Singtel Data Breach: Volt Typhoon’s Test Run Before Targeting US Telecoms

Chinese government-backed hackers, Volt Typhoon, reportedly breached Singtel in a test run before targeting US telecoms, using a web shell and exploiting a Versa SD-WAN vulnerability.

Singtel Suffers Data Breach in Alleged Chinese Cyber Espionage Campaign

Singapore Telecommunications (Singtel), a major telecommunications company, has reportedly fallen victim to a data breach orchestrated by the Chinese government-backed hacking group, Volt Typhoon. According to the sources, the alleged intrusion, discovered in June 2024, is believed to have served as a “test run” for further attacks targeting US telecommunications companies.

Volt Typhoon’s Global Reach and Destructive Potential

The Volt Typhoon group first came to light in February 2024, when governments from the US, Canada, UK, Australia, and New Zealand issued a joint warning about its activities. The warning highlighted the group’s compromise of multiple critical infrastructure organizations’ IT networks globally, emphasizing their potential for “disruptive or destructive cyberattacks.” Targets include communications, energy, transportation, and water and wastewater systems.

The statement explicitly noted that Volt Typhoon’s actions “are not consistent with traditional cyber espionage or intelligence gathering operations,” suggesting a more malicious intent beyond mere data collection. Instead, the assessment concluded that the group was “pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions.” This indicates a potential for significant physical damage and disruption of essential services.

Singtel’s Response and Technical Details of the Breach

Singtel, in a statement to Bloomberg, acknowledged the importance of network resilience and affirmed its commitment to employing industry best practices and collaborating with leading security partners for continuous threat monitoring and mitigation.

The company’s statement, however, did not directly address the specifics of the alleged Volt Typhoon breach. According to Bloomberg’s sources, the attack involved the use of a web shell, a common technique employed by attackers to gain persistent access to compromised systems.

This aligns with findings from Lumen Technologies’ Black Lotus Labs, which in August 2024 warned about Volt Typhoon’s exploitation of a Versa SD-WAN vulnerability (CVE-2024-39717) to deploy custom web shells for credential harvesting. Black Lotus Labs researchers attributed the new malware, dubbed VersaMem, and the exploitation to Volt Typhoon with “moderate confidence,” warning of ongoing attacks against unpatched Versa Director systems. This highlights the critical importance of timely patching and vulnerability management in mitigating such threats.

Further Allegations and China’s Denial

The Volt Typhoon breach of Singtel is not an isolated incident. Another Chinese government-backed group, Salt Typhoon, has also been accused of targeting US telecom companies, including Verizon, AT&T, and Lumen Technologies, in October 2024. Furthermore, Salt Typhoon is also reportedly linked to attacks targeting the phones of individuals affiliated with both US presidential candidates, Kamala Harris and Donald Trump, along with his running mate, JD Vance. Despite these allegations, China has consistently denied the accusations and the very existence of Volt Typhoon.

The alleged Singtel data breach, coupled with other reported attacks by Volt Typhoon and Salt Typhoon, underscores the growing threat of state-sponsored cyberattacks targeting critical infrastructure. The use of advanced techniques, such as web shells and the exploitation of vulnerabilities in SD-WAN systems, highlights the sophistication of these attacks and the need for robust cybersecurity measures to protect against them.

Singtel’s statement that it adheres to industry best practices, without any direct comment on the breach itself, leaves some unanswered questions regarding the full extent of the compromise and the measures taken to remediate the situation. The ongoing investigation and the potential for further attacks against US telecoms warrant close monitoring and collaboration between governments and private sector organizations to effectively counter this threat.
