The United States government and intelligence agencies carried out a false flag operation for misleading and insulting other countries and planted backdoor malware into U.S.-made IT devices to penetrate the network infrastructure of other countries, according to an investigation report released by Chinese cybersecurity agencies on Monday.

"We decided to publish this report for the purpose of further disclosure of the cyber espionage operations targeting China, Germany and other countries, which were launched by the U.S. government, intelligence agencies and Five Eyes countries," reads the report jointly released by China's National Computer Virus Emergency Response Center and the National Engineering Laboratory for Computer Virus Prevention Technology.

Titled "Volt Typhoon III: A Cyber Espionage and Disinformation Campaign Conducted by U.S. Government Agencies," the third report on the issue slams operation "Volt Typhoon" as a political farce staged by the U.S. government. It says that the U.S. government agencies, mainstream media and technology giant Microsoft have remained silent about the previous two reports released in April and July, and only former U.S. intelligence official Robert Edward Joyce and some cybersecurity firms have tried to argue and deny the findings, but avoided mentioning what was disclosed in them in an attempt to "distort facts."

In February, a joint advisory by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) described "Volt Typhoon" as a Chinese state-sponsored actor that has allegedly compromised and maintains persistent access to critical U.S. infrastructure. On its official website, Microsoft claimed "Volt Typhoon" has been active since mid-2021 and typically focuses on espionage and information gathering.

According to Chinese cybersecurity agencies, over 50 cyber security experts from the U.S., Europe, Asia and other countries and regions agree that the U.S. government and Microsoft have linked "Volt Typhoon" to the Chinese government without any concrete evidence, also expressing concern about the U.S. government's fabrication of "Volt Typhoon."

The cyber chameleon

The report explains how the U.S. maintains a "Defend Forward" strategy in cyberspace and has implemented "Hunt Forward" operations for deploying cyber-warfare forces surrounding adversary countries to conduct close-in reconnaissance and network penetration.

The investigation found that U.S. intelligence agencies have developed a customized stealth "toolkit" codenamed "Marble" to cover up their Computer Network Exploitation (CNE) operation, mislead attribution analysis and place blame on other countries.

The report argues that the "toolkit" is a framework that can be integrated with other cyber weapons development projects, assisting developers to obfuscate various identifiable strings in program code, effectively "erasing" the "fingerprints" of cyber weapons developers, which is similar to changing the "rifling" of "firearms," making it technically impossible to attribute the true source of cyber weapons technically.

In addition, the investigation found the "Marble" framework also has a "dirty" feature, which is the ability to insert strings in other languages at will, such as Chinese, Russian, Korean, Persian and Arabic. "This is clearly intended to mislead investigators and defame China, Russia, North Korea, Iran and Arab countries," the report adds.

This kind of false flag operation is not limited to coding, but also includes imitating the tactics, techniques and procedures (TTPs) of cybercrime groups. Therefore, hackers working for U.S. cyber forces and intelligence agencies can disguise themselves like "chameleons" in cyberspace, pretending to be located in other countries to carry out cyberattacks and espionage around the world.

The false flag operation is actually an important component of the U.S. intelligence agency's "EFFECTS Operation," known as the "Online Covert Action" in the United Kingdom. The internal documents of the U.S. and "Five Eyes Alliance" clearly indicate that the implementation of this "EFFECTS Operation" must adhere to the "4D principle" – deny, disrupt, degrade and deceive. And these four main principles precisely cover all the core elements of the "Volt Typhoon" operation.

The cyber peeper

In its second edition, published in July, the report by Chinese cybersecurity agencies had disclosed that U.S. government agencies – and intelligence agencies in particular – have been fabricating cyber threats abroad, conducting misinformation operations in the context of Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA), often referred to as the "warrantless surveillance act." The latest report provides new details on the surveillance programs.

It suggests that advanced U.S. internet infrastructure has controlled key internet "choke points" and there are at least seven access sites for tapping and with coverage of all submarine optical cables from the Atlantic to the Pacific Oceans.

The NSA has launched two relevant projects, "UpStream" and "Prism." "UpStream" was designed to store all raw data intercepted from submarine optical cables and to build a huge "data reservoir" for subsequent processing. "Prism" would decode the data and categorize them by many different internet applications, then try to recover the content of communications.

Both projects were authorized by Section 702 of FISA, which has provided the legal basis for spying on the internet globally, according to the latest report, which also notes that many of the spyware programs' command and control centers are located in U.S. overseas military bases, including Japan, South Korea, Guam and Hawaii.

That explains why Guam, a U.S.-controlled territory in the Pacific Ocean, is believed to be the original source of the "Volt Typhoon" false narrative created by the U.S. government. So, the U.S. military infrastructure in Guam is not a "victim" but the command and control center that attacks China and many Southeast Asian countries.

Through the authorization of Section 702, the U.S. has established a large-scale global internet surveillance network, extending operations against France, Germany, Japan and even its own citizens involved in "Black Lives Matter" and "Occupy Wall Street" protests.

The hidden truth

Previous two reports by Chinese cybersecurity agencies on "Volt Typhoon" said that Microsoft increased its cooperation with the U.S. military and intelligence agencies, and that cooperation has intensified in 2024.

The U.S. technology giant provided offline versions of its artificial intelligence models and assistance to U.S. intelligence agencies, where they were used to help analyze highly classified intelligence information, according to Bloomberg's report on May 7.

The same month, Microsoft released a new AI solution and introduced the "Recall" feature, which allows the Windows operating system to record every action taken by the user and provide it to the AI assistant for learning. In June, OpenAI, a company partnered with Microsoft, welcomed former NSA Director Paul Nakasone as a member of its board of directors.

"As an important partner in the Section 702 wiretap programs, Microsoft is increasingly influenced and manipulated by U.S. intelligence agencies," the latest report says. "In return, it could be said that the U.S. government agencies have given the green light to Microsoft's abuse of its dominant position in the market and its use of Windows and Office updates to bundle and push software products in a way that could be perceived as a disguised form of monopoly."

The report also reiterates that China has consistently opposed the political interference in technical investigations into cybersecurity incidents and the politicizing of the issue of cyberattack attribution, urging extensive international collaboration in cybersecurity.

The report also revisits the former two editions: "Volt Typhoon: A Conspiratorial Swindling Campaign Targeting U.S. Congress and Taxpayers Conducted by U.S. Intelligence Community" and "Volt Typhoon II: A Secret Disinformation Campaign Targeting U.S. Congress and Taxpayers Conducted by U.S. Government Agencies," concluding that Washington's narrative about the campaign was designed to protect the warrant-less snooping powers on massive surveillance globally, and the political and economic benefits of the group of stakeholders.

For more: https://www.cverc.org.cn/head/zhaiyao/futetaifeng3_EN.pdf

(Cover from VT report)