Chinese government-backed hackers have reportedly hacked U.S. internet service providers (ISPs) in recent months. The unusually aggressive and sophisticated attacks have granted access to at least two major U.S. providers with millions of customers and several smaller providers, according to sources familiar with the ongoing American response and private security researchers.
Escalation in Chinese Cyber Activities
Brandon Wales, the former executive director of the Cybersecurity and Infrastructure Security Agency (CISA), described the situation as “business as usual now for China, but that is dramatically stepped up from where it used to be. It is an order of magnitude worse.”
The hacks have raised concerns due to the strategic nature of the targets, believed to include government and military personnel working undercover and groups of interest to China.
Sophisticated Techniques and Undiscovered Vulnerabilities
The hackers employed advanced techniques, including the exploitation of previously undiscovered software flaws, known as zero-day vulnerabilities. Cybersecurity firm Lumen Technologies identified three U.S. internet service providers that had been compromised this summer, along with another U.S. company and one in India.
The attackers leveraged a critical vulnerability in a program made by Versa Networks for managing wide-area networks.
Potential Links to Volt Typhoon Group
Some of the techniques and resources used in these attacks have been associated with a China-backed group known as Volt Typhoon. This group has been previously linked to attempts to access equipment at Pacific ports and other infrastructure, potentially to disrupt America’s ability to respond in case of an armed conflict over Taiwan.
DNS Manipulation and Other Sophisticated Tactics
In a separate report, security company Volexity revealed another high-end technique being used at a different, unnamed ISP. They found that a Chinese state hacking group, distinct from Volt Typhoon, had managed to alter Domain Name System (DNS) records, allowing them to insert backdoors for spying. This level of DNS manipulation is considered a specialty among Chinese government hacking groups.
Ongoing Threat and U.S. Cybersecurity Response
Top U.S. cybersecurity officials have acknowledged that Volt Typhoon remains as active and successful as when its operations were first identified last year. The group’s emphasis on obtaining access for potential physical destruction has been described as unprecedented in international cyber operations.
Chinese Embassy Denies Accusations
The Chinese Embassy in Washington has rejected these accusations, claiming that “Volt Typhoon” is actually a ransomware cybercriminal group calling itself “Dark Power” and is not state-sponsored. They further alleged that the U.S. intelligence community and cybersecurity companies might be collaborating to spread disinformation about Chinese government support for cyberattacks.