China Exposes US Lies about Volt Typhoon

Father
Mutual throwing at the fan in the field of infosec between the United States and China, represented by their leading information security vendors, is reaching a new level.

Earlier last month, SentinelOne published a report in which it wrote with a grin about how China fails to attribute cyber attacks to the United States and reproached it for the constant links in its reports to old incidents.

After that, the Chinese Antiy responded to the SentinelOne report with a deeper assessment of the hostile cyberactivity of American companies from a technical point of view, attributing their attacks (including Stuxnet) in retrospect and connections with special services quite tightly and thoroughly.

And in order to finally wipe SentinelOne's nose, "at the request of TV viewers", the Chinese side, represented by the national CERT, rolled out a report (PDF) attributing Volt Typhoon to the activities of a group called Dark Power.

In their opinion, the United States carried out a cunning propaganda operation with the creation and promotion of the Volt Typhoon threat cluster, the aggressive image of which was imposed on China in many recent information security reports.

The purpose of the fraud is to "kill two birds with one stone at once", inflating the "theory of a global Chinese threat" for the national and other CII and inciting the US Congress to allocate appropriate appropriations.

It all started in May 2023, when the Five Eyes cybersecurity authorities rolled out a message about the discovery of an allegedly pro-Chinese APT.

For confirmation, Microsoft was involved, which released the necessary report, which was then replicated by major Western media such as Reuters, the Wall Street Journal and the New York Times.

Later, Lumen Technologies also joined, also linking the KV botnet with Volt Typhoon.

All the companies involved in infosec after this feint received fat state contracts and project financing.

Of course, they forgot about clear attribution.

But Chinese researchers did not; they were able to expose the mentioned attacks and correlate them with cybercriminals from Dark Power, which ThreatMon had previously reported on in its report.

According to them, the group was active long before the events of 2023 and was involved in incidents in Algeria, Egypt, the Czech Republic, Turkey, Israel, Peru, France and the United States.

Thus, according to the Chinese side, "tracking cyber attacks" has essentially become a tool in the hands of the United States to politicize information security issues and exert international pressure on the PRC, which, in turn, called the United States the largest source of cyber attacks and the greatest threat to overall cybersecurity.
The United States continues to connect improvised infosec companies and has even used the capabilities of its partners, continuing to bend the line about the ubiquitous Chinese cyber espionage and promote the Volt Typhoon APT profile created for this purpose.

This time, the British Sophos was thrown into the attack, which turns out to have been fighting the Chinese threat for five years and on this occasion, immediately after Beijing's revelations, suddenly finished and rolled out its report "Pacific Rim" with the results of five years of research.

It claims that the main centers for the development of exploits for Sophos firewalls were the University of Electronic Science and Technology of China and the private company Sichuan Silence Information Technology from the city of Chengdu.

At the same time, the developed exploit chains were then used in campaigns by several Chinese APT groups over the past five years, among which Volt Typhoon, APT31 and APT41 (Winnti) were named.

The attacks were aimed at well-known manufacturers of network devices, including Fortinet, Barracuda, SonicWall, Check Point, D-Link, Cisco, Juniper, NetGear, Sophos (and others), and were carried out through botnets, new exploits, and special malware.

Researchers managed to reach these centers after attackers targeted the headquarters of Cyberoam, a subsidiary of Sophos in India, in 2018.

To do this, they developed their own implant for espionage and for intercepting exploits developed by the Chinese at the stage of their testing on Sophos devices in two locations.

Sophos believes that many zero-day vulnerabilities are being developed by Chinese researchers who share them not only with vendors, but also with the Chinese government and associated APTs.

In addition to Sophos's accusations, a new batch of disclosures was immediately presented by Microsoft with a report on the Quad7 botnet (also known as CovertNetwork-1658 or xlogin), which is based on compromised SOHO routers.

When devices are compromised, attackers deploy malware that provides remote access to devices via Telnet. In other cases, attackers install SOCKS5, which is used to proxy or relay malicious attacks.

Despite the fact that the botnet was not associated with a specific attacker, it was still associated with the Chinese side. And Microsoft believes that the credentials stolen through CovertNetwork-1658 are being used by several Chinese threat actors.

In general, with access to the operations of Chinese APTs in a real-time counter-surveillance format, it is easy to draw analogies with such groups, as in the case of Volt Typhoon.

But we will see how our Chinese colleagues respond.