The state-sponsored Chinese hacking campaign known as Volt Typhoon is exploiting a bug in a California-based startup to hack American and Indian internet companies, according to security researchers. 

Volt Typhoon has breached four US firms, including internet service providers, and another in India through a vulnerability in a Versa Networks server product, according to Lumen Technologies Inc.’s unit Black Lotus Labs. Their assessment, much of which was published in a blog post on Tuesday, found with “moderate confidence” that Volt Typhoon was behind the breaches of unpatched Versa systems and said exploitation was likely ongoing. 

Versa, which makes software that manages network configurations and has attracted investment from Blackrock Inc. and Sequoia Capital, announced the bug last week and offered a patch and other mitigations. 

The revelation will add to concerns over the susceptibility of US critical infrastructure to cyberattacks. The US this year accused Volt Typhoon of infiltrating networks that operate critical US services, including some of the country’s water facilities, power grid and communications sectors, in order to cause disruptions during a future crisis, such as an invasion of Taiwan. 

Liu Pengyu, a spokesman for the Chinese Embassy in Washington, said in an email, “ ‘Volt Typhoon’ is actually a ransomware cyber criminal group who calls itself the ‘Dark Power’ and is not sponsored by any state or region.”

He added that China sees signs that the US intelligence community has secretly collaborated with cybersecurity companies to falsely accuse China of supporting cyberattacks against the US as part of an effort to boost congressional budgets and government contracts. Bloomberg couldn’t verify those claims.

Lumen shared its findings with Versa in late June, according to Lumen and supporting documentation shared with Bloomberg.

Versa, which is based in Santa Clara, California, said it issued an emergency patch for the bug at the end of June, but only began flagging the issue widely to customers in July once it was notified by one that claimed to have been breached. Versa said that customer, which it didn’t identify, didn’t follow previously published guidelines on how to protect its systems via firewall rules and other measures.

Dan Maier, Versa’s chief marketing officer, said in an email Monday that those 2015 guidelines include advising customers to close off internet access to a specific port, which the customer had failed to follow. Since last year, he said, Versa has now taken measures of its own to make the system “secure by default,” meaning customers will no longer be exposed to that risk even if they haven’t followed company guidelines.

The bug carries a “high” severity rating, according to the National Vulnerability Database. On Friday, the Cybersecurity and Infrastructure Security Agency, known as CISA, ordered federal agencies to patch Versa products or stop using them by Sept. 13.

The vulnerability has been exploited in at least one known instance by a sophisticated hacking group, Versa said in a blog post on Monday. The company didn’t identify the group, and on Friday, Versa told Bloomberg it didn’t know the identity.

Microsoft Corp. named and unveiled the Volt Typhoon campaign in May 2023. Since its discovery, US officials have urged companies and utilities to improve their logging to help search for and eradicate the hackers, who use vulnerabilities to get into systems and then can remain undetected for long stretches of time. 

The Chinese government has dismissed US accusations, saying the hacking attacks attributed to Volt Typhoon are the work of cyber criminals. 

CISA Director Jen Easterly told Congress in January about the malicious cyber activity, warning the US has discovered only the tip of the iceberg when it comes to victims and that China’s aim is to be able to plunge the US into “societal panic.”

US agencies, including CISA, the National Security Agency and the FBI, said in February that Volt Typhoon activity dates back at least five years and has targeted communications, energy, transportation systems, water and wastewater systems. 

Lumen first identified the malicious code in June, according to Lumen researcher Michael Horka. A malware sample uploaded from Singapore on June 7 bore the hallmarks of Volt Typhoon, he said in an interview. 

Horka, a former FBI cyber investigator who joined Lumen in 2023 after working on Volt Typhoon cases for the federal government, said the code was a web shell that allowed hackers to gain access to a customer’s network via legitimate credentials and then behave as if they were bona fide users.

More stories like this are available on bloomberg.com