{
	"id": "8b3e0dec-2da6-4f26-8ec3-beaf1e663a6f",
	"created_at": "2026-04-06T00:20:01.467149Z",
	"updated_at": "2026-04-10T13:11:50.790634Z",
	"deleted_at": null,
	"sha1_hash": "09d83c2e003e522a13b0d132ee47c6504fbc63c8",
	"title": "China Accuses U.S. of Fabricating Volt Typhoon to Hide Its Own Hacking Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 803522,
	"plain_text": "China Accuses U.S. of Fabricating Volt Typhoon to Hide Its Own\r\nHacking Campaigns\r\nBy The Hacker News\r\nPublished: 2024-10-15 · Archived: 2026-04-05 20:10:50 UTC\r\nChina's National Computer Virus Emergency Response Center (CVERC) has doubled down on claims that the\r\nthreat actor known as Volt Typhoon is a fabrication of the U.S. and its allies.\r\nThe agency, in collaboration with the National Engineering Laboratory for Computer Virus Prevention\r\nTechnology, went on to accuse the U.S. federal government, intelligence agencies, and Five Eyes countries of\r\nconducting cyber espionage activities against China, France, Germany, Japan, and internet users globally.\r\nIt also said there's \"ironclad evidence\" indicating that the U.S. carries out false flag operations in an attempt to\r\nconceal its own malicious cyber attacks, adding it's inventing the \"so-called danger of Chinese cyber attacks\" and\r\nthat it has established a \"large-scale global internet surveillance network.\"\r\n\"And the fact that the U.S. adopted supply chain attacks, implanted backdoors in internet products and 'pre-positioned' has completely debunked the Volt Typhoon – a political farce written, directed, and acted by the U.S.\r\nfederal government,\" it said.\r\nhttps://thehackernews.com/2024/10/china-accuses-us-of-fabricating-volt.html\r\nPage 1 of 3\n\n\"The U.S. military base in Guam has not been a victim of the Volt Typhoon cyber attacks at all, but the initiator of\r\na large number of cyberattacks against China and many Southeast Asian countries and the backhaul center of\r\nstolen data.\"\r\nIt's worth noting that a previous report published by CVERC in July characterized the Volt Typhoon actor as a\r\nmisinformation campaign orchestrated by the U.S. intelligence agencies.\r\nVolt Typhoon is the moniker assigned to a China-nexus cyber espionage group that's believed to be active since\r\n2019, stealthily embedding itself into critical infrastructure networks by routing traffic through edge devices\r\ncomprising routers, firewalls, and VPN hardware in an effort to blend in and fly under the radar.\r\nAs recently as late August 2024, it was linked to the zero-day exploitation of a high-severity security flaw\r\nimpacting Versa Director (CVE-2024-39717, CVSS score: 6.6) to deliver a web shell named VersaMem for\r\nfacilitating credential theft and run arbitrary code.\r\nThe use of edge devices by China-linked intrusion sets has become something of a pattern in recent years, with\r\nsome campaigns leveraging them as Operational Relay Boxes (ORBs) to evade detection.\r\nThis is substantiated by a recent report published by French cybersecurity company Sekoia, which attributed\r\nthreat actors likely of Chinese origin to a wide-range attack campaign that infects edge devices like routers and\r\ncameras to deploy backdoors such as GobRAT and Bulbature for follow-on attacks against targets of interest.\r\n\"Bulbature, an implant that was not yet documented in open source, seems to be only used to transform the\r\ncompromised edge device into an ORB to relay attacks against final victims networks,\" the researchers said.\r\n\"This architecture, consisting of compromised edge devices acting as ORBs, allows an operator to carry out\r\noffensive cyber operations around the world near to the final targets and hide its location by creating on-demand\r\nproxies tunnels.\"\r\nIn the latest 59-page document, Chinese authorities said more than 50 security experts from the U.S., Europe, and\r\nAsia reached out to the CVERC, expressing concerns related to \"the U.S. false narrative\" about Volt Typhoon and\r\nthe lack of evidence linking the threat actor to China.\r\nThe CVERC, however, did not name those experts, nor their reasons to back up the hypothesis. It further went on\r\nto state that the U.S. intelligence agencies created a stealthy toolkit dubbed Marble no later than 2015 with the\r\nintent to confuse attribution efforts.\r\n\"The toolkit is a tool framework that can be integrated with other cyber weapon development projects to assist\r\ncyber weapon developers in obfuscating various identifiable features in program code, effectively 'erasing' the\r\n'fingerprints' of cyber weapon developers,\" it said.\r\nhttps://thehackernews.com/2024/10/china-accuses-us-of-fabricating-volt.html\r\nPage 2 of 3\n\n\"What's more, the framework has a more 'shameless' function to insert strings in other languages, such as Chinese,\r\nRussian, Korean, Persian, and Arabic, which is obviously intended to mislead investigators and frame China,\r\nRussia, North Korea, Iran, and Arab countries.\"\r\nThe report further takes the opportunity to accuse the U.S. of relying on its \"innate technological advantages and\r\ngeological advantages in the construction of the internet\" to control fiber optic cables across the Atlantic and the\r\nPacific and using them for \"indiscriminate monitoring\" of internet users worldwide.\r\nIt also alleged that companies like Microsoft and CrowdStrike have resorted to giving \"absurd\" monikers with\r\n\"obvious geopolitical overtones\" for threat activity groups with names like \"typhoon,\" \"panda,\" and \"dragon.\"\r\n\"Again, we would like to call for extensive international collaboration in this field,\" it concluded. \"Moreover,\r\ncybersecurity companies and research institutions should focus on counter-cyber threat technology research and\r\nbetter products and services for users.\"\r\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content\r\nwe post.\r\nSource: https://thehackernews.com/2024/10/china-accuses-us-of-fabricating-volt.html\r\nhttps://thehackernews.com/2024/10/china-accuses-us-of-fabricating-volt.html\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2024/10/china-accuses-us-of-fabricating-volt.html"
	],
	"report_names": [
		"china-accuses-us-of-fabricating-volt.html"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434801,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09d83c2e003e522a13b0d132ee47c6504fbc63c8.pdf",
		"text": "https://archive.orkl.eu/09d83c2e003e522a13b0d132ee47c6504fbc63c8.txt",
		"img": "https://archive.orkl.eu/09d83c2e003e522a13b0d132ee47c6504fbc63c8.jpg"
	}
}