“This is privileged, high-level connectivity to interesting customers,” said Mike Horka, a researcher at Lumen Technologies and a former FBI agent. It was notable, he added, that the groups considered the effort important enough to exploit previously undiscovered software flaws that could have been preserved for later use. (Wikimedia Commons)
Chinese government-backed hackers have penetrated deep into U.S. internet service providers in recent months to spy on their users, according to people familiar with the ongoing American response and private security researchers.
The unusually aggressive and sophisticated attacks include access to at least two major U.S. providers with millions of customers as well as to several smaller providers, people familiar with the separate campaigns said.
“It is business as usual now for China, but that is dramatically stepped up from where it used to be. It is an order of magnitude worse,” said Brandon Wales, who until earlier this month was executive director of the Cybersecurity and Infrastructure Security Agency, CISA.
The hacks raise concern because their targets are believed to include government and military personnel working undercover and groups of strategic interest to China.
“This is privileged, high-level connectivity to interesting customers,” said Mike Horka, a former FBI agent and current researcher at Lumen Technologies, which described one of the campaigns but didn’t identify the ISPs it targeted. It was notable, he added, that the groups considered the effort important enough to exploit previously undiscovered software flaws that could have been preserved for later use.
Though there is no evidence that the new inroads are aimed at anything other than gathering intelligence, some of the techniques and resources employed are associated with those used in the past year by a China-backed group known as Volt Typhoon, two of the people said. U.S. intelligence officials said that group sought access to equipment at Pacific ports and other infrastructure to enable China to sow panic and disrupt America’s ability to move troops, weaponry and supplies to Taiwan if armed conflict breaks out.
The White House referred questions to CISA, inside the Department of Homeland Security, which agreed that the flaw found by Lumen was being exploited. It declined to answer questions about other techniques, the end victims, the breadth of the campaigns or who is behind them.
The Chinese Embassy in Washington rejected the accusations.
“‘Volt Typhoon’ is actually a ransomware cybercriminal group who calls itself the ‘Dark Power’ and is not sponsored by any state or region,” said embassy spokesman Liu Pengyu.
“There are signs that in order to receive more congressional budgets and government contracts, the U.S. intelligence community and cybersecurity companies have been secretly collaborating to piece together false evidence and spread disinformation about so-called Chinese government’s support for cyberattacks against the U.S.,” he added.
Lumen researchers said they had identified three U.S. internet service providers that had been hacked this summer, one of them large, along with another U.S. company and one in India.
In a blog made public Tuesday, Lumen said the hackers used a previously unknown vulnerability, known as a zero-day flaw, in a program made by Versa Networks for managing wide-area networks. Versa acknowledged the critical vulnerability late last week, warning only its direct customers.
On Monday, the Santa Clara, Calif.-based company published a blog post about the problem, saying that it had issued a patch and that “impacted customers failed to implement system hardening and firewall guidelines.”
Lumen wrote that it located malware inside ISP routers serving certain groups or individual customers that could intercept passwords from those customers. Lumen said it believed the malicious software was being used by Volt Typhoon. In a separate report earlier this month, security company Volexity said it had found another high-end technique in play at a different, unnamed ISP. In that case, it said a Chinese state hacking group distinct from Volt Typhoon was able to get far enough inside the service provider to alter the Domain Name System (DNS) web addresses that users were trying to reach and divert them elsewhere, allowing the hackers to insert back doors for spying.
While the concept of such an approach “is not that hard, to put in play successfully, that’s more top-tier,” said Volexity Chief Executive Steven Adair.
DNS manipulation is something of a specialty among Chinese government hacking groups. A mysterious campaign identified earlier this year by security experts at Infoblox and attributed to China involved using the so-called Great Firewall of China, which normally misdirects people on the mainland trying to reach restricted services or content.
Though they avoided discussing threats to ISPs specifically, some of the top U.S. cybersecurity officials at the recent Black Hat and Def Con hacking conferences said Volt Typhoon remained as active and successful as it was when its operations were first identified last year.
The group’s emphasis on obtaining access for potential physical destruction “is nowhere near where the nations of the world behave,” said retired Gen. Paul Nakasone, who stepped down in February from his posts running U.S. Cyber Command and the National Security Agency.
