China’s National Computer Virus Response Center (CVERC) doubled down on its claims that the threat actor known as Volt Typhoon is an invention of the US and its allies.
The agency, in cooperation with the National Computer Virus Prevention Technology Laboratory, accused the US federal government, its intelligence agencies and the “Five Eyes” countries of cyber espionage against China, France, Germany, Japan and Internet users worldwide.
It also said there was “ironclad evidence” that the US was conducting false flag operations to try to hide its own malicious cyber attacks, adding that it was inventing the “so-called danger of Chinese cyber attacks” and that it had created a “large scale global online surveillance network”.
“And the fact that the US has embraced supply chain attacks, implemented backdoors into online products, and ‘pre-positioned’ has completely debunked Volt Typhoon – a political farce written, directed and executed by the US federal government,” it said.
“The US military base in Guam was not at all a victim of the Volt Typhoon cyberattacks, but the initiator of a large number of cyberattacks against China and many countries in Southeast Asia and the center of the transfer of stolen data.”
It should be noted that a preliminary report published by CVERC in July characterized Volt Typhoon as a misinformation campaign organized by American intelligence services.
Volt Typhoon is the alias given to a China-linked cyberespionage group believed to have been active since 2019, stealthily embedding itself into critical infrastructure networks and routing its traffic through compromised edge devices such as routers, firewalls and VPN equipment in an effort to fly under the radar.
Back in late August 2024, it was linked to the zero-day exploitation of a high-severity security flaw affecting Versa Director (CVE-2024-39717, CVSS score: 6.6) to deliver a web shell called VersaMem that facilitates credential theft and the execution of arbitrary code.
The use of edge devices by China-linked intrusion sets has become a recurring pattern in recent years, with some of them using such devices as operational relay boxes (ORBs) to avoid detection.
This is confirmed by a recent report published by French cyber security company Sekoia, which attributed to threat actors of likely Chinese origin a large-scale campaign that infects edge devices such as routers and cameras to deploy backdoors such as GobRAT and Bulbature for follow-on attacks against targets of interest.
“Bulbature, an implant that has not yet been documented in open source, appears to be used only to transform a compromised edge device into an ORB to transmit attacks against victims’ end networks,” the researchers said.
“Consisting of compromised edge devices acting as ORBs, this architecture allows an operator to conduct offensive cyber operations around the world close to end targets and hide their location by creating proxy tunnels on demand.”
In the latest 59-page document, Chinese authorities said more than 50 security experts from the US, Europe and Asia had approached CVERC expressing concern over the “false US narrative” about Volt Typhoon and the lack of evidence linking the threat to China.
CVERC, however, did not name these experts or give the reasons for their support of this position. It went on to say that US intelligence agencies created a covert toolkit called Marble no later than 2015 with the intention of obfuscating attribution attempts.
“The toolkit is a tool framework that can be integrated with other cyberweapons development projects to assist cyberweapons developers in obfuscating various identifiable functions in software code, effectively erasing the cyberweapons developers’ fingerprints,” it said.
“Furthermore, the framework has a more ‘shameless’ feature to insert strings in other languages, such as Chinese, Russian, Korean, Persian, and Arabic, which is clearly designed to mislead investigators and implicate China, Russia, North Korea, Iran and Arab countries.”
The report also takes the opportunity to accuse the US of relying on its “inherent technological and geological advantages in building the Internet” to control fiber optic cables across the Atlantic and Pacific oceans and use them to “indiscriminately monitor” Internet users all over the world.
It also alleged that companies such as Microsoft and CrowdStrike give “absurd” aliases with “obvious geopolitical undertones” to threat groups with names such as “typhoon”, “panda” and “dragon”.
“Again, we would like to call for extensive international cooperation in this area,” it concluded. “Furthermore, cybersecurity companies and research institutions should focus on researching cyber-threat technologies and improving products and services for users.”