Noise Storms: Massive Amounts of Spoofed Web Traffic Linked to China

GreyNoise has observed millions of spoofed IPs flooding internet providers with web traffic primarily focusing on TCP connections.

Threat intelligence company GreyNoise warns of a concerning phenomenon involving massive amounts of spoofed traffic that is likely linked to China.

Periodically since January 2020, GreyNoise has seen millions of IP addresses generating spoofed traffic that resembles a broadcast, a phenomenon the company has named a Noise Storm.

The storms typically consist of TCP connection attempts and sometimes ICMP packets, but never UDP packets, the protocol most commonly used in volumetric distributed denial-of-service (DDoS) attacks. The absence of UDP may suggest that the sender cares which hosts receive the traffic.

Observed characteristics of the traffic include Time To Live (TTL) values spoofed to mimic realistic network hop counts, TCP window sizes spoofed to emulate traffic from different operating systems, and periods of increased intensity focused on particular segments of the internet.

An ongoing Noise Storm, GreyNoise explains, involves roughly five million IP addresses that appear to be located in Brazil, but deeper analysis suggests the traffic may actually originate in China.

“Our analysis has revealed that the Autonomous System Number (ASN) associated with the ICMP traffic is linked to a Content Delivery Network (CDN) servicing major Chinese platforms like QQ, WeChat, and WePay,” GreyNoise explains.

The connection to China raises further concerns, as it suggests that sophisticated threat actors are behind the spoofed traffic and that deliberate obfuscation is being used to hide its true intent.

GreyNoise also noticed that recent storms are affecting major providers such as Cogent, Lumen, and Hurricane Electric, but avoid AWS, which suggests that a “sophisticated, potentially organized actor with a clear agenda” is responsible for them.


However, the purpose of these storms is unclear, and possible explanations include covert communication, router misconfigurations, elaborate command-and-control (C&C) mechanisms, sophisticated DDoS attacks, and congestion leading to traffic manipulation.

Additionally, GreyNoise has identified and isolated certain patterns in the spoofed traffic, such as the ASCII string ‘LOVE’ embedded in the ICMP packets, which reinforces the hypothesis that the storms may serve as a covert communications channel.
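The traits GreyNoise describes (TTL values that imply plausible hop counts, window sizes that imitate particular operating systems, no UDP, and an ASCII marker inside ICMP payloads) are all things an analyst can check for in captured flow summaries. The script below is an added example written for this page, not GreyNoise's own tooling: it runs a few heuristic consistency checks over constructed packet records (the IPs, TTLs, windows and payloads are made up, and the window-to-OS table is a deliberately small, assumed simplification of real fingerprint databases). A single source IP that presents different initial TTLs, or a TCP window that does not fit the OS implied by its TTL, is flagged as a likely spoofed source; ICMP payloads are searched for the marker string, and the protocol mix is summarised so the lack of UDP is visible.

```python
from collections import defaultdict

# Common initial TTL values; an observed TTL is rounded up to the nearest one.
INITIAL_TTLS = (32, 64, 128, 255)

# Assumed, simplified TCP window -> OS family hints (real fingerprint DBs are far larger).
WINDOW_OS = {
    5840: "linux", 29200: "linux", 64240: "linux",
    8192: "windows", 65535: "windows_or_bsd",
}
# Assumed, simplified initial TTL -> OS families that normally use it.
TTL_OS = {
    64: {"linux", "windows_or_bsd"},
    128: {"windows", "windows_or_bsd"},
    255: {"bsd"},
}


def initial_ttl(observed):
    """Infer the sender's initial TTL by rounding the observed value up."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    return 255


def analyse(packets, marker=b"LOVE"):
    """Heuristic checks for the spoofing traits described in the text."""
    by_src = defaultdict(list)
    protocols = defaultdict(int)
    marker_sources = set()
    for p in packets:
        protocols[p["proto"]] += 1
        by_src[p["src"]].append(p)
        if p["proto"] == "icmp" and marker in p.get("payload", b""):
            marker_sources.add(p["src"])

    suspicious = {}
    for src, pkts in by_src.items():
        reasons = []
        inits = {initial_ttl(p["ttl"]) for p in pkts}
        hops = {initial_ttl(p["ttl"]) - p["ttl"] for p in pkts}
        # One real host has one OS and one path: initial TTL should not change.
        if len(inits) > 1:
            reasons.append("multiple initial TTLs from one source")
        # Hop count should be roughly stable for one source over a short window.
        if max(hops) - min(hops) > 3:
            reasons.append("hop count varies widely")
        # Window size should match the OS family implied by the initial TTL.
        for p in pkts:
            if p["proto"] != "tcp":
                continue
            family = WINDOW_OS.get(p["window"])
            if family and family not in TTL_OS.get(initial_ttl(p["ttl"]), set()):
                reasons.append(f"window {p['window']} inconsistent with ttl {p['ttl']}")
                break
        if reasons:
            suspicious[src] = reasons

    return {
        "protocols": dict(protocols),
        "has_udp": protocols.get("udp", 0) > 0,
        "suspicious": suspicious,
        "marker_sources": sorted(marker_sources),
    }


# Constructed sample records (not real captures): src, proto, ttl, tcp window, payload.
SAMPLE_PACKETS = [
    {"src": "203.0.113.5", "proto": "tcp", "ttl": 52, "window": 64240},
    {"src": "203.0.113.5", "proto": "tcp", "ttl": 118, "window": 8192},   # TTL class flips
    {"src": "203.0.113.9", "proto": "tcp", "ttl": 120, "window": 29200},  # Linux window, Windows TTL
    {"src": "203.0.113.9", "proto": "icmp", "ttl": 119, "payload": b"\x00\x01LOVE\x02"},
    {"src": "198.51.100.7", "proto": "tcp", "ttl": 57, "window": 29200},  # consistent host
    {"src": "198.51.100.7", "proto": "tcp", "ttl": 56, "window": 5840},
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PACKETS).items():
        print(f"{key}: {value}")
```

On the sample data the two 203.0.113.x sources are flagged and the single ICMP packet carrying the marker is reported, while 198.51.100.7, whose TTLs and windows agree, passes. The thresholds and fingerprint tables are placeholders; in practice they would be replaced with a real passive-OS-fingerprint database and tuned against known-good traffic before being trusted on a live feed.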

What’s more, several of the Noise Storms, the cybersecurity firm notes, have coincided with news reports describing noteworthy military actions.

“These persistent mysteries add new layers of complexity to the cybersecurity landscape, prompting security leaders to reevaluate their defenses and ensure they are equipped with the right tools for an ironclad security posture,” GreyNoise says.

While it is unclear who is behind the Noise Storms, the connection to China does not appear far-fetched. In April, Infoblox detailed how China-linked threat actor Muddling Meerkat had been using the country’s Great Firewall (GFW) to probe the internet using manipulated DNS mail server records.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
