A Chinese hacking group known as Volt Typhoon is using a security flaw in software from a California-based startup called Versa Networks to attack internet companies in the United States and India. According to security researchers at Lumen Technologies’ Black Lotus Labs, cited in a report by Bloomberg, Volt Typhoon has breached four American companies, including internet service providers, and one Indian company by exploiting this vulnerability.

The flaw was found in Versa Networks’ software, which helps manage network configurations. Although Versa identified the bug and released a fix in June 2023, it seems that not all companies applied the patch in time, leaving them vulnerable to attack. The hacking campaign is believed to be ongoing.

Volt Typhoon is suspected of being a state-sponsored Chinese hacking group. The U.S. government has previously accused the group of infiltrating critical infrastructure in the U.S., like water facilities and the power grid, with the aim of causing disruptions during a future crisis, possibly linked to Taiwan.

The Chinese government denies these accusations, claiming that Volt Typhoon is actually a criminal group called “Dark Power” and not linked to the state. They also suggested that U.S. intelligence agencies are falsely blaming China for cyberattacks to justify increased budgets and government contracts.

Versa issued an emergency fix for the bug at the end of June, but only widely informed customers in July after one customer reported a breach. The company stated that this customer did not follow earlier guidelines to protect their systems, such as closing off internet access to a specific port. Versa has now updated its systems to be secure by default, meaning that even if customers don’t follow guidelines, they should still be protected.

The vulnerability is rated as “high” severity by the National Vulnerability Database. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to fix the vulnerability or stop using Versa products by September 13, 2023. The hacking group has used the flaw at least once to breach a system, according to Versa, although they did not name the group.

Volt Typhoon’s activities have reportedly been going on for at least five years, targeting key sectors like communications, energy, and transportation.