China Sort of Admits to Being Behind Volt Typhoon

The Wall Street Journal has the story:

Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate.

The Chinese delegation linked years of intrusions into computer networks at U.S. ports, water utilities, airports and other targets, to increasing U.S. policy support for Taiwan, the people, who declined to be named, said.

The admission wasn’t explicit:

The Chinese official’s remarks at the December meeting were indirect and somewhat ambiguous, but most of the American delegation in the room interpreted it as a tacit admission and a warning to the U.S. about Taiwan, a former U.S. official familiar with the meeting said.

No surprise.

Posted on April 14, 2025 at 7:08 AM • 24 Comments

Comments

Clive Robinson April 14, 2025 1:07 PM

@ ALL,

When I read,

“Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter…”

A question arises in my mind.

“For whom do these ‘Chinese officials’ actually work?”

That is,

1, The Chinese Citizens?
2, The National Government?
3, The Chinese Communist party?
4, A local regional Government?
5, A Chinese economic interest?

I know this might appear an odd question to ask, and some might say “what the heck who cares?”

But bearing in mind what is happening in several other regions of the world currently it’s rather more pertinent than many might think.

People need to remember that at one point even the US Government said it was considering kinetic responses to what it called Nation State Cyber attacks.

Thus knowing

A, That it’s going on.
B, Where it appears to originate from.

Is not sufficient.

A lesson was proposed by Ex-NSA Chief General Michael Hayden’s 2014 statement of,

“We Kill People Based on Metadata”

It was an implicit admission that Western Nations do exactly what we accuse other Nations of for “political point scoring”.

Thus the question arises from it,

“What have we learned in the decade since about the morality of what some people do in the name of XXX?”

Then the next question which we all know was behind 9/11, 7/7, and many other attacks on the West,

“What response do we really expect and what mitigations do we have available that might be effective to protect National Citizens both at home and abroad?”

TimH April 14, 2025 1:19 PM

“People need to remember that at one point even the US Government said it was considering kinetic responses to what it called Nation State Cyber attacks.”

Pot meet kettle. Stuxnet, anyone?

lurker April 14, 2025 2:33 PM

‘Distortion of facts’: Chinese FM refutes report claiming Beijing behind cyberattacks on US for its support to Taiwan island [1]

He said – she said

Whoever it was from @Clive’s list of possible suspects behind this “leak”, the precise words to use will have been carefully rehearsed, and the particular agent won’t be seen again.

[1] ‘https://www.globaltimes.cn/page/202504/1331927.shtml

Clive Robinson April 14, 2025 2:50 PM

@ TimH,

With regards,

“Pot meet kettle. Stuxnet, anyone?”

It did not turn out so well…

I have good reason to remember it very well. Because I was one of the very few people who worked out who the real target was and why and was happy to say so publicly.

I did this even before the NOKs who likewise worked it out took the action that humiliated certain US Politicians.

Then months later an “unnamed source” let out what the USG had been doing and how it had been caught effectively flat footed.

An admission that surprised me more than the fact the stuxnet mission had had the sign off from the highest in at least two countries.

As we subsequently found out the Iranian Government Agencies not only worked out who had done it, they also had found “Agents working for the CIA” due to poor CIA “OpSec”. They passed this on to the Chinese who did a round up and execution party of the CIA agents they found in China.

Now was it retribution?

Who knows but the loss of those agents certainly hurt the CIA badly.

Bob April 14, 2025 4:43 PM

Good thing we’re keeping our allies so close and giving them every reason to continue trusting us with intelligence.

BW April 15, 2025 10:07 AM

China Sort of Admits?

Or U.S. Media Sort of Writes to Blame China?

“Chinese officials acknowledged in a secret December meeting” … “according to people familiar with the matter” … “the people, who declined to be named, said.”

“The admission wasn’t explicit”

So there was supposedly a secret meeting where this or that was said. Say people who declined to be named.

Truly convincing.

lurker April 15, 2025 1:54 PM

@BW

You missed that the “secret meeting” was reportedly held in Geneva, hot-bed of spies.

With the WSJ demanding .js ON, adblocker OFF, and ca$h upfront, one wonders if this is a diversion from all the other excitement coming from Pennsylvania Ave.

ResearcherZero April 15, 2025 10:47 PM

@Clive Robinson, ALL

“What response do we really expect and what mitigations do we have available that might be effective to protect National Citizens both at home and abroad?”

There are some options, but how effective any of them might be depends on how receptive the executive leadership is or if they then authorize any further investigation or response.

They might be more preoccupied with matters closer to home. Their homes. Not your homes. If they decide that whatever information is not of significant enough concern and it later becomes apparent that it is, denials of any foreknowledge or briefing will be issued in a fashion that provides very wide latitude to escape being pinned down on what exactly they are denying.

If the denial becomes too difficult, a ‘scapegoat’ will be kicked out in front of the press pool to shift the focus from the issue itself – onto the hind-quarters of the scapegoat. Preferably the ‘scapegoat’ should be adorned in military fatigues or camouflage.

If this was looking to become a regular fixture, eliminating the wire service from the press pool at the “White House” and filling the slot with inexperienced “influencers”, will ensure that no unexpected questions are asked by the wide-eyed noobs – nor any uncomfortable details and statements recorded in perpetuity. No facts will be pinned down.

It might be that the United States has lost its rudder and is floating on the high seas, and wouldn’t it be uncomfortable to be asked if the bridge was manned by incompetent fools?

‘https://www.military.com/daily-news/2025/04/11/nsa-cybercom-firings-stir-worries-over-how-seriously-trump-administration-takes-cybersecurity.html

The law which makes foreign bribery a crime has been paused.
https://thedispatch.com/article/trump-white-collar-crime-fcpa-border-corruption/

Adversaries have noticed the ship is listing and are now taking aim.
https://www.npr.org/2025/04/15/nx-s1-5355896/doge-nlrb-elon-musk-spacex-security

ResearcherZero April 15, 2025 11:03 PM

@Clive

If I was to make an educated guess, I would assume that most politicians live either up on a hill or well out of the way of any designated flood zones. It is likely that they also do not live in a valley below a large body of water, rather in a position with a commanding view of all those down below – including any lakes or dams – in line with the asking price.

And if not, I assume they can afford to move if necessary or cover any losses.

Some 4,000 dams require monitoring and remediation work to reduce risk of flooding.

‘https://www.insurancejournal.com/news/national/2025/03/18/815920.htm

The Grid Deployment Office, which manages U.S. power grid issues, hit with large cuts.

(including hydroelectricity)
https://www.latitudemedia.com/news/the-end-of-doe-as-we-know-it/

Many projects to protect communities from flooding have had the funding revoked.
https://www.lohud.com/story/news/2025/04/14/how-fema-funding-cuts-could-endanger-westchester-ny-dam-fixes-meant-to-decrease-flood-risk/83045828007/

America’s future now looks much more precarious and dangerous.
https://abcnews.go.com/US/impacts-scientists-fear-epa-deregulation/story?id=119983525.

ResearcherZero April 15, 2025 11:40 PM

With the people who would normally manage the contracts and the security of government departments now largely gone, how anyone would go about investigating an intrusion or ensure the security of vital systems is called into question.

From the fallout of the ‘Houthi PC small group’, it is plain to see that even when there is an inquiry into what took place, a large chunk of any evidence has vanished from the public record. While the processes that protect critical systems are being dismantled.

‘https://www.nytimes.com/2025/04/15/us/politics/cia-director-leaked-chat.html

The risks to private sensitive data and national security continue to grow as a result.
https://www.wired.com/story/department-health-human-services-possible-collapse/

An absolutely enormous amount of private personal information can now be accessed about you with few checks or balances – amid a large reduction of the security normally in place:

https://gizmodo.com/heres-all-of-the-data-that-elon-musks-doge-may-have-on-you-and-your-family-2000587154

Clive Robinson April 16, 2025 2:45 AM

@ ResearcherZero, ALL,

With regards what Hellon Rusk has about citizens via his DOGiE Mutts, just remember he got it by “Smash and Grab” tactics.

But also the citizens who should be concerned are not just US citizens who might have “standing” should it ever get to court, but those citizens who will be denied any standing thus right of redress.

Those that are denied standing will include citizens of other Nations (of which both you and I are)…

Consider in the UK case, the then Prime Minister and US born tax avoider Boris “the menace” Johnson, sold the most intimate and private records of all UK citizens to the US company Palantir,

https://en.m.wikipedia.org/wiki/Palantir_Technologies

Which is owned in a curious way by Peter Thiel, who we know has a very strange mental outlook at best. He has sold access to these UK private records to some of the same “US Agencies” that are now getting “ram raided” by Hellon Rusk’s DOGiE Mutts. Already famed for their,

“Proceed with negligence”

attitudes, inspired by their chain saw wielding leader’s exhortation,

“To move fast and break things”

https://www.politico.com/news/magazine/2024/12/24/elon-musk-washington-congress-00196006

Such “breakages” that we now know also include both,

1, The law of the land,
2, National Security,

Oh and,

3, International treaties,

As well as, I assume, any and all “tax laws” he can pretend no longer apply in the faux-name of “saving the taxpayer money” by diverting gains to his organizations…

lurker April 16, 2025 8:55 PM

@ResearcherZero

He said – she said …

“China wants what we have — what every country wants — what we have, the American consumer,”
‘https://www.politico.com/news/2025/04/16/trump-china-trade-strategy-00291979

“The problem is the US has been living beyond its means for decades. … The US should stop whining about itself being a victim in global trade …”
‘https://www.chinadaily.com.cn/a/202504/15/WS67fe4f0ca3104d9fd381f77b.html

ResearcherZero April 16, 2025 9:31 PM

Chinese threat actors are using a new tool set with in-memory payloads. The intrusions targeted Linux based systems, but the toolkit does support iOS and Windows and is pretty stealthy. Even though it uses scripts in the initial delivery, it can slip past defenses.

‘https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/

Nation state actors increasingly hide their activities behind made-up personas and groups.
https://www.csoonline.com/article/3595792/nation-state-actors-increasingly-hide-behind-cybercriminal-tactics-and-malware.html

They also employ criminal tactics for espionage and to carry out attacks.
https://www.trellix.com/blogs/research/blurring-the-lines-how-nation-states-and-cybercriminals-are-becoming-alike/

ResearcherZero April 17, 2025 12:46 AM

@BW

If the U.S. conducts offensive cyber operations China would obviously conclude that it can do the same. However, no-one should underestimate the damage that could occur as a result.

Volt Typhoon has compromised thousands of devices around the world so that it could disrupt critical infrastructure in the event of increased geopolitical tensions or conflict. That disruption could take place to cut-off communications between the US and Asia, but this may have ramifications in many other regions around the world and encourage counter-attacks.

Everyone should pause to remember how much of modern life depends on connectivity.

Volt Typhoon has demonstrated advanced capabilities and persistence, often aiming to maintain long-term access to compromised networks without detection. It also employs botnets comprised of IoT devices to aid in its operations to stealthily gain access for lateral movement through networks. The botnets often consist of many tens of thousands of devices.

“This group has weaponized outdated routers on a global scale, weaving layers of obfuscation that mask their presence and make detection exceptionally difficult.”

Microprocessor without Interlocked Pipelined Stages

Analysts have identified MIPS-based malware on these devices, similar to Mirai, engineered to establish covert connections and communicate via port forwarding over 8443.

“These compromised routers act as digital chameleons, facilitating the covert movement of data while mimicking normal network traffic.”

‘https://securityscorecard.com/blog/botnet-is-back-ssc-strike-team-uncovers-a-renewed-cyber-threat/

Dragos attributes Volt Typhoon as a Chinese state operation targeting critical systems.
https://www.dragos.com/resources/reports/voltzite-espionage-operations-targeting-u-s-critical-systems/

Many other private companies and nations outside of the US have also attributed the intrusions carried out by Volt Typhoon to China, including the breach of Singtel in Asia.

https://www.bloomberg.com/news/articles/2024-11-05/chinese-group-accused-of-hacking-singtel-in-telecom-attacks
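The comment above describes compromised routers forwarding traffic over TCP/8443 while blending in with normal network activity. A defender's first cut at this is to baseline which infrastructure devices are ever expected to originate 8443 sessions, and to flag the rest, especially long-lived ones. The following is an added illustration, not code from the post or from the SecurityScorecard report it quotes; the log format, the `INFRA_DEVICES` inventory, the `ALLOWED_8443_DESTS` allowlist and the sample lines are all constructed assumptions.

```python
"""Flag router/IoT devices that open outbound TCP connections on port 8443.

Added, hypothetical example (not from the blog post or the report it quotes).
Assumes a constructed connection-log format:
    <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> proto=<tcp|udp> duration=<seconds>
and that the defender maintains an inventory of which source addresses are
network infrastructure (routers, SOHO gateways, IoT) rather than user endpoints.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2025-04-16T10:00:01Z 192.168.1.1:51022 -> 203.0.113.5:8443 proto=tcp duration=1843
2025-04-16T10:00:05Z 192.168.1.50:49210 -> 198.51.100.20:443 proto=tcp duration=12
2025-04-16T10:01:11Z 192.168.1.1:51023 -> 203.0.113.5:8443 proto=tcp duration=3600
2025-04-16T10:02:30Z 192.168.1.254:40001 -> 192.0.2.77:8443 proto=tcp duration=5
2025-04-16T10:03:00Z 192.168.1.50:49211 -> 192.0.2.10:8443 proto=tcp duration=900
2025-04-16T10:04:00Z 192.168.1.254:40002 -> 192.0.2.77:8443 proto=tcp duration=7200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) duration=(?P<dur>\d+)$"
)

# Hypothetical inventory: which addresses are routers/IoT, and which 8443
# destinations the organisation legitimately operates (e.g. its own management portal).
INFRA_DEVICES = {"192.168.1.1", "192.168.1.254"}
ALLOWED_8443_DESTS = {ipaddress.ip_address("192.0.2.77")}
LONG_LIVED_SECONDS = 600  # sessions over 10 minutes are worth a closer look


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"],
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "proto": d["proto"],
        "dur": int(d["dur"]),
    }


def find_suspicious_8443(log_text):
    """Return {src_ip: [(ts, dst, reason), ...]} for infrastructure devices that
    talk to non-allowlisted hosts on TCP/8443, noting long-lived sessions."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 8443:
            continue
        if rec["src"] not in INFRA_DEVICES:
            continue  # user endpoints reaching 8443 are common; out of scope for this rule
        if rec["dst"] in ALLOWED_8443_DESTS:
            continue  # known, sanctioned management destination
        reason = "unexpected 8443 peer"
        if rec["dur"] >= LONG_LIVED_SECONDS:
            reason += f", long-lived ({rec['dur']}s)"
        alerts[rec["src"]].append((rec["ts"], str(rec["dst"]), reason))
    return dict(alerts)


if __name__ == "__main__":
    for src, items in find_suspicious_8443(SAMPLE_LOG).items():
        print(src)
        for ts, dst, reason in items:
            print(f"  {ts} -> {dst}: {reason}")
```

On the constructed sample only the gateway at 192.168.1.1 is flagged: its two sessions to 203.0.113.5 are both off-allowlist and long-lived, while the 192.168.1.254 sessions go to a sanctioned destination and the 192.168.1.50 traffic comes from a user endpoint. The value of the rule lies in the inventory and allowlist; without an honest list of what the routers should be talking to, the port alone tells you little.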

ResearcherZero April 17, 2025 12:49 AM

To put it more directly:

“Relatedly, policymakers must consider the downstream implications of conducting offensive cyber operations in response to cyber espionage. Put simply, it may set a precedent that the United States should expect the same response in kind.”

‘https://warontherocks.com/2025/02/a-tale-of-two-typhoons-properly-diagnosing-chinese-cyber-threats/

ResearcherZero April 17, 2025 12:52 AM

Guam is a tiny little island, with rather small electric utilities and not many staff.

‘https://www.bloomberg.com/news/features/2025-01-03/chinese-cyber-hackers-terrify-us-intelligence-after-infiltrating-guam

Clive Robinson April 17, 2025 5:31 AM

@ ResearcherZero, ALL,

With regards,

“To put it more directly:”

Back when Obama was US President, two things to do with what we now call “cyber security” came up,

1, The “Big Red Button”.
2, And “Send in the drones” kinetic response.

The theory was that like the nuclear football Obama would have another “football to carry around”. This one would “shutdown the Internet” rather than “blow up the world”. The idea got scuppered when it was realised that “shutting down the Internet” would not only not be possible, it would not achieve any real benefit, just a lot of harm.

As for “send in the drones” that would still even today be a “primary act of war” which does not look good or stop a massive counter strike retaliation, with full on nuclear capability.

Fun thought from 2001, it’s known that the Secret Service up on the roof of 1600 Pennsylvania Ave Washington used to have shoulder fired anti-aircraft missiles. Because it was assumed an attacking aircraft would be a light aircraft with maybe 100kg of explosives[1]. Then 9/11 happened and somebody asked,

“What effect a fully loaded and fueled up 747 would have if it hit 1600?”

and,

“What effect a shoulder launched missile would have on the 747?”

To which the two answers were in short,

1, Devastating, even to the underground areas.
2, Next to no effect what so ever.

It kind of makes the point, some things can be made so big, the problems they might cause are realistically impractical to stop.

So 747s and the Internet are just two of many technological developments that create potential problems way bigger than the myriad of lesser problems they solve.

But worse, the more technological a nation has become, the more fragile it is when that technology is turned against it…

[1] Apparently there are such light aircraft flights on “auto pilot” one way from the Ukraine to military supply depots deep in Russia and even more sophisticated air defence systems are not stopping them “getting on target” and lighting up the sky for miles around.

Clive Robinson April 17, 2025 9:14 AM

@ ResearcherZero,

Have you fully read that war on the rocks article?

Because it smacks of being “stitched together” AI written segments.

ResearcherZero April 23, 2025 1:11 AM

@Clive Robinson

Yeah, that article is pretty piecemeal. I think parts are borrowed or replicated from another article written a while back, but I could not remember who wrote the other one.

The quote does some up the precarious situation the court jester and his troop of performers have placed everyone in with their truly awful play.

Consumed with one frantic act after another, the farce continues desperately onward, hoping to somehow present the entire show as a work of genius. The White House is now putting out comedy reels, while even the Murdoch press already reviewed the show as a complete bust.

Consumer sentiment has declined along with the economic outlook and this is just the opening act. Even if they managed to burn down the Globe it could not improve the show.
Attempting every idea that pops into their heads – all at once – while firing everyone behind stage who knows what they are doing, rarely draws in enthusiastic crowds.

“No. No. This is not true,” they exclaim! Before lurching inexplicably into manic ranting.

…The only thing going for them is, there are so many disasters it is hard to keep track.
Who will be keeping track? The spying campaigns targeting government and communications.

‘https://www.security.com/threat-intelligence/billbug-china-espionage

Billbug uses third-party cloud services, AV binaries and DLL side-loading to hide.
https://blog.talosintelligence.com/lotus-blossom-espionage-group/

ResearcherZero April 23, 2025 1:27 AM

Currently the U.S. administration should be cheering for anything they claim distracts from foreign policy. Have they tried belting out covers of ‘Jesus Built My HotRod’ on TikTok?

ResearcherZero April 27, 2025 4:13 AM

A new RAT, DslogdRAT has been found hiding on Ivanti systems.

‘https://blogs.jpcert.or.jp/en/2025/04/dslogdrat.html

A hidden webshell was deposited on Ivanti ICS last year allowing the new RAT to be uploaded.
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day

Two different Chinese threat groups have been targeting Ivanti products in recent attacks.
https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability

ResearcherZero April 27, 2025 4:22 AM

@Clive Robinson

It sums it up, rather than “somes” it up. Or perhaps I should say, “one only needs to open one’s mouth to confirm that they are indeed an idiot,” would be more appropriate.

Clive Robinson April 27, 2025 5:42 AM

@ ResearcherZero,

Funny you should mention rockabilly meets heavy metal…

Back when it was suggested that we stop using immemorable passwords and start using memorable passphrases it was suffering a resurgence, and the thought occurred to me,

“How many games players have been a ‘Sleepwalker’ into using ‘dingadingdangmydangalonglinglong’ as a passphrase?”

I guess few outside the UK realised the game was made to support the “Comic Relief” charity and the voices of UK comics Lenny Henry and Harry Enfield were not just recognisable but prominent. The latter saying,

“Comic Relief or som’ing”

Just to give people a hint 😉
