
Signal or Noise? The Chaos of Chinese Noise Storms

GreyNoise Intelligence has been tracking something unusual since early 2020: a phenomenon it calls “Noise Storms,” waves of spoofed traffic that appear to come from millions of source IP addresses. These storms have defenders puzzled as they try to piece together what is really happening. The exact origin remains murky, but GreyNoise’s research suggests a possible link to China, which raises serious questions about who is sending this traffic and why.


Origins and Characteristics of Noise Storms

Noise Storms consist mainly of TCP traffic, with some ICMP packets as well. Notably, GreyNoise has never observed UDP in a storm, which stands out because UDP is the protocol most often abused for volumetric DDoS attacks. That choice suggests whoever is behind the storms is selective about how the traffic is shaped, which points to a high degree of control over the sending infrastructure and, most likely, a specific agenda.

One of the key tactics is Time To Live (TTL) spoofing. Every router a packet crosses decrements its TTL, so setting the field to a value that looks already decremented makes the packet appear to have hopped through legitimate network nodes. The storms also spoof TCP window sizes to imitate the defaults of various operating systems, which makes it harder for security teams to separate real from fake traffic with passive fingerprinting. Also puzzling is that the storms avoid large cloud providers such as AWS and instead land on transit providers like Cogent, Lumen, and Hurricane Electric.


Unusual Traffic Patterns and Tactics

A current Noise Storm GreyNoise is watching involves roughly five million source IPs that geolocate to Brazil. Because the addresses are spoofed, that geolocation only says where the forged addresses are registered, not where the packets are sent from, and deeper analysis points back to China as the true source. The Autonomous System Number (ASN) linked to the ICMP traffic belongs to a Chinese content delivery network (CDN) that serves major platforms such as QQ, WeChat, and WePay. This connection has raised suspicions that a sophisticated, state-sponsored actor could be behind the storms.

In some recent storms, researchers found a curious and somewhat eerie detail: the ASCII string ‘LOVE’ embedded in the ICMP packets. It looks harmless, but the inclusion fuels theories that the storms are more than a blunt flood, perhaps a covert communication channel or something more complex still. Some storms have also coincided with significant military events, adding another layer of suspicion about their purpose.


Suspicious Links to Chinese Infrastructure

China’s involvement in large-scale cyber activity is nothing new, and the evidence pointing to Chinese infrastructure in these Noise Storms is a red flag. This past April, the cybersecurity firm Infoblox reported on the China-linked threat actor “Muddling Meerkat,” which sent large volumes of DNS queries for mail server (MX) records through open resolvers and appeared able to induce China’s Great Firewall to answer with false MX records. Chinese Internet infrastructure has been leveraged for espionage and other malicious activity before, and these storms may be another example.

Despite years of tracking, no one has definitively established the aim of the Noise Storms. Theories range from misconfigured routers to covert communication systems to attempts to manipulate network traffic for intelligence gathering. Some believe the storms may be a new kind of DDoS attack, designed to create congestion in service of some further goal.

These developments matter for network operators and security teams everywhere. Traffic that lands on specific transit providers while steering clear of the major cloud platforms suggests an adversary that is well resourced and exercises fine-grained control over where its packets go.

The sophistication of these storms is clear. TTL manipulation and operating-system spoofing make it hard to tell legitimate from malicious traffic with passive fingerprinting alone. Recent storms have set TTL values between 120 and 200, a band that mimics packets decremented a few hops from a common initial TTL rather than the untouched round value a naive packet generator would leave. That mimicry has limits a defender can check: the implied hop count (the nearest common initial TTL minus the observed value) should be small, and a TTL that implies dozens of hops, or a TCP window size that does not fit the OS family the TTL points to, is a signal in its own right. Meanwhile, the selective targeting of providers shows the attackers understand global Internet infrastructure well and are tuning their approach for maximum effect.
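As an added illustration of the TTL-spoofing and window-size checks described in the section on the storms’ characteristics and of the 120 to 200 TTL band discussed here, the following Python script parses bare IPv4 packets, applies those heuristics, and also looks for the ‘LOVE’ marker in ICMP payloads. This is example code, not GreyNoise’s or Netizen’s tooling; the packets are constructed in memory rather than taken from a capture, and the window-size fingerprint table, the 30-hop ceiling, and the sample addresses are assumptions made for the example.

```python
"""Heuristic checks for Noise-Storm-style spoofed IPv4 traffic.

Added example, not code from GreyNoise or Netizen. Packets are built in
memory (no Ethernet framing, checksums left at zero) so the script runs
offline; the window-size table and the 30-hop ceiling are illustrative
assumptions, not an authoritative fingerprint database.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

PROTO_ICMP, PROTO_TCP = 1, 6

# Initial TTLs most stacks start from: Linux/macOS 64, Windows 128,
# many routers and older Unix systems 255.
INITIAL_TTLS = (64, 128, 255)
MAX_PLAUSIBLE_HOPS = 30  # assumption: real Internet paths rarely exceed this

# Assumed typical initial TCP window sizes per OS family (illustrative).
WINDOW_FINGERPRINTS = {
    64: {5840, 14600, 29200, 64240, 65535},   # Linux / macOS
    128: {8192, 64240, 65535},                # Windows
    255: {4128, 8760, 65535},                 # router / legacy Unix
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    ttl: int
    window: Optional[int] = None          # TCP only
    icmp_payload: Optional[bytes] = None  # ICMP only


def parse_ipv4(raw: bytes) -> Packet:
    """Parse a bare IPv4 packet (no link-layer header) into the fields we need."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tot, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    body = raw[(ver_ihl & 0x0F) * 4:]
    pkt = Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, ttl)
    if proto == PROTO_TCP and len(body) >= 20:
        pkt.window = struct.unpack("!H", body[14:16])[0]   # TCP window field
    elif proto == PROTO_ICMP and len(body) >= 8:
        pkt.icmp_payload = body[8:]                        # after type/code/csum/id/seq
    return pkt


def implied_initial_ttl(ttl: int) -> int:
    """Smallest common initial TTL the observed value could have started from."""
    return min(t for t in INITIAL_TTLS if t >= ttl)


def suspicious_reasons(raw: bytes) -> List[str]:
    """Return the heuristics a packet trips; an empty list means nothing stood out."""
    pkt = parse_ipv4(raw)
    reasons = []
    start = implied_initial_ttl(pkt.ttl)
    hops = start - pkt.ttl
    # TTL spoofing: a value implying an absurd hop count was set by hand.
    if hops > MAX_PLAUSIBLE_HOPS:
        reasons.append(f"ttl {pkt.ttl} implies {hops} hops from initial {start}")
    # OS spoofing: the window size should fit the OS family the TTL points at.
    if pkt.window is not None and pkt.window not in WINDOW_FINGERPRINTS[start]:
        reasons.append(f"window {pkt.window} does not fit OS family with initial ttl {start}")
    # Marker payload reported in some storms.
    if pkt.icmp_payload and b"LOVE" in pkt.icmp_payload:
        reasons.append("ICMP payload contains ASCII 'LOVE'")
    return reasons


# --- constructed sample traffic (not real captures) -------------------------

def build_ipv4(src: str, dst: str, proto: int, ttl: int, body: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body


def build_tcp_syn(sport: int, dport: int, window: int) -> bytes:
    # ports, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, window, 0, 0)


def build_icmp_echo(payload: bytes) -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 0, 0) + payload   # echo request


SAMPLE_PACKETS = [
    # 0: ordinary Linux client 8 hops away: nothing to flag
    build_ipv4("192.0.2.10", "198.51.100.1", PROTO_TCP, 56, build_tcp_syn(40000, 443, 64240)),
    # 1: TTL 120 with a Windows-like window: passes, so the band alone is not a tell
    build_ipv4("192.0.2.11", "198.51.100.1", PROTO_TCP, 120, build_tcp_syn(40001, 443, 64240)),
    # 2: TTL 150 would need 105 hops from 255
    build_ipv4("192.0.2.12", "198.51.100.1", PROTO_TCP, 150, build_tcp_syn(40002, 443, 65535)),
    # 3: TTL 200 plus a window that fits no OS starting at 255
    build_ipv4("192.0.2.13", "198.51.100.1", PROTO_TCP, 200, build_tcp_syn(40003, 443, 8192)),
    # 4: ICMP echo carrying the 'LOVE' marker
    build_ipv4("192.0.2.14", "198.51.100.1", PROTO_ICMP, 180, build_icmp_echo(b"LOVE")),
]

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_PACKETS):
        print(i, suspicious_reasons(raw) or "clean")
```

Two points the samples make: a TTL of 120 with a matching window passes both checks, so the 120 to 200 band is not a signature on its own, while 150 or 200 imply hop counts no real path produces. The window check is the weaker of the two, since 65535 is a common default for several OS families and a spoofer who picks it slips through; in practice these per-packet heuristics are a triage step ahead of correlating volume and source diversity across the millions of addresses a storm uses. Feeding real captures, such as the PCAPs GreyNoise has published, would require a pcap reader in front of parse_ipv4, which only takes bare IPv4 bytes.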


Possible Motivations Behind Noise Storms

The frequency and persistence of Noise Storms raise big questions about the overall strategy at play. Given their connection to major Chinese platforms and the timing of certain storms with geopolitical events, it’s possible that these storms are part of a larger, state-sponsored campaign—whether for espionage, cyber warfare, or something else entirely. While much of this remains speculative, the link to Chinese infrastructure can’t be ignored.


GreyNoise’s Call for Global Collaboration

GreyNoise has urged security leaders to take these threats seriously and to rethink their defense strategies. Traditional methods for detecting DDoS attacks or network anomalies may not be enough to deal with threats like Noise Storms. GreyNoise stresses the need for advanced, real-time monitoring tools that can pick up on unusual patterns in TCP and ICMP traffic, as well as more proactive measures to stay ahead of these sophisticated threats.

In the meantime, GreyNoise is continuing its investigation and has called on the cybersecurity community to help analyze the traffic associated with Noise Storms. The company has shared packet captures (PCAPs) of recent storms on its GitHub, inviting researchers to collaborate and uncover more about this mysterious activity. While much remains unknown, the persistence and evolution of Noise Storms over the past four years show that this is a threat we can’t afford to ignore.

As this situation unfolds, it’s crucial for the cybersecurity community to stay engaged and keep exploring what these Noise Storms might mean. While the full purpose behind them is still unclear, the evidence so far points to a well-coordinated effort by a capable adversary—one whose intentions, though still a mystery, could have serious consequences if left unchecked.


How Can Netizen Help?

Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact


Copyright © Netizen Corporation. All Rights Reserved.