FACT CHECK: Beijing Claims ‘Volt Typhoon’ Is A US Disinformation Campaign

China’s National Computer Virus Emergency Response Center claimed that “Volt Typhoon” is a U.S. intelligence disinformation campaign.

Check out the latest report that reveals the #VoltTyphoon scandal—a disinformation campaign conceived & run by US intelligence community, along with other federal agencies, to frame China with cyberattack allegations.https://t.co/ZvRexMAbaa pic.twitter.com/TXxubPtRsa

— Spokesperson发言人办公室 (@MFA_China) July 8, 2024

Verdict: Misleading

Two of the three companies cited in the report have stated that their research has been misrepresented and mischaracterized. An expert told Check Your Fact that the report was “another instance of Chinese deflection.”

Fact Check:

“Zhang,” a representative from the People’s Republic of China’s embassy in the United States, reached out to Check Your Fact on July 10. (RELATED: Nikki Haley Claims China Has The Largest Navy In The World)

“I noticed Check Your Fact is a media to check the fact of statements or news. It’s very helpful for people to identify the facts and get to know what really happened,” Zhang wrote. “Today, I would like to share a public report with you, which reveals the scandal about the US framing China for being responsible for ‘Volt Typhoon’ in order to advance the US’s geopolitical agenda, which begun at least since 2023.”

What is Volt Typhoon?

Volt Typhoon is a “PRC state-sponsored cyber group” that “has compromised the IT environments of multiple critical infrastructure organizations,” according to a joint cybersecurity advisory from the Cybersecurity and Infrastructure Agency (CISA), several other intelligence agencies and other nations, such as New Zealand.

Volt Typhoon’s “choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operation,” according to the advisory. Volt Typhoon was previously identified by Microsoft in May 2023, which stated that the group “has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States.”

What is the National Computer Virus Emergency Response Center?

The National Computer Virus Emergency Response Center (CVERC) “is the only specialized agency in [China] responsible for computer virus emergency response,” according to its website

“Its main responsibilities are to quickly discover and deal with computer virus epidemics and network attack incidents, and to protect the security of [China’s] computer networks and important information systems,” reads the agency’s website.

What Does This Report Allege? 

The report alleges that Volt Typhoon is a “misinformation campaign” aimed at “U.S. Congress and taxpayers” that was “planned and conducted by U.S. intelligence agencies.”

“During the operation, U.S. intelligence abuse their power to manipulate cybersecurity firms and other agencies, intimidate the American people and congress members with hyping the ‘China threat theory’ and silence the domestic opponents,” the report alleges.

The report also alleges that it was actually the group known as “Dark Power” that was responsible, not Volt Typhoon. It points to research from Trellix and ThreatMon, both private cybersecurity companies.

“U.S. intelligencemanipulated [sic] ThreatMon to modify their report related to the ransomware group ‘DarkPower,’” the report also alleges. It further states, “Apparently, U.S. intelligence have a guilty conscience and manipulate ThreatMon to falsifythe [sic] report under desperation.”

The report also states to have an “anonymous source” within ThreatMon that says the company had to “recall the previous version of the ‘Dark Power’ report and erase the IP list.”

“In fact, as stakeholders, it is very common that cybersecurity firms in U.S. manipulated by intelligence agencies. However, they met someresistance [sic] from ThreatMon. ‘Covering up’ the IP list with a ‘Dark’ back cover picture is agood [sic] metaphor. We must pay our respects to the honest person, and everyone reading this report should do it as well,” reads the report.

The report alleges that U.S. mainstream outlets have been not covered this “disinformation campaign,” while it has has been covered by Chinese state media such as Global Times, CGTN and Xinhua.

Lin Jian, China’s Ministry of Foreign Affairs spokesperson, mentioned the report during a press conference in Beijing, which the Zhang directed Check Your Fact to.

“Actually, back in April, relevant Chinese agencies revealed the scandal about the US framing China for being responsible for “Volt Typhoon” in order to advance the US’s geopolitical agenda. The latest report further revealed that this disinformation campaign is conceived by NSA, FBI and other members of the US intelligence community with the participation of congressional China hawks and multiple federal agencies as well as cybersecurity agencies from other Five Eye countries, and aimed to manipulate public opinion,” Jian said.

Richard Forno, the assistant director of the University of Maryland, Baltimore County’s Center for Cybersecurity, told Check Your Fact that the report “is poorly written, has a very reactionary & sensational tone, and its many grammatical errors make it hard to take seriously.

“That it was released on the same day that a clearly pejorative Global Times piece echoing the report’s conspiratorial sentiment came out leads me to question if this isn’t a coordinated disinformation attempt to shape domestic Chinese public opinion,” Forno said, referencing this Global Times article.

Dakota Cary, an analyst at the SentinelOne, said that the report was potentially “co-authored by the propagandists at Global Times,” according to The Record. Forno said, “More interestingly, the report (and GT article) seem to focus on Section 702 renewal being the reason Volt Typhoon was making news seems like a convenient red herring, [in my honest opinion.]”

Forno further said that “the report seems to only focus on Volt Typhoon over the past year and the current-day politics of S702 to justify their reactionary allegations.”

“That being said, it’s not beyond belief that major cyber incidents are used to justify legislation and/or regulatory changes (which does happen in the US and elsewhere) but that may well be simply the necessary ‘nugget of truth’ needed to add a degree of believability to the claims made in this report in the eyes of domestic readers in China,” Forno said.

