{ "id": "4d829027-4f05-4a8a-a6b9-6b49db376ade", "created_at": "2026-04-06T00:10:14.274963Z", "updated_at": "2026-04-10T03:34:44.478292Z", "deleted_at": null, "sha1_hash": "09afad7bf7cd130eb79cf4e2821c60ffece84eba", "title": "Chinese cyber agency accused of 'false and baseless' claims about US interfering in Volt Typhoon research", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 87362, "plain_text": "Chinese cyber agency accused of 'false and baseless' claims about\r\nUS interfering in Volt Typhoon research\r\nBy Alexander Martin\r\nPublished: 2024-07-11 · Archived: 2026-04-02 12:45:22 UTC\r\nChina’s national cybersecurity agency was accused on Thursday of falsely claiming, citing an “anonymous” inside\r\nsource, that a Western threat intelligence company had “recalled” a publication under pressure from an\r\nunidentified U.S. intelligence agency.\r\nU.S.-based ThreatMon said China’s National Computer Virus Emergency Response Center (CVERC) completely\r\nmischaracterized the company’s changes to a report on the Dark Power ransomware group.\r\nIt’s the latest pushback from a Western company against a conspiratorial report that the CVERC published\r\nMonday, in which it attempted to deny that a Beijing-backed hacking group was behind attacks targeting critical\r\ninfrastructure in the West.\r\nThe CVERC argued that the China state-sponsored threat actor Volt Typhoon was an invention of Western\r\nintelligence agencies. It claimed that any real attacks that had taken place were instead conducted by the Dark\r\nPower ransomware gang, and that evidence revealing this was being suppressed.\r\nIt attempted to justify the claims of this conspiracy by citing reports from ThreatMon and Trellix, another U.S.-\r\nbased cybersecurity company.\r\nThe agency noted that ThreatMon had once published and then amended a report about Dark Power that included\r\nseveral Indicators of Compromise (IoCs) — digital forensics artifacts shared by cybersecurity defenders to\r\nuncover and attribute hacks — which Trellix had linked to Volt Typhoon.\r\nCiting an “anonymous source” from ThreatMon — the first time a report from the CVERC has presented alleged\r\nhuman intelligence — the agency claimed that ThreatMon had removed the indicators of compromise (IoCs)\r\nlinked to Dark Power from the amended version of its report after being “manipulated by intelligence agencies.”\r\nGökhan Yüceler, the chief technology officer at ThreatMon, told Recorded Future News that “the allegations that\r\nwe are acting under pressure from the U.S. are entirely false and baseless.”\r\nYüceler said that the company removed the IoCs from its amended Dark Power report after subsequent analysis\r\nsuggested they may be incorrect.\r\n“The recent report from China aims to misrepresent our research. The report claims a connection between Volt\r\nTyphoon and Dark Power based on our findings, a connection our research does not support. While shared IoCs\r\ncan occur, drawing definitive conclusions from them is misleading,” he said.\r\nhttps://therecord.media/china-cyber-agency-claims-us-interference-volt-typhoon-research\r\nPage 1 of 3\n\nThe cybersecurity company Trellix also pushed back against the CVERC’s claims. John Fokker, the company’s\r\nhead of threat intelligence, told Recorded Future News the CVERC report “uses our blog to support a false\r\nconclusion that there is a connection between Dark Power and Volt Typhoon, which our research does not\r\nsubstantiate. \r\n“This is likely an effort from the Chinese government to manipulate public perceptions of China threats,” Fokker\r\nsaid.\r\nAs researchers previously told Recorded Future News, the group tracked as Volt Typhoon by Microsoft and as\r\nBronze Silhouette by Secureworks has gone to great lengths to conceal its connections to China, suggesting that\r\nBeijing has become increasingly sensitive about being blamed for offensive cyber operations.