In February 2024, a US Congressional Committee convened to address the alleged “cyber threat” posed by China. The focus of concern was a Chinese state-sponsored hacking group known as “Volt Typhoon.” This organization had reportedly launched a series of activities targeting critical infrastructure networks within the United States. The accusation against Volt Typhoon originated from a joint advisory issued by the cybersecurity authorities of the United States and its intelligence partners, collectively known as the “Five Eyes” (US, UK, Australia, Canada, New Zealand). This advisory was based on a report released by US Company Microsoft.
Allegedly, Volt Typhoon, active since mid-2021, specializes in espionage and information gathering. Microsoft’s investigation revealed surreptitiously malicious activities aimed at critical infrastructure entities across various sectors in the United States, including communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education. The group employs a stealth technique using “living-off-the-land” methods, relying heavily on approaches which issue commands to collect data, including credentials from local and network systems. To maintain undetected access, Volt Typhoon reportedly utilizes stolen valid credentials and routes its traffic through compromised small office and home office (SOHO) network equipment, such as routers, firewalls and VPN hardware.
By hyping up the “Volt Typhoon” narrative, certain US politicians advocate for increased cybersecurity investment by the US Congress. Simultaneously, companies stand to gain from winning lucrative cybersecurity contracts. The convergence of political manoeuvring and business incentive muddies the waters, leaving the truth obscured. There are geopolitical implications because the US approach of using cyber attack source-tracing to serve its self-interests reflects a knee-jerk policy toward China, which risks damaging the delicate order of global cyberspace, straining China-US relations, and tarnishing the reputation of the US government on the global stage. In the intricate dance of cyber narratives, discerning fact from fiction requires a critical eye. Let us delve deeper to ascertain whether Volt Typhoon is indeed a phantom or a genuine threat.
Researchers consider multiple factors, including technical evidence, historical patterns, and geopolitical context. However, linking the Volt Typhoon group to China based on its TTPs, infrastructure, and targets is unfair. Transparency is crucial. When security companies or government agencies attribute cyber activity, they should provide evidence and context. This helps build trust and allows the broader cybersecurity community to assess the claims independently. It is essential to approach any attribution with a healthy dose of scepticism. While some attacks are well-documented, others remain murky. Analysts, policymakers, and the public should critically evaluate claims and consider alternative explanations.
China’s Foreign Ministry spokesperson Lin Jian, at a daily press briefing, has urged the United States to immediately stop its cyber attacks against China and stop smearing China. To support his argument, the spokesperson has highlighted China’s National Computer Virus Emergency Response Centre and the 360 Digital Security Group jointly published report titled “Volt Typhoon: A Conspiratorial Swindling Campaign Targets with US Congress and Taxpayers Conducted by US Intelligence Community”. It is imperative that analysts, policymakers, and the public critically evaluate attribution claims, considering alternative explanations. Ascribing cyber attacks is a multifaceted process, necessitating reliance on evidence, transparency, and independent analysis. In this intricate landscape, differing perspectives abound, and discussions must remain open and informed.
Lin asserted that according to the report, ‘Volt Typhoon’ is actually a ransomware cybercriminal group that calls itself the ‘Dark Power’ and is not sponsored by any state or region”, adding that there are signs that in order to receive more congressional budgetary spending and government contracts, the US intelligence community and cybersecurity companies have been secretly collaborating to piece together false evidence and spread disinformation about so-called Chinese government’s support for cyber attacks against the United States. The Chinese FO spokesperson highlighted that some in the United States have been using origin-tracing of cyber attacks as a tool to hit and frame China, claiming that the United States is the victim while it’s the other way round.
When attributing cyber attacks, researchers delve into a complex web of factors: technical evidence, historical patterns, and geopolitical context. Yet, linking the Volt Typhoon group to China based solely on its tactics, techniques, and targets is a precarious endeavour. Geopolitical tensions often colour our perceptions of attribution, intertwining accusations with broader political and economic narratives. In a nutshell, the Volt Typhoon saga has been a tangled web of intrigue, misinformation, and political manoeuvring. The false narrative of Volt Typhoon being a China-sponsored actor is collusion among the US politicians, Intelligence community and IT Companies with the intention of hyping the “China threat theory”: Creating fear around China’s cyber capabilities.
In this digital cat-and-mouse game, truth and deception blur, leaving us questioning who pulls the strings behind the scenes. The analogy of “giving a dog a bad name and hanging it” seems apt in this context. When accusations are made without sufficient evidence or context, it can unfairly tarnish a country’s reputation. In the case of “Volt Typhoon,” China refutes the US assertions and emphasizes that the cybercriminal group responsible is not state-sponsored. It is crucial for nations to engage in thorough investigations and dialogue rather than making hasty accusations that could harm diplomatic relations and lawful rights.