Volt Typhoon: ghost of Chinese hackers or paranoia of the West

The West has accused China of hiding the traces of its cyberattacks.

China's national Cybersecurity Agency has faced accusations of misrepresenting data from Western cybersecurity companies.

Trellix shared with The Record Media its response to the CVERC report, which claims that the Five Eyes intelligence alliance fabricated evidence of cyber attacks. Trellix said that the Chinese government is trying to refute accusations that a Beijing-backed hacker group was involved in attacks on critical infrastructure in the West.

The Volt Typhoon and Bronze Silhouette hacking groups are making significant efforts to hide their ties to China, reflecting Beijing's growing sensitivity to allegations of cyberattacks. In February, the CISA agency warned that hackers are seeking to gain a foothold in IT networks for possible destructive attacks on critical US infrastructure in the event of a crisis or conflict with the US.

After the CISA warning, CVERC and the English-language edition of the Global Times newspaper (controlled by the Chinese Communist Party) said that no such threat exists. The CVERC report, coordinated with another article in the Global Times, claims that Volt Typhoon is a disinformation campaign that deliberately attributes the Dark Power group's cyberattacks to the Chinese state.

According to Trellix, Dark Power is a targeted ransomware operation. Victim organizations are not clearly linked and are located in different countries (including the United States, France, Israel, Turkey, the Czech Republic, Algeria, Egypt, and Peru). The first attack was recorded by experts at the end of January 2023. Since the campaign was not advertised on hacker forums or in darknet spaces, it is most likely a private project.

The CVERC report contains many grammatical and spelling errors, even in the names of Chinese institutions. In one case, Northwestern Polytechnic University was named Northwestern Pyrotechnic University. SentinelOne noted that the Polytechnic University may have co-authored the report with the Global Times.

The CVERC report misrepresents the confidence language of intelligence analysis, claiming that CISA's assessments differ from those of private information security companies regarding the hackers' activities. CVERC quotes Mandiant, which links UNC5291 activity aimed at the US energy and defense sectors to Volt Typhoon with "average confidence".

Mandiant reported that in January it observed a UNC5291 campaign probing Ivanti Connect Secure devices, but did not record a successful compromise by Volt Typhoon. CVERC interpreted this as contradicting the CISA warning about exploitation of a vulnerability in Ivanti Connect Secure.

The CVERC report also referenced reports from Trellix and ThreatMon that included a hash of a Dark Power ransomware sample which the companies linked to IP addresses used by the Volt Typhoon group. Trellix said that its research does not confirm a link between Dark Power and Volt Typhoon, and that CVERC is using the Trellix blog to spread misinformation.

Neither Mandiant nor ThreatMon responded to requests for comment. Other cybersecurity companies, including Bitdefender, Secureworks, and Microsoft, have also reported cases attributed to Volt Typhoon in which the hackers targeted critical US infrastructure.