\r\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) had in February warned that the hackers were\r\n“seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical\r\ninfrastructure in the event of a major crisis or conflict with the United States.”\r\nIt was shortly after this warning that the CVERC, alongside the English-language version of the Global Times\r\nnewspaper — controlled by the Chinese Communist Party — first claimed that the threat actor does not exist. The\r\nCVERC’s most recent report was again accompanied by another article in the Global Times.\r\nThe report includes a number of grammatical and spelling errors, even of Chinese institutions — in one case\r\ncalling the military-linked Northwestern Polytechnical University the Northwestern Pyrotechnical University.\r\nAccording to Dakota Cary, a consultant at SentinelOne, the report was potentially “co-authored by the\r\npropagandists at Global Times.”\r\nhttps://therecord.media/china-cyber-agency-claims-us-interference-volt-typhoon-research\r\nPage 2 of 3\n\nAlexander Martin\r\nis the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow\r\nat the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal\r\non: AlexanderMartin.79\r\nSource: https://therecord.media/china-cyber-agency-claims-us-interference-volt-typhoon-research\r\nhttps://therecord.media/china-cyber-agency-claims-us-interference-volt-typhoon-research\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://therecord.media/china-cyber-agency-claims-us-interference-volt-typhoon-research" ], "report_names": [ "china-cyber-agency-claims-us-interference-volt-typhoon-research" ], "threat_actors": [ { "id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7", "created_at": "2023-06-23T02:04:34.793629Z", "updated_at": "2026-04-10T02:00:04.971054Z", "deleted_at": null, "main_name": "Volt Typhoon", "aliases": [ "Bronze Silhouette", "Dev-0391", "Insidious Taurus", "Redfly", "Storm-0391", "UAT-5918", "UAT-7237", "UNC3236", "VOLTZITE", "Vanguard Panda" ], "source_name": "ETDA:Volt Typhoon", "tools": [ "FRP", "Fast Reverse Proxy", "Impacket", "LOLBAS", "LOLBins", "Living off the Land" ], "source_id": "ETDA", "reports": null }, { "id": "a88747e2-ffed-45d8-b847-8464361b2254", "created_at": "2023-11-01T02:01:06.605663Z", "updated_at": "2026-04-10T02:00:05.289908Z", "deleted_at": null, "main_name": "Volt Typhoon", "aliases": [ "Volt Typhoon", "BRONZE SILHOUETTE", "Vanguard Panda", "DEV-0391", "UNC3236", "Voltzite", "Insidious Taurus" ], "source_name": "MITRE:Volt Typhoon", "tools": [ "netsh", "PsExec", "ipconfig", "Wevtutil", "VersaMem", "Tasklist", "Mimikatz", "Impacket", "Systeminfo", "netstat", "Nltest", "certutil", "FRP", "cmd" ], "source_id": "MITRE", "reports": null }, { "id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b", "created_at": "2025-08-07T02:03:24.661509Z", "updated_at": "2026-04-10T02:00:03.644548Z", "deleted_at": null, "main_name": "BRONZE SILHOUETTE", "aliases": [ "Dev-0391 ", "Insidious Taurus ", "UNC3236 ", "Vanguard Panda ", "Volt Typhoon ", "Voltzite " ], "source_name": "Secureworks:BRONZE SILHOUETTE", "tools": [ "Living-off-the-land binaries", "Web shells" ], "source_id": "Secureworks", "reports": null }, { "id": "4ed2b20c-7523-4852-833b-cebee8029f55", "created_at": "2023-05-26T02:02:03.524749Z", "updated_at": "2026-04-10T02:00:03.366175Z", "deleted_at": null, "main_name": "Volt Typhoon", "aliases": [ "BRONZE SILHOUETTE", "VANGUARD PANDA", "UNC3236", "Insidious Taurus", "VOLTZITE", "Dev-0391", "Storm-0391" ], "source_name": "MISPGALAXY:Volt Typhoon", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434214, "ts_updated_at": 1775792084, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/09afad7bf7cd130eb79cf4e2821c60ffece84eba.pdf", "text": "https://archive.orkl.eu/09afad7bf7cd130eb79cf4e2821c60ffece84eba.txt", "img": "https://archive.orkl.eu/09afad7bf7cd130eb79cf4e2821c60ffece84eba.jpg" } }