China Accuses US of Fabricating Volt Typhoon

China's National Computer Virus Emergency Response Center (CVERC) has doubled down on claims that the threat actor known as Volt Typhoon is a fabrication of the US and its allies.  The agency, in collaboration with the National Engineering Laboratory for Computer Virus Prevention Technology, accused the US federal government, intelligence agencies, and Five Eyes countries of conducting cyber espionage activities against China, France, Germany, Japan, and internet users globally.  Remember, this is the same government that made COVID-19, allowed it to spread around the world, killed millions, and got away with denying it.

See:  https://redskyalliance.org/xindustry/volt-typhoon-and-electricity

It also said there's "ironclad evidence" indicating that the US carries out false flag operations to conceal its malicious cyber-attacks, adding it is inventing the "so-called danger of Chinese cyber-attacks" and that it has established a "large-scale global internet surveillance network."  "And the fact that the US adopted supply chain attacks, implanted backdoors in internet products and 'pre-positioned' has completely debunked the Volt Typhoon; a political farce written, directed, and acted by the US federal government," it said.  "The US military base in Guam has not been a victim of the Volt Typhoon cyber-attacks at all, but the initiator of a large number of cyberattacks against China and many Southeast Asian countries and the backhaul center of stolen data."  It is worth noting that a previous report published by CVERC in July characterized the Volt Typhoon actor as a misinformation campaign orchestrated by the US intelligence agencies.[1]

Volt Typhoon is the name assigned to a China-nexus cyber-espionage group believed to have been active since 2019.  The group stealthily embeds itself in critical infrastructure networks by routing its traffic through edge devices such as routers, firewalls, and VPN hardware, so that its activity blends in with normal traffic and stays under the radar.

As recently as late August 2024, it was linked to the zero-day exploitation of a high-severity security flaw in Versa Director (CVE-2024-39717, CVSS score: 6.6) to deliver a web shell named VersaMem, which facilitates credential theft and arbitrary code execution.

The use of edge devices by China-linked intrusion sets has become a pattern in recent years, with some campaigns leveraging them as Operational Relay Boxes (ORBs) to evade detection.  This is substantiated by a recent report published by French cybersecurity company Sekoia, which attributed a wide-ranging attack campaign to threat actors likely of Chinese origin; the campaign infects edge devices such as routers and cameras to deploy backdoors like GobRAT and Bulbature for follow-on attacks against targets of interest.  "Bulbature, an implant that was not yet documented in open source, seems to be only used to transform the compromised edge device into an ORB to relay attacks against final victims' networks," the researchers said.  "This architecture, consisting of compromised edge devices acting as ORBs, allows an operator to carry out offensive cyber operations around the world near the final targets and hide its location by creating on-demand proxy tunnels."
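The relay architecture described above leaves a recognisable traffic shape on the defender's side: an edge device accepts an inbound connection from an address outside the organisation and, shortly afterwards, opens its own connections toward several internal hosts.  The following Python script is an added example, not code from the article, Sekoia, or Red Sky Alliance; it runs that heuristic over a handful of constructed flow records (TEST-NET addresses, invented timestamps) and uses an assumed per-device allowlist of internal peers the edge device is expected to talk to, so that a VPN concentrator forwarding traffic to its own RADIUS server is not reported.

```python
"""Heuristic for ORB-style relay behaviour on an edge device.

Flags an edge device (router, firewall, VPN gateway) that receives an inbound
connection from an external address and, within a short window, initiates
connections to two or more internal hosts that are not among its expected
peers.  All flow data below is constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

# RFC 1918 ranges are treated as the monitored internal network.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since epoch (constructed)
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(
    flows: Iterable[Flow],
    edge_devices: Iterable[str],
    expected_peers: Dict[str, Set[str]] = None,
    window: float = 60.0,
    min_targets: int = 2,
) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Return {edge_ip: [(external_source, [internal_targets]), ...]}.

    A finding is raised when, within `window` seconds of an inbound external
    connection to the edge device, the device itself connects to at least
    `min_targets` distinct internal hosts not listed in `expected_peers`.
    """
    expected_peers = expected_peers or {}
    ordered = sorted(flows, key=lambda f: f.ts)
    findings: Dict[str, List[Tuple[str, List[str]]]] = {}

    for edge in edge_devices:
        allowed = expected_peers.get(edge, set())
        # Inbound: external source -> edge device.
        inbound = [f for f in ordered if f.dst == edge and not is_internal(f.src)]
        # Outbound: edge device -> internal host, excluding known-good peers.
        outbound = [
            f for f in ordered
            if f.src == edge and is_internal(f.dst) and f.dst not in allowed
        ]
        per_source: Dict[str, Set[str]] = {}
        for inb in inbound:
            hits = {o.dst for o in outbound if inb.ts <= o.ts <= inb.ts + window}
            if hits:
                per_source.setdefault(inb.src, set()).update(hits)
        for src, targets in per_source.items():
            if len(targets) >= min_targets:
                findings.setdefault(edge, []).append(
                    (src, sorted(targets, key=ip_address))
                )
    return findings


# Constructed sample: one edge device relaying, one behaving normally.
EDGE_DEVICES = ["203.0.113.10", "203.0.113.20"]
EXPECTED_PEERS = {"203.0.113.10": {"10.0.0.2"}}  # assumed RADIUS server
SAMPLE_FLOWS = [
    Flow(100.0, "198.51.100.7", "203.0.113.10", 443),   # external -> edge
    Flow(105.0, "203.0.113.10", "10.0.0.5", 445),       # edge -> internal
    Flow(112.0, "203.0.113.10", "10.0.0.8", 3389),      # edge -> internal
    Flow(130.0, "203.0.113.10", "10.0.0.12", 22),       # edge -> internal
    Flow(200.0, "203.0.113.20", "10.0.0.5", 443),       # no inbound trigger
    Flow(500.0, "192.0.2.50", "203.0.113.10", 443),     # VPN user logs in
    Flow(502.0, "203.0.113.10", "10.0.0.2", 1812),      # expected RADIUS peer
]


if __name__ == "__main__":
    for edge, hits in find_relay_candidates(SAMPLE_FLOWS, EDGE_DEVICES, EXPECTED_PEERS).items():
        for src, targets in hits:
            print(f"{edge}: inbound from {src}, then outbound to {', '.join(targets)}")
```

On the sample data only 203.0.113.10 is reported, triggered by 198.51.100.7 and followed by connections to 10.0.0.5, 10.0.0.8 and 10.0.0.12; the later VPN login is not flagged because its only follow-on connection goes to the allowlisted RADIUS server.  The window and target threshold are starting points; a gateway that legitimately forwards user traffic needs its expected peer set populated from a baseline before this heuristic is useful.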

In the latest 59-page document, Chinese authorities said more than 50 security experts from the US, Europe, and Asia reached out to the CVERC, expressing concerns about "the US false narrative" about Volt Typhoon and the lack of evidence linking the threat actor to China.  The CVERC neither named those experts nor gave their reasons for backing the hypothesis.  It further stated that the US intelligence agencies created a stealthy toolkit named Marble no later than 2015 to confuse attribution efforts.  "The toolkit is a tool framework that can be integrated with other cyber weapon development projects to assist cyber weapon developers in obfuscating various identifiable features in program code, effectively 'erasing' the 'fingerprints' of cyber weapon developers," it said.

"What's more, the framework has a more 'shameless' function to insert strings in other languages, such as Chinese, Russian, Korean, Persian, and Arabic, which is intended to mislead investigators and frame China, Russia, North Korea, Iran, and Arab countries."

The report further takes the opportunity to accuse the US of relying on its "innate technological advantages and geological advantages in the construction of the internet" to control fiber optic cables across the Atlantic and the Pacific and of using them for "indiscriminate monitoring" of internet users worldwide.  It also alleges that companies like Microsoft and CrowdStrike have resorted to giving "absurd" names with "obvious geopolitical overtones" to threat activity groups, such as "typhoon," "panda," and "dragon."  "Again, we would like to call for extensive international collaboration in this field," it concluded.  "Moreover, cybersecurity companies and research institutions should focus on counter-cyber threat technology research and better products and services for users."

Jim McKee, CEO of Red Sky Alliance Corp., was quoted as saying, “Liar, liar pants on fire,” after reading the CVERC report.


This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424


[1] https://thehackernews.com/2024/10/china-accuses-us-of-fabricating-volt.html
