Sign in Subscribe

Volt Typhoon attacks failed?

Gary Longsine

2 min read
Work on what matters: weak authentication, cross-site scripting, memory safety issues.
Almost all breaches are down to three classes of problems: authentication with passwords, cross-site scripting, and memory safety issues. Fix the hot spots.

With all due respect to the good and hard working people of the NSA, the statement that the Chinese attack against telcos was a "failure" strikes me as overly optimistic.

The Chinese group that Microsoft calls "Volt Typhoon" were in every major and several minor telcos for as long as a couple years.

This group or a related Chinese group was also inside Microsoft so deep that the company was forced to put out a series of statements trickling out over nearly a year as they tried to clean up the mess, as they kept discovering the intrusion was worse than they had previously thought — over the course of an investigation that lasted at least 9 months, and which probably isn't completed even now, about 16 months after it began.

Neither Microsoft not any of the telcos seem very confident that they've cleaned up the mess, which you know because there have been no statements along the lines, "OK we finally fixed it."

In fact, the response that Microsoft is making appears to include an acceleration of their migration of all customer-facing systems away from passwords to (phishing resistant and replay resistant) passkeys.

This is *a* right move, given that it's known that many of these attacks involved what Microsoft calls "password spray" which is the use of stolen credentials, but it's not the only necessary step.

I see little evidence that the telcos are prepared to make the kinds of investment required to really put a stop to this class of intrusions from APTs (advanced persistent threats), and Microsoft hasn't revealed what other steps it's taken.

There's been no public discussion of the methods used by Volt Typhoon, with the exception of Microsoft mentioning "password spray".But you know what the methods are, mostly.

Few of them are a surprise. Read a few of the Verizon DBIR (Data Breach Investigation Reports) and look through the CVE database.

Read some reports from the insurance industry.

The vast majority of breaches are down to a few classes of exploits:
🟠 attacks against weak, stolen, phished, or cracked passwords, and replayed (MitM) "one time" credentials;
🟠 XSS (cross-site scripting) attacks against web servers and services;
🟠 memory safety attacks (buffer overflows et al.) against API endpoints (commercial and custom enterprise internal software).

Nearly the entire industry remains in denial about this plain fact, because we're afraid the solutions are too difficult.

They're not.

If you're tired of magic bullets that don't work, contact me.

Contact me if you want to do the things that will help your enterprise keep state-sponsored foreign adversaries out of your network.


Gary Longsine is a reluctant enterprise security consultant, patented inventor of large scale enterprise security systems, experienced product designer for both enterprise and consumer software products, and manager of remote, distributed, American software development teams since 1998.

Sign up for more like this.

Enter your email
Subscribe