Private Companies State Their Research Was Misrepresented 

John Fokker, Head of Threat Intelligence for Trellix, told Check Your Fact that the report’s use of Trellix’s research is “likely an effort from the Chinese government to manipulate public perceptions of China threats.”

“The report uses our blog to support a false conclusion that there is a connection between Dark Power and Volt Typhoon, which our research does not substantiate. This is likely an effort from the Chinese government to manipulate public perceptions of China threats,” Fokker said.

A spokesperson for ThreatMon told Check Your Fact in an email that the company “can confirm that no authorized ThreatMon personnel have provided information to this report.”

“Furthermore, we did not grant permission for our research to be used in this context,” the spokesperson said and provided a statement from Gökhan Yüceler, ThreatMon’s chief technology officer.

“Due to Dark Power’s inactivity over recent months, we lack additional data on their associated groups and IoCs. Nevertheless, it is evident that the recent report from China aims to misrepresent our research. The report claims a connection between Volt Typhoon and Dark Power based on our findings, a connection our research does not support. While shared IoCs can occur, drawing definitive conclusions from them is misleading,” the statement says.

“Moreover, the allegations that we are acting under pressure from the U.S. are entirely false and baseless,” Yüceler’s statement further reads.

These pushbacks were also covered by the Record. (RELATED: China Claims It Doesn’t Interfere In The Internal Affairs Of Other Countries)

CISA Pushback Against The Report, Experts Say Report Is Lacking

CISA executive director Brandon Wales told Check Your Fact that the agency stood by its findings, saying China’s claims were “outlandish.”

Despite outlandish claims from the Chinese government, we stand by the findings we published on February 7, which stem from our threat hunting and incident response support to multiple victims, as well as the collective partnerships we’ve built with industry, other government agencies, and international partners,” Wales said. 

Forno said that the “report reads like something from entry-level conspiracy theorists.”

John Price, the CEO of cybersecurity firm SubRosa, told Check Your Fact that the report’s claims “lacks evidence of a misinformation campaign or manipulation, not to say that it didn’t happen.”

Quentin Hodgson, a senior international and defense researcher at RAND, told Check Your Fact that the “report is another instance of Chinese deflection.”

“Whenever the United States points out malicious cyber activity coming from China, the first response from the Communist Party is to deny it, and to blame the United States for any cyber activity,” Hodgson said.

Hodgson referenced the joint advisory, which also included countries such as New Zealand and the United Kingdom, saying that “report asserts that the US recruited these governments and Microsoft to reinforce a conspiracy, which is far-fetched.”

Hodgson also addressed the “differences of analytic conclusions between the US government agencies and some cybersecurity firms like Mandiant.”

“It is not unusual for there to be different views because of the data available to intelligence agencies compared to those available to private sector companies. Also, there is often a lot of uncertainty especially when newer groups are identified because the levels of confidence to tie a set of actions to a group and then to a government will vary across different organizations. The fact that companies and the US come to slightly different conclusions is not surprising and does not mean that one or the other is per se wrong,” Hodgson said.

“The report lists a series of events that occurred in sequence, but none of that means they are related. Renewal of section 702 authority and emerging indicators of Chinese compromise of critical infrastructure occurred in roughly the same time period, but that does not mean one is a result of the other. That’s a basic logical flaw in their argument. If my car broke down shortly after I asked for a raise at work, it does not follow that my need for a raise caused my car to break down,” Hodgson continued.

Hodgson further argued that “the report is not persuasive at all” when it argued for a conspiracy from the U.S. intelligence community.

“It transitions to making the claim that the Volt Typhoon attribution to China is just a means to seek renewal of section 702 authority and is part of a general campaign against Chinese firms. But the report just makes assertions to that end with no evidence,” Hodgson said.

On the broader point of a connection between Dark Power and Volt Typhoon, Hodgson said,” That’s hard to judge based on the report.”

“The Chinese report claims they found IP addresses hidden under the back cover of a cybersecurity firm’s report about Dark Power which are the same as those associated with Volt Typhoon. A revised edition of the report no longer has those IP addresses hidden behind the back cover. I can’t independently verify that, and there could be other reasons why that happened (e.g., re-using a file template that had old information in it),” Hodgson said.

Price said that he hasn’t “seen evidence of the link between” Dark Power and Volt Typhoon but warned “that’s not to say that there couldn’t be a connection between the two.”

The Record reported that the CVERC “report misrepresents the vocabulary of intelligence analysis to claim there are disagreements between intelligence assessments made by CISA and private sector cybersecurity companies about activities linked to this hacking group.”

Price further said reports like this one should be done with “critical analysis.”

“The wider impact of it could be, whether they’re or true or not, of geopolitical cybersecurity issues and the relationship between U.S, and China is not always great. Approaching reports should be done with critical analysis and thinking the importance of looking at sources, potential political biases and making sure the evidence is cross-verified to make sure allegations like this are validated,” Price said. 

Embassy Does Not Answer Questions About Pushback

Check Your Fact asked the embassy about the pushback from Trellix and ThreatMon. Zhang referred Check Your Fact to Jian’s comment and an earlier report from the CVERC. After Check Your Fact asked again, this time specifically about ThreatMon’s disputation, the embassy representative said they did not have any more comments.

“I think we don’t have any more comments on it. If you quote our comments, please tell me,” Zhang said.

Check Your Fact has reached out to the Office of the Director of National Intelligence, the House Select Committee on the Chinese Communist Party, the National Security Agency and Mandiant for comment.

Facebook
Twitter
LinkedIn
Telegram
Tumblr