
Volt Typhoon Cyber Threats: A Dedicated Scam or a Real Cyberbattle?

Sep 13, 2024
Zhonghua Sheng
Researcher and Postdoctoral Fellow, Centre for Contemporary China and the World, The University of Hong Kong

In recent years, cybersecurity has emerged as a key flashpoint in the fraught relationship between China and the United States. Among the various issues straining the bilateral relationship, few have escalated as rapidly as cybersecurity, causing numerous frictions in a short period. Growing mutual distrust regarding each other's actions in cyberspace is deepening tensions and leading to serious negative impacts on the long-term strategic intentions of both nations. The situation took a significant turn in 2023 with the Volt Typhoon cyberattacks, which caused both technical and diplomatic confrontations between China and the U.S., raising the specter of a potential cyber war between the two powers.

The Volt Typhoon misinformation campaign was first named by Microsoft in a 2023 report, which noted that Volt Typhoon could disrupt critical communications infrastructure between the U.S. and Asian regions such as Guam during future crises. On May 24, 2023, the cybersecurity authorities of the Five Eyes alliance jointly issued a warning, stating that the Volt Typhoon hacker group had conducted cyber espionage activities targeting critical infrastructure in the U.S. On January 31, 2024, the U.S. House of Representatives Select Committee on the Chinese Communist Party held a hearing about Volt Typhoon. Attendees included multiple high-level U.S. cybersecurity officials, including General Paul Nakasone, the then Commander of U.S. Cyber Command and Director of the National Security Agency (NSA), Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), and Christopher Wray, Director of the Federal Bureau of Investigation (FBI). This hearing depicted Volt Typhoon as a “demon” Chinese government initiative capable of overthrowing the U.S. government through cyberattacks and endangering American lives by sabotaging critical infrastructure.

In response, China's National Computer Virus Emergency Response Center (CVERC) and other technical teams launched a traceability analysis and issued two response investigation reports, in March and July 2024 respectively, including a special report titled "Volt Typhoon II—Unveiling the U.S. Government Agencies' Disinformation Campaign Against Congress and Taxpayers." These reports stated that Volt Typhoon was initiated at the beginning of 2023 or even earlier. They analyzed the sample information listed in the technical-characteristics sections of the two reports published by the U.S. and used Google's VirusTotal (VT) multi-engine file analysis platform to search for these samples one by one. In the end, they could only find information on 13 samples, and each sample was associated with multiple IP addresses.

Subsequently, the joint investigation technical team used the VT platform's threat intelligence association analysis tool to re-analyze the five relatively concentrated IP addresses mentioned above. There were two main findings: 1) the IP addresses used in Volt Typhoon were tied to other network attack incidents, and 2) there were additional IP addresses associated with the same attack incident or cybersecurity risk. Among them, a cyberattack incident report associated with these five IP addresses was the "Research Report on the Dark Power Ransomware Gang," released by ThreatMon on April 11, 2023. After moving the back cover picture, the researchers found the IP address list of the Indicators of Compromise (IoCs) they were looking for.

According to these address lists, CVERC found that the company had discovered the "Dark Power" ransomware organization as early as January 2023, and that the organization's attack methods were very similar to those of Volt Typhoon. Additionally, the report found that the ransomware group that attacked Guam also attacked other Pacific Island countries such as Vanuatu, not just U.S. affiliates. After analyzing the technical characteristics of the malicious program samples reported in the relevant reports, CVERC concluded that the Volt Typhoon samples did not show clear behavioral characteristics of hacker organizations with national backgrounds but were more clearly related to cybercrime gangs such as the "Dark Power" ransomware group.

There was no response from CISA after China released these reports. However, ThreatMon, the company involved in the incident, modified its report after supposedly being pressured by the U.S. government. The evidence originally attached to the back of the picture, which showcased the associated IP addresses, disappeared, according to Recorded Future News. This seems to indicate that the U.S. cybersecurity company could be tampering with its reports.

Whether Volt Typhoon is a state-sponsored attack or not is a complex question of cybersecurity technical analysis, which is not the focus of social science scholars such as ourselves. However, the evidence the U.S. used to accuse China of launching a cyberattack is insufficient to truly determine whether the attack was state-sponsored. Both the early warning notice of the "Five Eyes Alliance" and the technical reports from Microsoft only describe the attacker's technical characteristics and IoCs. They do not present a specific traceability analysis process that would justify labeling Volt Typhoon a "hacker organization with Chinese government support." The label is not backed by sufficient evidence, as the virtuality and anonymity of cyberattacks pose challenges to evidence collection and to tracing Volt Typhoon.

