A group of hackers linked to the Chinese government has exploited a previously unknown vulnerability in network management software to target U.S. internet service providers, according to security researchers. The group, known as Volt Typhoon, used this zero-day flaw (so called because the software maker was unaware of it and had no time to patch it before it was exploited) in Versa Director, a network management product developed by Versa Networks. The discovery was made by researchers at Black Lotus Labs, a division of the cybersecurity firm Lumen.
Versa Director is widely used by internet service providers (ISPs) and managed service providers (MSPs), making it an appealing target for hackers. The researchers described the software as a “critical and attractive target” due to its role in managing network configurations for these essential services.
Volt Typhoon, believed to be working on behalf of the Chinese government, has a history of targeting critical infrastructure, including communication and telecom networks. The group’s activities are thought to be aimed at causing “real-world harm” in the event of a future conflict with the United States. Earlier this year, U.S. government officials testified that these hackers intend to disrupt any U.S. military response to a potential future invasion of Taiwan.
According to Black Lotus Labs, the hackers were primarily focused on stealing and using credentials belonging to the downstream customers of the compromised corporate victims. The researchers found that Volt Typhoon used the Versa servers as entry points: because a Versa Director instance manages the network configurations of the customers behind it, compromising one server gave the group a foothold from which to reach the other networks connected to it. Mike Horka, the security researcher who investigated the incident, explained that the hackers targeted central locations like ISPs and MSPs precisely to gain that additional access to other networks.
Horka identified four victims in the United States (two ISPs, one MSP and one IT provider) and one victim outside the U.S., an ISP in India. Black Lotus Labs did not disclose the names of these victims.
In response to the discovery, Versa Networks issued an emergency patch after being alerted to the vulnerability by Black Lotus Labs in late June. Versa’s chief marketing officer, Dan Maier, confirmed to TechCrunch that the company had patched the flaw and distributed the fix to all customers. Maier also noted that Versa was able to confirm the vulnerability and observe the “APT attacker” exploiting it.
Black Lotus Labs notified the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about the zero-day vulnerability and the associated hacking campaign. CISA subsequently added the zero-day to its Known Exploited Vulnerabilities catalog, warning that such vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Inclusion in that catalog also obliges federal civilian agencies, under CISA's Binding Operational Directive 22-01, to remediate the flaw by the due date the catalog assigns; other organizations running Versa Director should treat the listing as a signal to apply the vendor patch and review their servers for signs of prior compromise.