{
	"id": "dd74a3f1-a333-495c-871b-95630d40a7b0",
	"created_at": "2026-04-06T00:14:49.328214Z",
	"updated_at": "2026-04-10T03:34:44.513731Z",
	"deleted_at": null,
	"sha1_hash": "62dd4bef6623b69ab3e2187654d7610596be353a",
	"title": "Chinese group accused of hacking Singtel in telecom attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40185,
	"plain_text": "Chinese group accused of hacking Singtel in telecom attacks\r\nPublished: 2024-11-05 · Archived: 2026-04-05 13:20:34 UTC\r\nSINGAPORE – Singtel, Singapore’s largest mobile carrier, was breached by Chinese state-sponsored hackers this\r\nsummer as part of a broader campaign against telecommunications companies and other critical infrastructure\r\noperators around the world, according to two people familiar with the matter.\r\nThe previously undisclosed breach was discovered in June, and investigators believe it was pulled off by a\r\nhacking group known as Volt Typhoon, according to the two people, who asked not to be identified to discuss a\r\nconfidential investigation.\r\nOfficials in the United States, Australia, Canada, Britain and New Zealand – the “Five Eyes” intelligence-sharing\r\nalliance – warned earlier in 2024 that Volt Typhoon was embedding itself inside compromised IT networks to give\r\nChina the ability to conduct disruptive cyber attacks in the event of a military conflict with the West.\r\nThe breach of Singtel, a carrier with operations throughout South-east Asia and Australia, was seen as a test run by\r\nChina for further hacks against US telecommunications companies, and information from the attack has provided\r\nclues about the expanding scope of suspected Chinese attacks against critical infrastructure abroad, including in\r\nthe US, the people said.\r\nIn a joint statement on Nov 5, the Cyber Security Agency of Singapore (CSA) and Infocomm Media Development\r\nAuthority (IMDA) said they understood from Singtel that no service was affected, and no data loss was reported\r\nfrom the incident.\r\nThey added that in this case, early detection and mitigation measures were in place.\r\n“Based on current investigations, the threat has been dealt with and the overall telecommunications infrastructure\r\nremains secure and unaffected. 
CSA and IMDA will continue to work with organisations, especially key service\r\nproviders including Singtel to strengthen the security and resilience of our digital infrastructure,” they said.\r\nSingtel on Nov 5 said “there was a malware detected in June which was subsequently dealt with and reported to\r\nrelevant authorities”, but added that the telco cannot confirm or ascertain if that was the exact same event reported\r\nby Bloomberg.\r\n“We do not comment on speculation. Singtel conducts regular malware sweeps as part of its cyber posture,” it\r\nnoted.\r\nSpokesperson Liu Pengyu for the Chinese Embassy in Washington said he was not aware of the specifics as\r\nrelayed by Bloomberg, but that in general, China firmly opposes and combats cyber attacks and cyber theft.\r\nThe US is currently battling its own suspected Chinese attacks of political campaigns and telecommunications\r\ncompanies. Officials have described the telecom breaches as one of the most damaging campaigns on record by\r\nsuspected Chinese hackers and one that they are still seeking to fully understand and contain. \r\nhttps://www.straitstimes.com/business/chinese-group-accused-of-hacking-singtel-in-telecom-attacks\r\nPage 1 of 3\n\nIn the US telecommunications attacks, which investigators have attributed to another Chinese group called Salt\r\nTyphoon, AT\u0026T Inc and Verizon Communications Inc were among those breached, and the hackers potentially\r\naccessed systems the federal government uses for court-authorised network wiretapping requests, the Wall Street\r\nJournal reported in early October.\r\nUS intelligence officials think the Chinese hacking group that Microsoft Corp dubbed Salt Typhoon may have\r\nbeen inside US telecommunications companies for months and found a route into an access point for legally\r\nauthorised wiretapping, according to a person familiar with their views. \r\nAT\u0026T declined to comment. 
