Volt Typhoon Exploits Vulnerability to Breach Multiple Firms, Including US and Indian Entities

by Ivy

Volt Typhoon, a sophisticated hacking group, has successfully infiltrated at least four U.S. firms, including internet service providers, and one organization in India by exploiting a security flaw in Versa Networks’ server product, according to a recent report by Black Lotus Labs, a unit of Lumen Technologies Inc. The report, detailed in a blog post on Tuesday, indicates with moderate confidence that Volt Typhoon is behind the breaches of unpatched Versa systems and suggests that the exploitation is likely still ongoing.

Versa Networks, which specializes in network configuration software and has received investments from major firms such as BlackRock Inc. and Sequoia Capital, acknowledged the vulnerability last week. The company has since released a patch and other remediation measures to address the issue.

This disclosure heightens concerns about the vulnerability of U.S. critical infrastructure to cyberattacks. Earlier this year, U.S. officials accused Volt Typhoon of penetrating networks crucial to national services, including water facilities, the power grid, and communication sectors, potentially aiming to disrupt operations during future crises, such as a conflict over Taiwan.

In response, Liu Pengyu, a spokesperson for the Chinese Embassy in Washington, contested the allegations in an email, asserting that Volt Typhoon, referred to as “Dark Power,” is a ransomware group unaffiliated with any state or region. Liu also suggested that the U.S. intelligence community might be colluding with cybersecurity firms to falsely attribute these cyberattacks to China as a means to secure increased funding and contracts. These claims remain unverified by Bloomberg.

Lumen Technologies first shared its findings with Versa in late June, as confirmed by both companies and corroborated by documents reviewed by Bloomberg. Versa, based in Santa Clara, California, issued an emergency patch for the vulnerability at the end of June but only widely communicated the issue to its customers in July after being informed of a breach by one unidentified customer. Versa noted that this customer had failed to adhere to previously published security guidelines, which include blocking internet access to a specific port.

Dan Maier, Versa’s Chief Marketing Officer, stated in an email that the guidelines from 2015 recommended closing off internet access to certain ports, a step which the affected customer neglected. Versa has since implemented measures to ensure the system is “secure by default,” mitigating the risk even for customers who do not follow security guidelines.

The vulnerability has been rated as “high” severity by the National Vulnerability Database. On Friday, the Cybersecurity and Infrastructure Security Agency (CISA) mandated that federal agencies either patch Versa products or discontinue their use by September 13.

Versa confirmed in a blog post that the vulnerability has been exploited by a sophisticated hacking group, although the group’s identity remains undisclosed. Microsoft Corp. first identified and named the Volt Typhoon campaign in May 2023. Since then, U.S. officials have urged companies and utilities to enhance their logging practices to detect and eliminate these hackers, who exploit system vulnerabilities and then remain undetected for extended periods.

The Chinese government has refuted U.S. claims, attributing the Volt Typhoon-related attacks to cybercriminals rather than state-sponsored actors. CISA Director Jen Easterly warned Congress in January that the U.S. has only uncovered a fraction of the affected entities and cautioned that China’s goal may be to induce “societal panic.”

U.S. agencies, including CISA, the National Security Agency, and the FBI, revealed in February that Volt Typhoon’s activities span at least five years and have targeted various critical systems, including communications, energy, transportation, and water infrastructure.

Lumen’s researcher, Michael Horka, reported that the malicious code was first detected in June. A malware sample uploaded from Singapore on June 7 showed clear indications of Volt Typhoon’s involvement. Horka, a former FBI cyber investigator, explained that the code acted as a web shell, allowing the hackers to access networks using legitimate credentials and operate as if they were authorized users.
