Volt Typhoon III report exposes US cyber forces operations

Hackers from United States cyber forces and intelligence agencies disguise themselves like "chameleons" in cyberspace by posing as other countries to conduct global cyberattacks and espionage operations, while also pouring dirty water on non-US allies like China, an investigative report published on Monday said.

According to the report Volt Typhoon III: A Cyber Espionage and Disinformation Campaign conducted by US Government Agencies, evidence has shown that "Volt Typhoon", which US politicians, intelligence communities and companies claimed to be a China-sponsored hacking organization, had launched a series of operations targeting networks across critical US infrastructure sectors, as just one of many operations initiated by the US intelligence agency.

The report was jointly published by the National Computer Virus Emergency Response Center and the National Engineering Laboratory for Computer Virus Prevention Technology.

Also, according to the top-secret files of the National Security Agency, the US has for long been taking advantage of its well-developed information and communication technology industry to construct internet infrastructures to control the "Choke Points" of the internet.

There are at least seven access sites for tapping with coverage over all submarine optical cables spanning from the Atlantic to the Pacific. All these access sites are operated by NSA, the Federal Bureau of Investigation and the National Cyber Security Centre from the United Kingdom. Each information packet intercepted through the access sites are thoroughly inspected indiscriminately, the report said.

Furthermore, the NSA will directly use the "supply chain" attack method, which capitalizes on the advantages of the advanced US information and communication technology industry and products, against a variety of high-valued targets of other countries that have high levels of protection and are challenging to penetrate in cyberspace.

With the cooperation of large internet enterprises or equipment suppliers in the US, NSA is able to intercept the US-made network products purchased by its targets. The products will then be unpacked and implanted with backdoor malware before repackaging and shipping to the various targets.

The method is usually used in attack operations against other countries' telecom and network operators. When NSA gets control of the target telecom network operator's system, they will be able to monitor the target's cellphone communication content. In the attack against the Northwestern Polytechnical University, the relevant internet service provider located in China was compromised by NSA with the "supply chain" attack method. As a result, the telephone calls and internet activities of the victims were tracked by NSA in real time.

NSA used the term "pre-position" when introducing the method in top secret documents, which specifically refers to the implant "backdoor" in IT products used by the targets, which is activated through NSA's subsequent operations. Ironically, the term "pre-position" was also used by US government agencies to describe the tactics used by so-called "Volt Typhoon" groups which carried out cyberattacks on critical US infrastructure in places like Guam. The question surrounding "pre-position" in critical infrastructure worldwide is quite clear.

Previously on April 15 and July 8, the two institutions published two investigative reports on "Volt Typhoon", which launched a series of operations affecting networks across critical US infrastructure sectors.

The reports stated that analysis by Chinese technical teams showed that many of the IP addresses used by "Volt Typhoon" to launch the attacks were previously used by a ransomware group named "Dark Power", which had no country and sectoral connection. And the US government agencies orchestrated and hyped up the "Volt Typhoon" cyberthreat narrative to secure additional funding from the US Congress and to bolster the cyber-infiltration capabilities of US intelligence agencies.

The allegation originated from a joint advisory by the cybersecurity authorities of the US and its "Five Eyes" allies — the United Kingdom, Australia, Canada and New Zealand. With the advisory issued based on information released by US tech company Microsoft, which has failed to provide a detailed analytical process for source tracing of the cyberattacks from "Volt Typhoon".

Click here to read the full text of the report