
Investigation announced: The United States is purely framing China

Author: Anqiu Condensation

According to the CCTV news client, on the morning of April 15 China's National Computer Virus Emergency Response Center released a report titled "Volt Typhoon: U.S. Intelligence Agencies' Conspiracy and Fraud Against the U.S. Congress and Taxpayers". The report describes what it calls a huge scandal: U.S. intelligence agencies using the unsubstantiated pretext of a so-called "Chinese cyber attack threat" to smear China without restraint, in exchange for U.S. government funding.

On February 1 this year, the U.S. House of Representatives held a hearing on the so-called "Chinese cyber attack threat". The hearing focused mainly on the "Volt Typhoon" hacker group disclosed by Microsoft Corporation in May 2023. Microsoft claimed that the group "has a background of Chinese government support", said it had launched cyber attacks on critical infrastructure in the United States and was attempting further sabotage, and described it as a serious threat to U.S. national security. In response to this accusation, China's joint investigation technical team conducted a traceability analysis and found that the accusations lacked evidence and were fabricated to suppress China's external image and development.

Du Zhenhua, Senior Engineer of the National Computer Virus Emergency Response Center: The name of the Volt Typhoon organization comes from Microsoft, which has its own naming system for so-called hacker groups with state backing. The suffix "Typhoon" is the label Microsoft gives to the so-called hacking groups it claims have a Chinese state-backed background.

It is understood that on May 24, 2023, Microsoft released a technical analysis report titled "Volt Typhoon Group Uses Evasion Detection Technology to Launch Attacks on U.S. Critical Infrastructure", claiming that the "Volt Typhoon" hacker group "has a background of Chinese government support". In response to the allegations in that report, China's National Computer Virus Emergency Response Center and 360 Digital Security Group immediately set up a technical team to investigate, and produced a "Volt Typhoon" traceability report.

Du Zhenhua, Senior Engineer of the National Computer Virus Emergency Response Center: Microsoft attached a lot of so-called indicators of compromise to the report, and these indicators are actually hash values. A hash can be thought of as the encoding and unique number of a malicious program. Searching a public platform for the hash values of these malicious programs, we finally found five IP addresses with the highest concentration of associated samples. These five IP addresses are also related to many security incidents. One of these security incidents is called Dark Power, a so-called ransomware gang, and there is an analysis report on it. Who made this analysis report? It is ThreatMon in the United States, also known as Threat Alliance.

The joint investigation technical team found that the "Research Report on the 'Dark Power' Ransomware Gang", released by the American Threat Alliance on April 11, 2023, showed that the technical characteristics of the above-mentioned malware sample were similar to those of a malicious program named "Dark Power". That ransomware cybercrime gang was first detected in January 2023, and in March 2023 alone at least 10 organizations around the world were attacked and extorted, in countries including Algeria, Egypt, the Czech Republic, Turkey, Israel, Peru, France and the United States.

Bian Liang, cybersecurity expert of 360 Digital Security Group: In addition to the analysis of IP addresses, we also analyzed the malicious samples mentioned in the report. They mainly used fileless attacks: unlike traditional viruses and Trojans, the attack payload does not need to be written to disk, the malicious code is executed in memory, and it disappears after a restart or shutdown. The only function of the samples is to encrypt the user's documents and extort a ransom, so we believe that these samples and the corresponding IP addresses point to ransomware criminal gangs.

After tracing and analyzing the origins, the joint investigation technical team concluded that the virus programs mentioned in the reports of Microsoft and the "Five Eyes" alliance countries do not show clear characteristics of hacker groups with national backgrounds, but are more obviously related to ransomware cybercrime gangs. Microsoft and the "Five Eyes" countries relied only on vague attribution factors, namely the victim organizations and the attacker's techniques and tactics, to label "Volt Typhoon" a so-called "Chinese government-backed hacker group". The team called this very imprecise and unprofessional, and said there must be a deeper reason behind it.

The attribution of cyber attacks is an international problem that needs to be managed in a coordinated manner

According to cybersecurity experts, different security companies in the United States also hold different views on the attribution of the "Volt Typhoon" organization: some vendors believe it is a botnet, some believe it is an APT (state-backed hacker) organization, and some believe it is a ransomware criminal gang. Attribution of cyber attacks has always been an international problem. The U.S. government, however, has used attribution of cyber attacks to other countries to portray itself as a so-called "victim", to win the support of international public opinion, and at the same time to use attribution as a political bargaining chip to pressure other countries in international disputes and seek excess benefits.

According to cybersecurity experts, attribution of hacker groups is a complex process. Attackers hide their true identities and locations through a variety of means, such as using virtual private networks (VPNs), jump servers, and hijacked infected computers as relay points from which to launch attacks, all of which make it extremely difficult to trace the original source of an attack.

Bian Liang, cybersecurity expert of 360 Digital Security Group: Another challenge is that attackers may deliberately leave misleading clues. They may use other countries' languages, symbols and timestamps, or disguise their behavior as the specific patterns of other hacking groups, to mislead investigators. So the attribution of APT (state-backed hacking) groups is usually based on the collection of a large amount of data and a weighing of its likelihood; attribution usually only reaches a certain level of confidence, and absolute certainty is very difficult to achieve.

The report on the U.S. PRISM incident mentions that the NSA invades and infiltrates foreign assets, uses man-in-the-middle hijacking techniques and steals other countries' tools in order to interfere; the CIA report mentions evading hostile foreign intelligence organizations, law enforcement, incident response and reverse engineering through interference; and the security architecture design of the Canadian Communications Agency, a "Five Eyes Alliance" member, mentions using deception techniques and false flag operations to create instability, change adversary perceptions and blame other countries for the interference. So the attribution of APTs is usually based on weighing the likelihood of the evidence, rather than on absolute black and white.
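The two technical points above, pivoting from the hash IoCs attached to a report to the IP addresses they share (Du Zhenhua's description) and weighing attribution indicators as a confidence level rather than a verdict (Bian Liang's description), can be shown together in a small script. The Python below is an added example and is not part of the CVERC/360 report or this article; every hash, IP address, incident label and indicator weight in it is a constructed placeholder, and the weights are an assumed illustration of why cheaply planted clues such as language strings or timestamps should count for little.

```python
"""
Added example (not from the CVERC/360 report or the article): pivot a set of
report hashes to the IP addresses they were seen contacting, rank those IPs by
how many distinct report samples share them, compare the overlap with other
incident labels, and turn observed attribution indicators into a weighted
confidence band rather than a yes/no verdict.

All hashes, IPs, incident labels and weights below are constructed placeholders.
"""
from collections import Counter

# Constructed: sample identifiers standing in for the hash IoCs attached to a report.
REPORT_HASHES = {"sample-01", "sample-02", "sample-03", "sample-04"}

# Constructed sightings: (sample hash, IP the sample contacted, incident label the
# platform already attached to that sighting). 198.51.100.0/24 and 203.0.113.0/24
# are RFC 5737 documentation ranges, so nothing here points at real infrastructure.
SIGHTINGS = [
    ("sample-01", "198.51.100.10", "ransomware-campaign-X"),
    ("sample-02", "198.51.100.10", "ransomware-campaign-X"),
    ("sample-03", "198.51.100.10", "unlabeled"),
    ("sample-01", "198.51.100.11", "ransomware-campaign-X"),
    ("sample-04", "198.51.100.12", "unlabeled"),
    ("sample-02", "203.0.113.5", "ransomware-campaign-X"),
    ("sample-03", "203.0.113.5", "ransomware-campaign-X"),
    ("sample-09", "203.0.113.7", "other-incident"),  # not in the report: ignored
]


def pivot_hashes_to_ips(hashes, sightings):
    """Map each IP to the set of distinct report hashes seen contacting it."""
    ip_to_hashes = {}
    for sample, ip, _label in sightings:
        if sample in hashes:
            ip_to_hashes.setdefault(ip, set()).add(sample)
    return ip_to_hashes


def rank_ips(ip_to_hashes, n=5):
    """IPs with the highest concentration of report samples, most shared first."""
    counts = Counter({ip: len(samples) for ip, samples in ip_to_hashes.items()})
    return counts.most_common(n)


def incident_overlap(hashes, sightings):
    """How many distinct report hashes are already tied to each incident label."""
    label_to_hashes = {}
    for sample, _ip, label in sightings:
        if sample in hashes:
            label_to_hashes.setdefault(label, set()).add(sample)
    return {label: len(samples) for label, samples in label_to_hashes.items()}


# Assumed indicator weights for the example. Indicators an attacker can plant
# cheaply (language strings, working-hour timestamps) carry little weight.
INDICATOR_WEIGHTS = {
    "shared_c2_infrastructure": 0.35,
    "unique_tooling": 0.30,
    "victimology": 0.15,
    "ttp_overlap": 0.10,
    "language_strings": 0.05,
    "working_hours_timestamps": 0.05,
}


def attribution_confidence(observed):
    """Sum the weights of the observed indicators and map the total to a band."""
    score = round(sum(w for name, w in INDICATOR_WEIGHTS.items() if observed.get(name)), 2)
    if score >= 0.75:
        band = "high"
    elif score >= 0.5:
        band = "moderate"
    else:
        band = "low"
    return score, band


if __name__ == "__main__":
    pivot = pivot_hashes_to_ips(REPORT_HASHES, SIGHTINGS)
    print("Top IPs by sample concentration:", rank_ips(pivot))
    print("Overlap with labelled incidents:", incident_overlap(REPORT_HASHES, SIGHTINGS))
    # Only cheaply planted clues observed: stays in the low band.
    print("Deception-prone indicators only:",
          attribution_confidence({"language_strings": True,
                                  "working_hours_timestamps": True}))
    # Shared infrastructure plus TTP overlap: moderate at best, never certainty.
    print("Infrastructure plus TTP overlap:",
          attribution_confidence({"shared_c2_infrastructure": True, "ttp_overlap": True,
                                  "language_strings": True,
                                  "working_hours_timestamps": True}))
```

The pivot step is what turns a list of hashes into "the five IP addresses with the highest concentration of samples"; the overlap step shows how the same hashes can already be tied to a ransomware label on the platform. The scoring step makes the confidence band, not the label, the output, which is the point Bian Liang makes about attribution being a weighing of likelihood rather than a black-and-white answer.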

In recent years, China's public security organs have uncovered cyber attacks by the US National Security Agency and the CIA on many institutions such as Northwestern Polytechnical University and Wuhan Earthquake Monitoring Center, showing that the United States is the real "hacker empire" and "secret theft empire".

Du Zhenhua, Senior Engineer of the National Computer Virus Emergency Response Center: The NSA (National Security Agency) and the CIA (Central Intelligence Agency) in the United States have suffered many cyber weapon leaks, which has led to the current situation of ever-increasing attack capabilities in cyberspace. As a result, many cybercriminal gangs actually have strong attack capabilities.

According to cybersecurity experts, cyber attacks today are mainly cross-border crimes. Countries need to strengthen cooperation under the framework of Interpol, share intelligence, govern cybercrime collaboratively and confront cybersecurity threats together, rather than a few countries forming small circles.

Interview with the Cyber Affairs Coordinator of the Ministry of Foreign Affairs

In response to the report released by the National Computer Virus Emergency Response Center, CCTV reporters interviewed Wang Lei, Cyber Affairs Coordinator of the Ministry of Foreign Affairs. Wang Lei said that the report exposes a huge scandal: as long as China is smeared without restraint, the smearing can be exchanged for U.S. government funding.

According to the traceability report, the date of January 31, 2024 is critical. Under U.S. law, the president must submit a budget request for the federal government for the next fiscal year by the first Monday of February each year, which in 2024 was February 5. In the fiscal year 2025 budget request released by the Biden administration on March 11, 2024, the overall cybersecurity budget of the U.S. federal government and the cybersecurity budgets of the related intelligence agencies were significantly increased. The report therefore concludes that "Volt Typhoon" is a conspiracy by U.S. intelligence agencies and anti-China politicians against the U.S. Congress and taxpayers: on the one hand, manipulating Microsoft and other cybersecurity companies into following the narrative and making false claims, and on the other hand, using their executive power to hype up the "threat of China's cyber attacks" and deceive the U.S. Congress into increasing the cybersecurity budget.

Wang Lei, Cyber Affairs Coordinator of the Ministry of Foreign Affairs: Senior U.S. officials have vowed that Chinese-backed hacking groups carried out cyberattacks on Guam's critical infrastructure. In response to this allegation, the report reveals an important truth and draws important conclusions: the true face of this so-called "Volt Typhoon" is an international ransomware group. The collusion of U.S. cybersecurity agencies and enterprises in corruption and in framing China has not only brought them departmental and economic benefits, but has also added irrational factors to U.S. relations with China.

Wang Lei stressed that cyber security has always been an important and special issue in China-US relations.

Wang Lei, Cyber Affairs Coordinator of the Ministry of Foreign Affairs: The whole world wonders why the United States, the largest "Matrix Empire", hypes up the "China hacker threat theory" every so often. The report released today provides an important basis and reference for unravelling the truth of the matter. What is even more concerning is that during the hype over "Volt Typhoon", the U.S. for the first time linked cyber security to the situation in the Taiwan Strait. Our position is very clear: we oppose the U.S. using the cyber security issue to interfere in China's internal affairs, and we will remain vigilant against the real intention of the U.S. to create issues first and then exploit them. On the Taiwan issue, playing any card is in vain.

Wang Lei said that the protection of critical infrastructure is a common concern of all countries, and maintaining peace and stability in cyberspace is in the common interests of China, the United States and other countries around the world.

Wang Lei, Cyber Affairs Coordinator of the Ministry of Foreign Affairs: As a major country, we hope that the U.S. side will adopt a more serious and responsible attitude, not overestimate its "strength" in arbitrarily and unilaterally formulating rules, and still less underestimate China's determination to maintain China-U.S. cyber relations on an equal footing.

Source: CCTV news client
