Singapore’s largest mobile operator Singapore Telecommunications (Singtel) suffered a major cyber breach this summer, allegedly orchestrated by Chinese state-sponsored hackers, Bloomberg reported citing sources familiar with the investigation.
The attack, uncovered in June, was reportedly executed by Volt Typhoon, a hacking group associated with Chinese interests. Earlier this year, intelligence officials in the “Five Eyes” alliance released a security advisory detailing Volt Typhoon’s cyber activities.
It is believed that the Singtel breach may have served as a trial for further incursions into US telecommunications networks. Singtel, which has operations across Southeast Asia and Australia, has not confirmed the breach but also has not directly refuted the allegations in response to Bloomberg’s inquiry.
The hackers reportedly employed a web shell tool, allowing them to intercept and steal login credentials and gain unauthorized access by masquerading as legitimate users.
In August, researchers from Lumen Technologies discovered a cyber campaign exploiting a zero-day vulnerability (CVE-2024-39717) in Versa Director servers. The campaign, attributed with moderate confidence to Volt Typhoon and another China-linked threat actor known as Bronze Silhouette, involved a custom web shell dubbed ‘VersaMem.’
The web shell’s primary purpose is to intercept and harvest credentials, which would enable access into downstream customers’ networks as an authenticated user. Modular in nature, VersaMem also enables the threat actors to load additional Java code that runs exclusively in memory.
According to Bloomberg, the same web shell was discovered in the Singtel breach. In addition to Singtel, Volt Typhoon's breach extended to four US companies, including internet service providers, as well as a company in India.
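Because a credential-harvesting web shell yields valid logins rather than exploit traffic, the signal a defender can hunt for is a real account authenticating successfully from a source it has never used, and several accounts doing so from the same new source. The following is an added example, not code from the article, Lumen, or Singtel; the syslog-style log format, field names and sample lines are constructed for illustration.

```python
"""
Added example: flag successful logins from sources never seen for an account,
then correlate alerts that share one source (the pattern harvested credentials
produce when reused from a single attacker-controlled vantage point).
Log format and sample lines are constructed, not from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (format is an assumption).
SAMPLE_LOG = """\
2024-06-01T08:02:11Z auth user=alice src=10.20.1.15 result=success
2024-06-01T08:05:40Z auth user=bob src=10.20.1.22 result=success
2024-06-02T09:10:03Z auth user=alice src=10.20.1.15 result=success
2024-06-02T09:12:55Z auth user=carol src=10.20.1.31 result=failure
2024-06-02T09:13:10Z auth user=carol src=10.20.1.31 result=success
2024-06-03T02:41:09Z auth user=alice src=203.0.113.77 result=success
2024-06-03T02:43:30Z auth user=bob src=203.0.113.77 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_auth_log(text):
    """Parse the constructed log format into a list of event dicts; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return events


def detect_new_source_logins(events, learning_period=timedelta(days=1)):
    """Return one alert per successful login from a source not previously seen
    for that account. Sources seen within `learning_period` of the account's
    first login form its baseline; later unknown sources raise an alert.
    Failed logins are ignored: stolen credentials succeed on the first try."""
    events = sorted(events, key=lambda e: e["ts"])
    known_sources = defaultdict(set)
    first_seen = {}
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        user = e["user"]
        first_seen.setdefault(user, e["ts"])
        past_baseline = e["ts"] - first_seen[user] > learning_period
        if past_baseline and e["src"] not in known_sources[user]:
            alerts.append({"ts": e["ts"].isoformat(), "user": user, "src": e["src"]})
        known_sources[user].add(e["src"])
    return alerts


def correlate_by_source(alerts, min_accounts=2):
    """Group alerts by source and keep sources touching several accounts."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a["user"])
    return {src: users for src, users in by_src.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    found = detect_new_source_logins(parse_auth_log(SAMPLE_LOG))
    for a in found:
        print(f"NEW-SOURCE LOGIN {a['ts']} user={a['user']} src={a['src']}")
    for src, users in correlate_by_source(found).items():
        print(f"SHARED NEW SOURCE {src} accounts={users}")
```

The learning window exists only to avoid alerting on every first-day login; in production the baseline would come from weeks of history and a source would be a subnet or ASN rather than a single address. The correlation step is what separates a travelling employee from harvested credentials: one new source touching several accounts in minutes is the shape of the credential reuse described above.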
In January, the US authorities disrupted the KV-botnet used by the Volt Typhoon hackers to evade detection during attacks targeting US critical infrastructure. The botnet comprised hundreds of US-based small office/home office (SOHO) routers. Most of these routers were produced by Cisco and NetGear and were vulnerable because they had reached end-of-life and were no longer supported by the manufacturers.
More recently, another China-affiliated state-sponsored threat actor dubbed ‘Salt Typhoon’ has infiltrated Internet service provider (ISP) networks in the US in an effort to steal sensitive information. The hackers have been active for months, potentially accessing routers that manage critical traffic for US ISPs. The threat actor has reportedly targeted the communications of US political figures as well as a wiretapping system used by federal law enforcement.