Chinese Cyber Espionage Reaches New Heights: US Internet Providers Compromised

ZeroSecurity - Sep 3 - Dev Community

Chinese state-sponsored hackers have successfully infiltrated several major American internet service providers (ISPs) in recent months. This sophisticated campaign has granted the attackers unprecedented access to networks serving millions of customers, including potentially sensitive government and military personnel.

The Scale and Sophistication of the Attacks

Security experts and government officials familiar with the ongoing situation describe these intrusions as exceptionally aggressive and technically advanced. The hackers have managed to penetrate at least two large US providers and several smaller ones, demonstrating a significant escalation in China's cyber capabilities.

Brandon Wales, who recently held the position of executive director at the Cybersecurity and Infrastructure Security Agency (CISA), emphasized the gravity of the situation. "What we're seeing from China now is business as usual, but on a dramatically larger scale. The threat has increased by an order of magnitude," Wales stated.

Targeting High-Value Information

The choice of targets suggests a clear strategic focus. By compromising ISPs, the attackers gain access to a wealth of data flowing through these networks. Of particular concern is the potential surveillance of government employees, undercover operatives, and other groups of interest to Chinese intelligence services.

Mike Horka, a former FBI agent now working as a researcher at Lumen Technologies, noted the significance of this access. "This represents a privileged, high-level connection to interesting customers," Horka explained. He also pointed out that the hackers were willing to expend valuable zero-day vulnerabilities in these attacks, underscoring the importance of the operation to Chinese interests.

Advanced Techniques and Possible Connections

The methods employed in these intrusions share similarities with those attributed to a notorious Chinese hacking group known as Volt Typhoon. This group has previously targeted critical infrastructure, including Pacific ports, raising concerns about China's ability to disrupt US military logistics in a potential conflict scenario.

One particularly sophisticated technique involved the exploitation of a previously unknown vulnerability in network management software from Versa Networks. This allowed the attackers to plant malware capable of intercepting user passwords within compromised ISP routers.

In a separate but related campaign, another Chinese state-sponsored group demonstrated the ability to manipulate Domain Name System (DNS) records within a compromised ISP. This powerful technique can be used to redirect users to malicious sites or insert backdoors for ongoing surveillance.
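One way a defender can notice the resolver-level tampering described above is to judge the ISP resolver's answers against address ranges known out of band (the organization's own authoritative zone data or CDN prefixes) rather than against another recursive resolver, since CDN geo-DNS legitimately returns different addresses to different resolvers. The check below is an added example, not part of the original article; the hostnames, prefixes and resolver answers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed baseline: prefixes each name is legitimately served from, obtained
# out of band (authoritative zone data / CDN ranges), never from a recursive resolver.
EXPECTED_PREFIXES = {
    "vpn.example.gov": ["203.0.113.0/24"],
    "mail.example.gov": ["198.51.100.0/25", "2001:db8:10::/48"],
    "www.example.gov": ["198.51.100.128/25"],  # CDN-fronted: varying answers are normal
}

# Constructed observations from the ISP-assigned resolver and an independent control.
OBSERVED = {
    "isp-resolver": {
        "vpn.example.gov": {"192.0.2.77"},        # not inside 203.0.113.0/24
        "mail.example.gov": {"198.51.100.10"},
        "www.example.gov": {"198.51.100.130"},
    },
    "control-resolver": {
        "vpn.example.gov": {"203.0.113.5"},
        "mail.example.gov": {"198.51.100.10", "2001:db8:10::25"},
        "www.example.gov": {"198.51.100.200"},    # differs from the ISP answer, but in range
    },
}

@dataclass(frozen=True)
class Finding:
    name: str
    resolver: str
    reason: str
    answer: str = ""

def check_answers(observed, expected=EXPECTED_PREFIXES):
    """observed: {resolver: {qname: set of IP strings}}. Returns a list of Finding."""
    nets = {n: [ipaddress.ip_network(p) for p in ps] for n, ps in expected.items()}
    findings = []
    for resolver, answers in observed.items():
        for name, allowed in nets.items():
            ips = answers.get(name)
            if not ips:  # an empty/NXDOMAIN answer for a name that must resolve is also suspicious
                findings.append(Finding(name, resolver, "no answer for a name that should resolve"))
                continue
            for ip in sorted(ips):
                addr = ipaddress.ip_address(ip)  # 'in' is False across IPv4/IPv6 families, never raises
                if not any(addr in net for net in allowed):
                    findings.append(Finding(name, resolver, "answer outside expected prefixes", ip))
    return findings

def run_example():
    return check_answers(OBSERVED)

if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.resolver}] {f.name}: {f.reason} {f.answer}".rstrip())
```

Only the ISP resolver's answer for vpn.example.gov is flagged; the two in-range but different answers for the CDN-fronted name produce no finding.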

Broader Implications and Ongoing Threats

The breach of multiple ISPs represents a significant escalation in the cyber threat landscape. It provides potential avenues for widespread data collection, targeted surveillance, and even the possibility of disruptive attacks on critical infrastructure.

US cybersecurity officials, including former NSA director Gen. Paul Nakasone, have expressed ongoing concern about the activities of groups like Volt Typhoon.

The focus on gaining access for potential physical sabotage is particularly alarming, as it goes beyond traditional espionage into the realm of preparing for potential kinetic conflict.

Chinese Response and Denial

The Chinese Embassy in Washington has vehemently denied these accusations.

In a statement, they claimed that "Volt Typhoon" is actually an independent ransomware group, not a state-sponsored entity. The embassy further alleged that US intelligence agencies and cybersecurity firms might be fabricating evidence to secure increased funding and contracts.