Verizon did not respond to a request for comment.\r\nThrough those intrusions, the hackers are believed to have targeted the phones of former president and\r\nRepublican presidential candidate Donald Trump, his running mate J.D. Vance and Trump family members, as\r\nwell as members of Vice-President Kamala Harris’ campaign staff and others, The New York Times has reported.\r\nIn the case of the alleged Singtel breach, one of the people familiar with that incident said the attack relied on a\r\ntool known as a web shell. \r\nIn August, researchers at Lumen Technologies Inc said in a blog post they assessed with “moderate confidence”\r\nthat Volt Typhoon had used such a web shell.\r\nA sample of the malware was first uploaded to VirusTotal, a popular site for security experts to research malicious\r\ncode, on June 7 by an unidentified entity in Singapore, according to Lumen researchers.\r\nThe web shell allowed hackers to intercept and gather credentials to gain access to a customer’s network disguised\r\nas a bona fide user, they said. The hackers then breached four US firms, including internet service providers, and\r\nanother in India, according to Lumen researchers.\r\nGeneral Timothy Haugh, director of the National Security Agency (NSA), said in early October that the\r\ninvestigations into the latest telecommunications breaches were at an early stage.\r\nLater in October, the FBI and the Cybersecurity and Infrastructure Security Agency (Cisa) said they had identified\r\nspecific malicious activity by actors affiliated with the Chinese government and immediately notified affected\r\ncompanies and “rendered technical assistance”.\r\nA spokesperson for the National Security Council last week referred to the “ongoing investigation and mitigation\r\nefforts”, but directed further questions to the FBI and Cisa. 
\r\nSingtel uncovered the breach of its network after detecting suspicious data traffic in a core back-end router and\r\nfinding what it believed was sophisticated, and possibly state-sponsored, malware on it, according to the other\r\nperson familiar with the investigation.\r\nThe malware was in “listening” mode and didn’t appear to have been activated for espionage or any other\r\npurpose, the person said, adding that it reinforced a suspicion that the attack was either a test run of a new hacking\r\ncapability or that its purpose was to create a strategic access point for future attacks.\r\nThere is evidence that Salt Typhoon reached the US at least as early as spring 2024, and possibly long before, and\r\ninvestigators tracking the group think it has infiltrated other telecommunications companies throughout Asia,\r\nincluding in Indonesia, Nepal, the Philippines, Thailand and Vietnam, according to two people familiar with those\r\nefforts.\r\nThe NSA has warned since 2022 that telecommunications infrastructure was vulnerable to Chinese hacking. Volt\r\nTyphoon has been active since at least mid-2020, having attacked sensitive networks in Guam and elsewhere in\r\nthe US with a goal of burrowing into critical infrastructure and staying undetected for as long as possible. \r\nThe hacks by both Chinese Typhoon groups have alarmed Western officials and raised concerns about the number\r\nand severity of back doors – a way to get around security tools and gain high-level access to a computer system –\r\nthat China has placed inside critical IT systems. 
Those entry points could be used to conduct espionage or prepare\r\nthe battlespace for use in a potential military conflict with the West.\r\nChinese hackers have long been accused of conducting espionage attacks against the US – including, most\r\nnotably, the theft of security clearance applications for tens of millions of US government workers held by the\r\nOffice of Personnel Management.\r\nBut officials say the latest hacks go a step further and in some cases suggest China may be amassing capabilities\r\nto disrupt or degrade critical services in the US and abroad.\r\nRetired general Paul Nakasone, who led the NSA for nearly six years until February, told reporters in October that\r\nthe latest telecommunications hacks by Salt Typhoon were distinguished by their scale, and that the two Chinese\r\ngroups represent a tremendous challenge for the government. “I am not pleased in terms of where we’re at with\r\neither of the Typhoons,” he said. BLOOMBERG\r\nSource: https://www.straitstimes.com/business/chinese-group-accused-of-hacking-singtel-in-telecom-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.straitstimes.com/business/chinese-group-accused-of-hacking-singtel-in-telecom-attacks"
	],
	"report_names": [
		"chinese-group-accused-of-hacking-singtel-in-telecom-attacks"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434489,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62dd4bef6623b69ab3e2187654d7610596be353a.pdf",
		"text": "https://archive.orkl.eu/62dd4bef6623b69ab3e2187654d7610596be353a.txt",
		"img": "https://archive.orkl.eu/62dd4bef6623b69ab3e2187654d7610596be353a.jpg"
	}
}