Threat intelligence company GreyNoise warns of a concerning phenomenon involving massive amounts of spoofed traffic that is likely linked to China.

Periodically since January 2020, millions of IPs are seen generating spoofed traffic that looks like a broadcast, which GreyNoise has named Noise Storm.

Typically focusing on TCP connections, the storms may also be formed of ICMP packets, but never of UDP packets – which are typically used in distributed denial-of-service (DoS) attacks – which may suggest that the sender is concerned with who is receiving the traffic.

Observed characteristics of the traffic include Time To Live (TTL) spoofing that mimics realistic network hops, spoofed window sizes to emulate traffic from different operating systems, and increased intensity and focus on certain segments of the internet.

A Noise Storm that is happening now, GreyNoise explains, involves roughly five million IPs apparently located in Brazil, but deeper analysis has revealed that the traffic may originate from China.

“Our analysis has revealed that the Autonomous System Number (ASN) associated with the ICMP traffic is linked to a Content Delivery Network (CDN) servicing major Chinese platforms like QQ, WeChat, and WePay,” GreyNoise explains.

The connection to China raises further concerns, as it suggests that sophisticated threat actors are behind the spoofed traffic and that deliberate obfuscation is being used to hide its true intent.

GreyNoise also noticed that recent storms are affecting major providers such as Cogent, Lumen, and Hurricane Electric, but avoid AWS, which suggests that a “sophisticated, potentially organized actor with a clear agenda” is responsible for them.

However, the purpose of these storms is unclear, and possible explanations include covert communication, router misconfigurations, elaborate command-and-control (C&C) mechanisms, sophisticated DDoS attacks, and congestion leading to traffic manipulation.

Additionally, GreyNoise has identified and isolated certain patterns in the spoofed traffic, such as the ASCII string ‘LOVE’ in the ICMP packets, which reinforce the hypothesis that the storms may be used as a covert communications channel.

What’s more, several of the Noise Storms, the cybersecurity firm notes, have coincided with news reports describing noteworthy military actions.

“These persistent mysteries add new layers of complexity to the cybersecurity landscape, prompting security leaders to reevaluate their defenses and ensure they are equipped with the right tools for an ironclad security posture,” GreyNoise says.

While it is unclear who is behind the Noise Storms, the connection to China does not appear far-fetched. In April, Infoblox detailed how China-linked threat actor Muddling Meerkat had been using the country’s Great Firewall (GFW) to probe the internet using manipulated DNS mail server records.

Related: Chinese Hackers Have Been Probing DNS Networks Globally for Years: Report

Related: House Report Shows Chinese Cranes a Security Risk to US Ports

Related: Japan Says Chinese Military Likely Behind Cyberattacks

Related: Czech Intel Report Targets Russian, Chinese Spies