China Accuses U.S. of Fabricating Volt Typhoon to Hide Its Own Hacking Campaigns

The Hacker News

China’s National Computer Virus Emergency Response Center (CVERC) has doubled down on claims that the threat actor known as the Volt Typhoon is a fabrication of the U.S. and its allies.

The agency, in collaboration with the National Engineering Laboratory for Computer Virus Prevention Technology, went on to accuse the U.S. federal government, intelligence agencies, and Five Eyes countries of conducting cyber espionage activities against China, France, Germany, Japan, and internet users globally.

It also said there’s “ironclad evidence” indicating that the U.S. carries out false flag operations in an attempt to conceal its own malicious cyber attacks, adding it’s inventing the “so-called danger of Chinese cyber attacks” and that it has established a “large-scale global internet surveillance network.”

“And the fact that the U.S. adopted supply chain attacks, implanted backdoors in internet products and ‘pre-positioned’ has completely debunked the Volt Typhoon – a political farce written, directed, and acted by the U.S. federal government,” it said.

“The U.S. military base in Guam has not been a victim of the Volt Typhoon cyber attacks at all, but the initiator of a large number of cyberattacks against China and many Southeast Asian countries and the backhaul center of stolen data.”

It’s worth noting that a previous report published by CVERC in July characterized the Volt Typhoon as a misinformation campaign orchestrated by the U.S. intelligence agencies.

Volt Typhoon is the moniker assigned to a China-nexus cyber espionage group believed to have been active since 2019. It stealthily embeds itself in critical infrastructure networks by compromising edge devices such as routers, firewalls, and VPN appliances and routing its traffic through them, so that its activity blends in with legitimate traffic and flies under the radar.

As recently as late August 2024, it was linked to the zero-day exploitation of a high-severity security flaw in Versa Director (CVE-2024-39717, CVSS score: 6.6) to deliver a web shell named VersaMem, which was used to harvest credentials and run arbitrary code.

The use of edge devices by China-linked intrusion sets has become something of a pattern in recent years, with some campaigns leveraging them as Operational Relay Boxes (ORBs) to evade detection.

This is substantiated by a recent report from French cybersecurity company Sekoia, which attributed a wide-ranging attack campaign to threat actors likely of Chinese origin. The campaign infects edge devices such as routers and cameras with backdoors including GobRAT and Bulbature, which are then used for follow-on attacks against targets of interest.

“Bulbature, an implant that was not yet documented in open source, seems to be only used to transform the compromised edge device into an ORB to relay attacks against final victims networks,” the researchers said.

“This architecture, consisting of compromised edge devices acting as ORBs, allows an operator to carry out offensive cyber operations around the world near the final targets and hide its location by creating on-demand proxy tunnels.”

In the latest 59-page document, Chinese authorities said more than 50 security experts from the U.S., Europe, and Asia reached out to the CVERC, expressing concerns related to “the U.S. false narrative” about Volt Typhoon and the lack of evidence linking the threat actor to China.

The CVERC, however, did not name those experts, nor the reasons they gave in support of its hypothesis. It further went on to state that U.S. intelligence agencies created a stealthy toolkit dubbed Marble no later than 2015 with the intent of confusing attribution efforts.

“The toolkit is a tool framework that can be integrated with other cyber weapon development projects to assist cyber weapon developers in obfuscating various identifiable features in program code, effectively ‘erasing’ the ‘fingerprints’ of cyber weapon developers,” it said.

“What’s more, the framework has a more ‘shameless’ function to insert strings in other languages, such as Chinese, Russian, Korean, Persian, and Arabic, which is obviously intended to mislead investigators and frame China, Russia, North Korea, Iran, and Arab countries.”

The report further takes the opportunity to accuse the U.S. of relying on its “innate technological advantages and geological advantages in the construction of the internet” to control fiber optic cables across the Atlantic and the Pacific and using them for “indiscriminate monitoring” of internet users worldwide.

It also alleged that companies like Microsoft and CrowdStrike have resorted to giving “absurd” monikers with “obvious geopolitical overtones” for threat activity groups with names like “typhoon,” “panda,” and “dragon.”

“Again, we would like to call for extensive international collaboration in this field,” it concluded. “Moreover, cybersecurity companies and research institutions should focus on counter-cyber threat technology research and better products and services for users.”
