Security experts have uncovered that hackers, believed to be connected to the Chinese government, exploited a previously unknown flaw in software to attack U.S. internet service providers.
The cyber espionage group identified as Volt Typhoon leveraged a zero-day vulnerability (a flaw the developers were not previously aware of, and so had not patched) in a piece of software known as Versa Director, developed by Versa Networks. This discovery was made by Black Lotus Labs, a division of the cybersecurity firm Lumen.
Versa provides software for network configuration management that is used in particular by internet service providers (ISPs) and managed service providers (MSPs), which places Versa in a vital yet vulnerable position, according to the study published on Tuesday by the researchers.
These hacking incidents mark another chapter in the operations of Volt Typhoon, suspected to be an arm of the Chinese government. The group’s strategy includes infiltrating critical infrastructure such as communication systems and telecom networks to potentially inflict “real-world harm” during future conflicts, specifically against the United States. Testimony to U.S. officials earlier this year highlighted the group’s intention to disrupt U.S. military actions in any potential conflict over Taiwan.
According to the investigation by Black Lotus Labs, the hackers aimed to capture and use credentials belonging to the corporate victims’ downstream clients. Essentially, the hackers used the compromised Versa servers as junctions from which to reach other networks connected to those servers, explained Mike Horka, a security investigator on this case, in a discussion with TechCrunch.
“This operation wasn’t only targeted at telecoms but also at managed service providers and internet service providers,” Horka elaborated. “These focal points provide additional access points.” He added that these companies are strategic targets due to the potential access they offer to further downstream clients.
Horka discovered four U.S. victims in his investigation, including two ISPs, one MSP, and an IT service provider, along with an ISP victim based in India. The specific identities of these victims were not disclosed by Black Lotus Labs.
Dan Maier, Versa’s Chief Marketing Officer, communicated to TechCrunch via email that Versa addressed the zero-day flaw identified by Black Lotus Labs.
“Versa acknowledged the vulnerability and immediately issued an emergency patch. A comprehensive patch has since been developed and distributed to our customers,” Maier stated, noting that the flaw was brought to their attention in late June.
Maier also mentioned that Versa was able to verify the vulnerability and observed the “APT attacker” exploiting it.
Black Lotus Labs reported the zero-day vulnerability and its associated hacking campaign to the U.S. cybersecurity agency CISA. Consequently, on Friday, CISA added the vulnerability to its catalog of known exploited vulnerabilities, cautioning that such vulnerabilities frequently serve as avenues for cybercriminals and represent significant threats to the federal enterprise.
Compiled by Techarena.au.


