An alleged state-sponsored Chinese hacking campaign known as Volt Typhoon is reportedly exploiting a bug in a product made by a California-based startup to hack American and Indian internet companies.
Volt Typhoon has breached four US firms, including internet service providers, and another in India through a vulnerability in a Versa Networks server product, according to Lumen Technologies Inc.’s unit Black Lotus Labs, a security research firm.
Their assessment, much of which was published in a blog post on Tuesday, found with “moderate confidence” that Volt Typhoon was behind the breaches of unpatched Versa systems and said exploitation was likely ongoing, Bloomberg reported.
Versa, which makes software that manages network configurations and has attracted investment from Blackrock Inc. and Sequoia Capital, announced the bug last week and offered a patch and other mitigations.
The revelation will add to concerns over the susceptibility of US critical infrastructure to cyberattacks.
The US this year accused Volt Typhoon of infiltrating networks that operate critical US services, including some of the country’s water facilities, power grid and communications sectors, in order to cause disruptions during a future crisis, such as an invasion of Taiwan.
Lumen shared its findings with Versa in late June, according to Lumen and supporting documentation shared with Bloomberg.
Versa, which is based in Santa Clara, California, said it issued an emergency patch for the bug at the end of June, but only began flagging the issue widely to customers in July once it was notified by a customer that claimed to have been breached.
The bug carries a “high” severity rating, according to the National Vulnerability Database.
On Friday, the Cybersecurity and Infrastructure Security Agency, known as CISA, ordered federal agencies to patch Versa products or stop using them by September 13.
The vulnerability has been exploited in at least one known instance by a sophisticated hacking group, Versa said in a blog post on Monday.
The company didn’t identify the group, and on Friday, Versa told Bloomberg it didn’t know the identity.
Microsoft Corp. named and unveiled the Volt Typhoon campaign in May 2023.
Since its discovery, US officials have urged companies and utilities to improve their logging to help search for and eradicate the hackers, who use vulnerabilities to get into systems and then can remain undetected for long stretches of time.
The Chinese government has dismissed US accusations, saying the hacking attacks attributed to Volt Typhoon are the work of cybercriminals.