So why did the U.S. choose to focus on Volt Typhoon at this point in time? The U.S. still claims that Volt Typhoon is supported by the Chinese government. Like other initiatives undertaken by the Select Committee, the continued insistence that Volt Typhoon is a Chinese government initiative helps to position China as an enemy of the U.S. The hegemony clause of Section 702 of the Foreign Intelligence Surveillance Act gives the U.S. "warrantless surveillance power," which it uses to continuously strengthen its ability to "fully control" global cyberspace and to suppress and eliminate foreign competitors unwilling to cooperate with U.S. intelligence agencies in implementing cyber surveillance, thereby maintaining U.S. cyber hegemony and protecting U.S. long-term interests. Claiming that Volt Typhoon and other related incidents are tied to the Chinese government drums up support for laws such as Section 702.

Since its implementation, "Section 702" has been controversial in the U.S. and around the world. The U.S. "Foreign Intelligence Surveillance Act (FISA)" was introduced after the Watergate incident. Its original intention was to prevent executive authorities from abusing their power and conducting arbitrary surveillance. However, Section 702, which was added in 2008, allows security departments to conduct surveillance without court permission. "Section 702" authorizes U.S. government agencies to conduct targeted intelligence surveillance on foreigners living outside the U.S., and forces internet technology companies such as Microsoft and Apple to hand over personal data of citizens collected during the company's operations.

December 31, 2023 was the sunset date of "Section 702." If Section 702 had expired, the internet intelligence collection methods that many U.S. intelligence agencies rely heavily on would have lost their legal basis. Major intelligence agencies would have had to suspend network and telecommunications monitoring activities, and the global monitoring and surveillance capabilities that U.S. intelligence agencies rely on would have been seriously weakened. By tying the Volt Typhoon hacker group to the Chinese government, the Select Committee strengthened the "China threat theory," garnering support for an extension of Section 702.

On April 18, 2024, FBI Director Christopher Wray delivered a public speech at Vanderbilt University in Tennessee, claiming that the Chinese government-backed Volt Typhoon organization had successfully infiltrated numerous American companies, including 23 pipeline operators. Notably, the day after Wray's speech, Section 702 was authorized for extension. Additionally, on March 11, 2024, the Biden administration announced a record-breaking $13 billion cybersecurity budget request for civilian administrative departments and agencies in the 2025 fiscal year, a $1 billion increase from 2024. CISA requested a $3 billion budget, up by $103 million from the previous year. The budget for the Department of Justice and the FBI included a $25 million increase specifically for enhancing "cyber and counterintelligence investigative capabilities."

Additionally, Volt Typhoon contributed to a further deterioration of the China-U.S. relationship, as the accusations of cyber espionage intensified existing tensions between the two countries. Such incidents typically lead to a hardening of positions and increased suspicion on both sides, making diplomatic engagement more challenging. The U.S. increased its defensive and offensive cyber capabilities, and China likely took steps to bolster its cyber defenses and possibly prepare for retaliatory actions. These types of tit-for-tat accusations often lead to further restrictions on trade and technology exchange between the two countries. Heightened fears of espionage and intellectual property theft result in more stringent regulations on Chinese tech companies operating in the U.S. and vice versa. In the U.S., the event provided a basis for policymakers to push for stricter cybersecurity laws and increased budgets for cyber defense. It also reinforced support for the renewal of surveillance laws such as Section 702.

The Volt Typhoon issue arises from the structural contradiction between China and the U.S. Cyberattacks and potential future AI attacks are the external manifestations of this structural contradiction. We need to expand the convergence of interests, because "there is no winner when the gun is fired." Whether it is a physical war or a cyber war, there will be no winners in a war between China and the U.S. Peace and security in cyberspace need to be maintained by the world, especially China and the U.S. As the two major AI powers, both countries must play their part. They should establish international frameworks, develop and participate in international cybersecurity cooperation, sign international agreements, and conduct information sharing and intelligence exchange on cyber threats from third parties. By effectively managing and addressing bilateral differences on cybersecurity issues through multilateral dialogues and communication mechanisms, China and the U.S. can expand the intersection of their interests in cybersecurity so that both sides can coexist and the world can benefit.
