Accusing the U.S. and its allies of concocting the fictitious entity known as Volt Typhoon, China’s National Computer Virus Emergency Response Center (CVERC) has reinforced its stance.
Together with the National Engineering Laboratory for Computer Virus Prevention Technology, the agency has accused the U.S. federal government, its intelligence agencies, and the Five Eyes nations of conducting cyber espionage operations against countries including China, France, Germany, and Japan, and against internet users worldwide.
An assertion was made about the presence of “solid evidence” suggesting that the U.S. conducts deceptive operations to mask its own malicious cyber assaults. The statement mentioned the fabrication of the “supposed threat of Chinese cyber attacks” by the U.S. and the establishment of an extensive global internet surveillance network.
“The Volt Typhoon, scripted, directed, and performed by the U.S. federal government, has been entirely discredited as the U.S. utilised supply chain attacks, inserted backdoors in internet products, and ‘pre-positioned’,” the agency said.
“The U.S. military base in Guam has not been subjected to the cyber attacks attributed to Volt Typhoon. Instead, it has been identified as the instigator of numerous cyber intrusions targeting China, Southeast Asian countries, and functioning as the central hub for siphoning off data.”
Notably, an earlier CVERC publication in July had already described Volt Typhoon as a disinformation campaign orchestrated by U.S. intelligence bodies.
Volt Typhoon is the name given to a China-linked cyber espionage group believed to have been active since 2019. It is known for infiltrating critical infrastructure networks by routing its traffic through edge devices, compromising routers, firewalls, and VPN hardware so that its activity blends in with legitimate traffic and evades detection.
Recent developments in late August 2024 revealed its involvement in the exploitation of a zero-day vulnerability impacting Versa Director (CVE-2024-39717, CVSS score: 6.6) to distribute a web shell called VersaMem for streamlining credential theft and executing arbitrary code.
The use of edge devices by China-linked intrusion groups has become a recognizable trend in recent years, with some operations deploying them as Operational Relay Boxes (ORBs) to evade detection.
Recently, a report by French cybersecurity firm Sekoia attributed to threat actors likely of Chinese origin a widespread campaign that compromised edge devices such as routers and cameras to deploy backdoors including GobRAT and Bulbature for subsequent targeted attacks.
“Bulbature, an implant undocumented in public sources, is potentially utilized to transform the compromised edge device into an ORB, facilitating attacks against networks of final victims,” the researchers said.
“By organizing compromised edge devices as ORBs, operators can execute offensive cyber operations globally near their ultimate targets while concealing their whereabouts through custom proxy tunnels.”
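The mechanism described above, compromised consumer routers and cameras acting as proxy exits close to the eventual target, leaves a detectable pattern on the defender's side: a single account signing in from several unrelated residential addresses within minutes, or one residential address serving several unrelated accounts. The following script is an added example written for this article and is not code from Sekoia or from any of the reports discussed; the log lines, the IP-to-ASN table and the ASN categories are all constructed placeholders, and the function names are the author's own.

```python
"""
Added example (not from the article, Sekoia, or CVERC): a small defender-side
heuristic for spotting sign-ins that may be relayed through an Operational
Relay Box (ORB) network of compromised SOHO routers and IP cameras.
All data below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed lookup: source prefix -> (ASN, category). In a real deployment
# this would come from an IP-to-ASN feed plus an internal list of ASNs that
# are predominantly consumer broadband or IoT-heavy.
ASN_TABLE = {
    "203.0.113.": ("AS64500", "residential"),   # constructed placeholder
    "198.51.100.": ("AS64501", "residential"),  # constructed placeholder
    "192.0.2.": ("AS64502", "hosting"),         # constructed placeholder
    "10.0.": ("AS0", "corporate"),              # constructed placeholder (internal)
}

# Constructed VPN/SSO sign-in records in the form
# "<timestamp> user=<name> src=<ip> result=<success|failure>"
SAMPLE_LOG = """\
2024-10-14T08:01:10Z user=alice src=10.0.4.7 result=success
2024-10-14T08:03:42Z user=alice src=203.0.113.5 result=success
2024-10-14T08:04:05Z user=bob src=198.51.100.9 result=failure
2024-10-14T08:04:11Z user=bob src=198.51.100.22 result=failure
2024-10-14T08:04:20Z user=bob src=203.0.113.77 result=success
2024-10-14T08:06:02Z user=carol src=203.0.113.77 result=success
2024-10-14T08:10:00Z user=carol src=192.0.2.30 result=success
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)"
)


def classify_ip(ip):
    """Return (asn, category) for the longest matching constructed prefix."""
    best = None
    for prefix, info in ASN_TABLE.items():
        if ip.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, info)
    return best[1] if best else ("UNKNOWN", "unknown")


def parse_log(text):
    """Parse the sign-in log into a list of dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_orb_suspects(events, min_residential_ips=2):
    """
    Heuristic 1: an account seen from two or more distinct residential/IoT
    source IPs. Genuine users rarely hop between unrelated consumer broadband
    addresses within minutes; an ORB network rotating exit nodes does.
    Returns {user: sorted list of residential source IPs}.
    """
    per_user = defaultdict(set)
    for ev in events:
        _asn, category = classify_ip(ev["src"])
        if category == "residential":
            per_user[ev["user"]].add(ev["src"])
    return {u: sorted(ips) for u, ips in per_user.items()
            if len(ips) >= min_residential_ips}


def find_shared_exits(events, min_users=2):
    """
    Heuristic 2: one residential/IoT source IP used by several accounts.
    A home router normally serves one household, not multiple corporate users;
    a shared exit suggests a proxy in front of the real operator.
    Returns {ip: sorted list of users}.
    """
    per_ip = defaultdict(set)
    for ev in events:
        _asn, category = classify_ip(ev["src"])
        if category == "residential":
            per_ip[ev["src"]].add(ev["user"])
    return {ip: sorted(users) for ip, users in per_ip.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("accounts hopping across residential IPs:", find_orb_suspects(evs))
    print("residential IPs shared by several accounts:", find_shared_exits(evs))
```

Both heuristics are deliberately simple and will produce false positives on their own (mobile users, carrier-grade NAT, remote staff sharing a home connection), so they are best used to raise the priority of an alert or to enrich an investigation rather than to block traffic outright. The ASN category table is the part that matters: the quality of the residential/IoT classification determines how useful the output is.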
According to the 59-page dossier, more than 50 security professionals from the U.S., Europe, and Asia have contacted CVERC to express reservations about “the U.S. false narrative” concerning Volt Typhoon and the absence of proof connecting the group to China.
The CVERC did not, however, disclose the identities of these experts or their reasons for supporting its position. It further alleged that U.S. intelligence agencies developed, prior to 2015, a clandestine toolkit named Marble with the aim of complicating attribution efforts.
“The toolkit, a framework capable of merging with other cyber weapon projects, helps cyber weapon creators in obscuring identifiable features within code, effectively eradicating the fingerprints of developers,” it elaborated.
“Moreover, the framework boasts a more audacious capability by embedding strings in foreign languages such as Chinese, Russian, Korean, Persian, and Arabic, evidently intending to mislead investigators and pin the blame on China, Russia, North Korea, Iran, and Arab regions.”
The report went on to accuse the U.S. of leveraging its “innate technological supremacy and geographical positioning in internet infrastructure” to control the fiber optic cables spanning the Atlantic and the Pacific, and of exploiting them for large-scale surveillance of internet users.
It also claimed that companies such as Microsoft and CrowdStrike have resorted to assigning “absurd” names with “overt geopolitical undertones” to threat actor groups, such as “typhoon,” “panda,” and “dragon.”
“Once again, we appeal for extensive international cooperation in this domain,” it concluded. “Additionally, cybersecurity firms and research institutions should focus on advancing counter-cyber threat technologies and enhancing products and services for end users.”