{
	"id": "d3e902be-4e22-4328-9a71-dc8d5fad19bb",
	"created_at": "2026-04-06T00:17:16.811614Z",
	"updated_at": "2026-04-10T03:34:44.525473Z",
	"deleted_at": null,
	"sha1_hash": "b044c3af3cac8e59727aa39bbf66d90f1da755ca",
	"title": "Beijing accused of misusing Western research to claim Volt Typhoon is a ransomware group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88198,
	"plain_text": "Beijing accused of misusing Western research to claim Volt\r\nTyphoon is a ransomware group\r\nBy Alexander Martin\r\nPublished: 2024-07-10 · Archived: 2026-04-02 10:58:44 UTC\r\nChina’s national cybersecurity agency was accused on Wednesday of misrepresenting research from Western\r\ncybersecurity companies in an ongoing attempt to deny allegations that a Beijing-backed hacking group is behind\r\nattacks targeting critical infrastructure in the West.\r\nThe cybersecurity company Trellix pushed back against a conspiratorial report published Monday by China’s\r\nNational Computer Virus Emergency Response Center (CVERC) claiming that the Five Eyes intelligence alliance\r\nhad concocted evidence about the hacking campaign.\r\n“This is likely an effort from the Chinese government to manipulate public perceptions of China threats,” said\r\nJohn Fokker, the head of threat intelligence at Trellix.\r\nAs researchers previously told Recorded Future News, the group tracked as Volt Typhoon by Microsoft and as\r\nBronze Silhouette by Secureworks has gone to great lengths to conceal its connections to China, suggesting that\r\nBeijing has become increasingly sensitive about being blamed for offensive cyber operations.\r\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) had in February warned that the hackers were\r\n“seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. 
critical\r\ninfrastructure in the event of a major crisis or conflict with the United States.”\r\nIt was shortly after this warning that the CVERC, alongside the English-language version of the Global Times\r\nnewspaper — controlled by the Chinese Communist Party — first claimed that the threat actor does not exist.\r\nIn the CVERC report published on Monday, coordinated with another article in the Global Times, the Chinese\r\nagency claimed that Volt Typhoon was a “misinformation campaign” intentionally misattributing cyberattacks by\r\nthe Dark Power ransomware group to the Chinese state.\r\nThe CVERC report includes a number of grammatical and spelling errors, even of Chinese institutions — in one\r\ncase calling the military-linked Northwestern Polytechnical University the Northwestern Pyrotechnical University\r\n— and according to Dakota Cary, a consultant at SentinelOne, was potentially “co-authored by the propagandists\r\nat Global Times.”\r\nIn its substance, the report misrepresents the vocabulary of intelligence analysis to claim there are disagreements\r\nbetween intelligence assessments made by CISA and private sector cybersecurity companies about activities\r\nlinked to this hacking group.\r\nIn one instance, the CVERC cited Mandiant using estimative language about a cluster of activity tracked as\r\nUNC5291 which Mandiant assessed “with medium confidence to be Volt Typhoon, targeting U.S. 
energy and\r\ndefence sectors.”\r\nMandiant said that it had seen the UNC5291 campaign probe “Ivanti Connect Secure appliances in mid-January\r\n2024,” but had “not directly observed Volt Typhoon successfully compromise Ivanti Connect Secure.”\r\nThis was taken to contradict a CISA warning that the group had been exploiting vulnerabilities in networking\r\nappliances, including Ivanti Connect Secure, rather than simply a statement of Mandiant’s own observations.\r\nIn another instance the CVERC cited reports by Trellix and ThreatMon which included among their indicators of\r\ncompromise the hash of a ransomware sample from the Dark Power group, a sample which it claimed was\r\nconnected with IP addresses also linked to Volt Typhoon.\r\nFokker said the CVERC report “uses our blog to support a false conclusion that there is a connection between\r\nDark Power and Volt Typhoon, which our research does not substantiate.”\r\nNeither Mandiant nor ThreatMon were able to respond to requests for comment before publication. Numerous\r\nother cybersecurity companies have also reported incidents attributed to Volt Typhoon in which the threat actor\r\nhas targeted critical infrastructure in the United States, including Bitdefender, Secureworks, Microsoft and others.\r\nAlexander Martin\r\nis the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow\r\nat the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal\r\non: AlexanderMartin.79\r\nSource: https://therecord.media/china-accused-misusing-western-cybersecurity-research-volt-typhoon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/china-accused-misusing-western-cybersecurity-research-volt-typhoon"
	],
	"report_names": [
		"china-accused-misusing-western-cybersecurity-research-volt-typhoon"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "42ee1c89-d75c-4e1e-91fa-dab8c0e83bf6",
			"created_at": "2024-04-20T02:00:03.5779Z",
			"updated_at": "2026-04-10T02:00:03.626285Z",
			"deleted_at": null,
			"main_name": "UNC5291",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5291",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434636,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b044c3af3cac8e59727aa39bbf66d90f1da755ca.pdf",
		"text": "https://archive.orkl.eu/b044c3af3cac8e59727aa39bbf66d90f1da755ca.txt",
		"img": "https://archive.orkl.eu/b044c3af3cac8e59727aa39bbf66d90f1da755ca.jpg"
	}
}