Who is Volt Typhoon? A State-sponsored Actor? Or Dark Power?
Cyber attribution is complicated. After all the publicity about Volt Typhoon as a Chinese state hacking group, we have more questions than answers.
Revelations about the Volt Typhoon hacking group’s targeting of US critical infrastructure show that Chinese cyber operations have permanently altered the cyberthreat landscape, US officials said at the RSA cybersecurity conference in early May. “China has moved beyond the traditional goal of nation-state hacking operations – spying on an adversary – into something more sinister.” If we recall, this was not the first time this year that US officials have called out the significance of Volt Typhoon campaigns. At the end of January, after the US Department of Justice (US DoJ) took down a botnet allegedly used by Volt Typhoon, US officials pointed out that China’s “historical focus on stealing state secrets and espionage,” meaning cyber espionage for political and economic interests, has evolved into a more ominous intention to prepare for destructive attacks. As US officials said, Volt Typhoon campaigns show “a new interest in preparing and launching destructive cyberattacks against US electricity systems, water utilities, military organizations and other critical services,” and the intent is to “cause disruption and sow societal panic, especially in the event of a military conflict.”
Each time the United States and the so-called Five Eyes countries emphasize the significance of Chinese state-sponsored cyber actor Volt Typhoon, China has followed closely with tit-for-tat responses comparable to the name-and-shame techniques China has used before. China’s responses feature not only the usual accusations that the US is attempting to “defame China,” but also a detailed report. As described below, the report analyzes the Indicators of Compromise (IoCs) from Microsoft’s initial Volt Typhoon report and from a Joint Cybersecurity Advisory issued by the Five Eyes countries (US, UK, Canada, Australia, and New Zealand), together with other related reports published outside of China, to allege that Volt Typhoon is “more likely a cybercrime group” rather than Chinese state-sponsored.
Well, who really is Volt Typhoon? In this posting, the Natto Team delves into reports related to Volt Typhoon, including technical reports and broader media coverage from Western sources and from China. We seek to understand not only who said what, but also what it means, who Volt Typhoon is, how Volt Typhoon was attributed, and why China said Volt Typhoon was not what the US said they are. Of course, this is not just simply “Say You, Say me.”
Say You: How was Volt Typhoon Attributed to China as a State-sponsored Actor?
Strategic attribution details are surprisingly hard to find in the publicly available Volt Typhoon-related reports published outside of China. Most of the reports have stayed at the tactical attribution level, citing clustered indicators of compromise (IoCs), malware and infrastructure. The major Volt Typhoon reports with relevant attribution statements are as follows:
May 24, 2023: Microsoft exposed Volt Typhoon – “A state-sponsored actor based in China”
The public first heard of Volt Typhoon and its activities on May 24, 2023, when Microsoft published the report “Volt Typhoon targets US critical infrastructure with living-off-the-land techniques.” The first paragraph of the report described Volt Typhoon as “a state-sponsored actor based in China.” Microsoft assessed with “moderate confidence” that the Volt Typhoon campaign Microsoft described “is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.” “Moderate confidence” in this case, according to the definition from the US government’s Title 50 War and National Defense, means “that a determination is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.” Following the first paragraph of the top-line assessment, the Microsoft report discussed Volt Typhoon’s technical tactics for targeting critical infrastructure providers, categorizing the techniques according to the MITRE ATT&CK framework, then provided “mitigation and protection guidance,” “detection details and hunting queries” and “indicators of compromise (IOCs).” The whole report mentioned “China” once as described in the first paragraph and did not give any other attribution details, such as how Microsoft came to the assessment Volt Typhoon is “a state-sponsored actor based in China,” not somewhere else.
May 24, 2024: The Joint Advisory – Volt Typhoon – “PRC state-sponsored cyber actor”
Microsoft’s Volt Typhoon report mentioned that the tactics, techniques, and procedures (TTPs) discussed in the company’s report have been published by the US National Security Agency (NSA). At the same time on the same day, the US NSA, the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), along with other agencies from Five Eyes countries – the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) – issued a Joint Cybersecurity Advisory (joint advisory), “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.” The joint advisory named Volt Typhoon “a People’s Republic of China (PRC) state-sponsored cyber actor” and provided a hunting guide with potential indicators associated with Volt Typhoon’s cyber activity. Compared to Microsoft’s report – which described Volt Typhoon as “a state-sponsored actor based in China,” wording that defines the actor’s geolocation rather than an explicit state affiliation – the joint advisory went further in calling Volt Typhoon a “PRC state-sponsored cyber actor.” However, the joint advisory provides no further attribution details either.
May 24, 2023 – Secureworks reported observed Volt Typhoon activities: Volt Typhoon – “likely operates on behalf of the PRC”
Secureworks, a US cybersecurity company which is majority-owned by Dell Technologies, referred to the joint advisory for Volt Typhoon technical details and reported on Volt Typhoon (a.k.a. BRONZE SILHOUETTE) activities targeting US government and defense organizations since 2021, which Secureworks discovered in three incident response engagements. Secureworks assessed Volt Typhoon “likely operates on behalf of the PRC. The targeting of U.S. government and defense organizations for intelligence gain aligns with PRC requirements, and the tradecraft observed in these engagements overlap with other state-sponsored Chinese threat groups.”
May 26, 2023, updated February 14, 2024 – Unit 42 reported Volt Typhoon attacks on critical infrastructure: Volt Typhoon – “A PRC state-sponsored actor”: agree with the attribution made in Joint Cyber Security Advisories
Palo Alto Networks’ Unit 42 reported on Volt Typhoon (a.k.a. Insidious Taurus) activities observed in late 2021, and the activities aligned with what Microsoft reported. Unit 42 stated that it “concurs with the attribution made in both Joint Cybersecurity Advisories [referring to the May 24, 2023 joint advisory and to a January 31, 2024 joint advisory mentioned below] that this activity is associated with a PRC state-sponsored actor,” but with no further explanation.
December 13, 2023 – Black Lotus Labs of Lumen Technologies reported overlap between the KV botnet and Volt Typhoon
The Black Lotus Labs report stated that “Volt Typhoon is at least one user” of the so-called KV botnet, a small office/home office [SOHO] botnet comprising less-sophisticated “JDY” and more-sophisticated “KV” activity clusters. The report said this botnet “encompasses a subset of their (Volt Typhoon) operational infrastructure.” The report provided evidence for the group’s location but not necessarily for state sponsorship; it assessed that “Lumen’s global telemetry indicates this network was administered from IP addresses within the People’s Republic of China (PRC), and we observed operations during working hours that align to China standard time.”
January 31, 2024 – US government comments on disruption of KV botnet, reiterates assessment of PRC state sponsorship
The US government announced in January 2024 that it had disrupted the KV botnet in December. Commentaries by various US officials reiterated their conviction of Chinese state sponsorship of Volt Typhoon. An additional joint advisory dated February 14, 2024 provided further information about the extent and longevity (at least five years) of Volt Typhoon activity.
Say Me: Is Volt Typhoon Really a Nation-State Actor?
The Chinese government most likely did not censor domestic media reporting on Volt Typhoon-related news. Instead, Chinese state media responded to the first Volt Typhoon report from Microsoft very quickly, portraying it as anti-Chinese propaganda.
May 25, 2023: China Daily – Volt Typhoon - “nothing more than political propaganda”
China Daily, the largest English-language daily newspaper operated by the Publicity Department of the Chinese Communist Party (CCP), was the first media outlet to publish an editorial in English, one day after the exposure of Volt Typhoon. The editorial described the background of Microsoft’s Volt Typhoon report, citing documents that former NSA employee Edward Snowden had leaked, purporting to show that Microsoft has “murky relations” with the US government. China Daily dismissed Microsoft’s reporting as “nothing more than political propaganda.” “No matter how many technical details [the report] has provided, [it] has stopped short of explaining on what grounds it has determined the hacker group is ‘state-sponsored’ by China,” the editorial said.
May 26, 2023: Chinese news headlines – “US pours dirty water on China”
Following the China Daily editorial, other online media in China reported the Volt Typhoon news as well, with headlines such as “US Military Base in Guam Hacked, US Pours Dirty Water on China.” Several Chinese information security companies — for example, Venustech, a company controlled by China Mobile and focused on serving Chinese government clients — referred to Microsoft’s Volt Typhoon report but without mentioning Volt Typhoon’s alleged Chinese government affiliations.
Eleven months after Microsoft first exposed Volt Typhoon, China’s National Computer Virus Emergency Response Center (CVERC), a Chinese government agency, issued a report, “Volt Typhoon: A Conspiratorial Swindling Campaign Targets with US Congress and Taxpayers Conducted by US Intelligence Community,” in both English and Chinese languages.
April 15, 2024: CVERC report – China’s Volt Typhoon attribution
CVERC’s report accuses US cybersecurity authorities of utilizing the Volt Typhoon case to win more budget funding from the US Congress and claims that Microsoft and other US cybersecurity companies are “swindling” the American public to justify big government contracts. More specifically, CVERC’s report stated, its analysis shows that the evidence of Volt Typhoon attribution “is so insufficient that the actor has more correlation with a ransomware group or other cybercriminals” than to the Chinese state.
How did CVERC come to this conclusion? CVERC described its analysis process in the report. The details are as follows:
Focused on 29 malware samples listed in the Indicators of Compromise (IoCs) related to Volt Typhoon from Microsoft’s report and the Joint Cybersecurity Advisory;
Searched for the 29 samples in VirusTotal, an online service for malware detection and analysis;
Found 13 of the 29 samples in VirusTotal. Among the IP addresses these 13 samples had contacted, identified 5 IP addresses that each link to multiple samples; in turn, each of the 13 samples links to several of these 5 IP addresses;
Looked up the 5 IP addresses in VirusTotal again and discovered that “these (IP) addresses are related to a lot of cyberattack events, and there are multiple IP addresses associated with the same cyberattack event or cybersecurity risks;”
Discovered that one of the cyberattack events with connections to all 5 IP addresses is attributed to a ransomware group named Dark Power. CVERC cited a report, “The Rise of Dark Power: A Close Look at the Group and Their Ransomware,” published on April 11, 2024 by ThreatMon, a cybersecurity vendor that gave an address in Northern Virginia, USA (see ThreatMon company details below). ThreatMon’s report listed all 5 IP addresses as IoCs related to the ransomware group Dark Power. ThreatMon’s report also indicated that Dark Power used living-off-the-land techniques as described in Microsoft’s Volt Typhoon report. It noted that Dark Power had been active before March 2023 and that victims of Dark Power were from Algeria, Egypt, the Czech Republic, Turkey, Israel, Peru, France and the US.
Searched VirusTotal for the malware samples and IP addresses related to the KV botnet from the Black Lotus Labs report and did not find any links to the IoCs of Microsoft’s Volt Typhoon report and the Joint Cybersecurity Advisory.
Concluded that, therefore, the Volt Typhoon actor is more likely a cybercrime group.
Say You: Did Volt Typhoon Reports from US Companies and the Joint Advisory have Sufficient Details for Attribution?
To answer this question, first let’s look at how cyber attribution has been done commonly. Many cyber threat intelligence (CTI) researchers understand that cyber attribution is a complicated issue. Not every CTI vendor is keen to identify the names and faces of an adversary because of their own business priorities, resources and client requirements. Over the years, we have seen various governments attributing threat activity to named individuals or organizations. For example, indictments from the US Department of Justice have named a company and individuals allegedly behind the APT41 group. In another example, Intrusion Truth, an anonymous cyber threat intelligence research group, has revealed actors and companies associated with four Chinese APT groups. The US DoJ has subsequently indicted alleged members of all four of these groups.
When it comes to cyber attribution, most CTI companies focus on tactical and operational attribution. Tactical attribution identifies and clusters relevant IoCs and attack-related technical details, such as malware used, typical attack process, or other technical artifacts. Operational attribution uses characteristics of activity clusters to infer operational profiles of cyber threat groups, as Jamie Collier and Shanyn Ronis from the threat intelligence company Mandiant, now a Google company, discussed in the blog “Navigating the Trade-Offs of Cyber Attribution.” These profiles draw on operational intelligence that answers questions such as the frequency and the geolocation of the activity and the victims being targeted. The last stage is strategic attribution, which is the identification of a threat group or threat actor. The identity can be an individual’s name or associations or can be defined by the sponsor of the threat operation, such as a state.
Mandiant’s iconic 76-page report on Chinese military hacker group APT1, published in 2013, is an excellent example showing how cyber attribution was done at the tactical, operational and strategic level. The APT1 report demonstrated the data collected and analyzed at each level and made explicit the connections and correlations of this information to arrive at attribution.
Compared to the APT1 report, the Volt Typhoon-related reports published by US companies and the Joint Cybersecurity Advisories since May 2023 are shy on strategic attribution details that would define the sponsor of the threat operation. They provide no identified names or associations. In this case, companies may be hesitant to expose threat actors because of adversary reprisals and added difficulties in tracking threat groups in the future. There may be other non-disclosed reasons as well – such as an ongoing law enforcement investigation – if we assume Microsoft and other companies had evidence to identify the sponsor of the threat operation rather than just stating “a state-sponsored actor based in China.”
When Mandiant explained why they were exposing APT1, they wrote:
“The issue of attribution has always been a missing link in publicly understanding the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.”
More than 11 years after the publication of Mandiant’s APT1 report, it may be hard to swallow that this time the adversary has taken advantage of the missing links in Volt Typhoon’s attribution to score a point in the court of world opinion.
Say Me: Did Volt Typhoon have more Correlation with Dark Power than with a State-Sponsored Actor?
CVERC, dismissing Microsoft’s and the Joint Advisories’ Volt Typhoon attribution as “so insufficient,” provided its own analysis, attributing Volt Typhoon activity to cybercrime group Dark Power. Is CVERC’s attribution solid? We are afraid to say it is not.
The Natto Team consulted several technical experts about whether the overlap of 5 IP addresses, as CVERC stated, is sufficient to determine that Volt Typhoon is more likely Dark Power. The answer was no. VirusTotal indicated these IPs are associated with Content Delivery Networks (CDNs), cloud service servers, and certificate authority (CA) Online Certificate Status Protocol (OCSP) responders. According to VirusTotal’s Community Notes, some of these IPs have a history of being utilized as infrastructure by cybercrime groups. However, this association does not necessarily point to a link between Volt Typhoon and Dark Power. It is possible that Volt Typhoon used infrastructure that happened to be hosted at the same IP addresses that Dark Power had used at some point; shared services of this kind are contacted by countless unrelated samples and by the analysis environment itself. IP addresses are not generally valuable for attribution unless they are hardcoded in the malware.
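As an added illustration (not from the Natto Team’s post, CVERC’s report, or any vendor tool), the script below re-runs the sample-to-IP pivot described in the CVERC steps above on constructed data, then shows how the overlap evaporates once IPs belonging to shared infrastructure (CDN, cloud, OCSP responders) and an analysis sandbox’s own background traffic are discounted. Every sample name, IP address (RFC 5737 documentation ranges) and role label here is a constructed placeholder, not a real indicator.

```python
"""Toy re-run of the 'shared IP' pivot and why it is weak for attribution.

Step 1: sample -> IPs the sample contacted (as a VirusTotal relation lookup
        would list them).
Step 2: naive overlap of those IPs with another group's published IoC list.
Step 3: the same overlap after discarding IPs that host shared services
        and IPs a clean sandbox contacts on its own.
All data below is constructed for the example; none of it is a real IoC.
"""
from collections import defaultdict

# Constructed: per-sample contacted IPs.
SAMPLE_CONTACTED_IPS = {
    "sample-a": {"203.0.113.10", "198.51.100.5"},
    "sample-b": {"203.0.113.10", "198.51.100.7"},
    "sample-c": {"198.51.100.5", "192.0.2.44"},
}

# Constructed: IoC list published for an unrelated ransomware group.
OTHER_GROUP_IOCS = {"203.0.113.10", "198.51.100.5", "198.51.100.7", "192.0.2.99"}

# Constructed: what WHOIS / passive DNS / certificate data says each IP hosts.
IP_ROLE = {
    "203.0.113.10": "cdn",        # content delivery edge shared by many sites
    "198.51.100.5": "ocsp",       # CA revocation-check responder
    "198.51.100.7": "cloud",      # multi-tenant cloud address
    "192.0.2.44": "dedicated",    # single-purpose host
    "192.0.2.99": "dedicated",
}
SHARED_ROLES = {"cdn", "ocsp", "cloud"}

# Constructed: IPs a clean, sample-free sandbox VM contacted by itself
# (OS update checks, certificate validation). These must be subtracted
# from any detonation's traffic before it is treated as the sample's own.
SANDBOX_BASELINE = {"198.51.100.5"}


def pivot_ips(samples):
    """Invert sample->IPs into IP->samples (CVERC's step of finding IPs
    that link to multiple samples)."""
    by_ip = defaultdict(set)
    for sample, ips in samples.items():
        for ip in ips:
            by_ip[ip].add(sample)
    return dict(by_ip)


def naive_overlap(samples, other_iocs):
    """IPs that appear both in our samples' traffic and in the other
    group's IoC list, with no filtering at all."""
    return set(pivot_ips(samples)) & set(other_iocs)


def attributable_overlap(samples, other_iocs, ip_role, baseline=SANDBOX_BASELINE,
                         shared_roles=SHARED_ROLES):
    """The overlap that could actually support an attribution claim:
    drop sandbox background traffic and shared-service addresses."""
    return {ip for ip in naive_overlap(samples, other_iocs)
            if ip not in baseline
            and ip_role.get(ip, "unknown") not in shared_roles}


if __name__ == "__main__":
    print("naive overlap:       ", sorted(naive_overlap(SAMPLE_CONTACTED_IPS, OTHER_GROUP_IOCS)))
    print("attributable overlap:", sorted(attributable_overlap(SAMPLE_CONTACTED_IPS, OTHER_GROUP_IOCS, IP_ROLE)))
```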
One detail in the CVERC report deserves special mention. CVERC noted that the ThreatMon report on Dark Power promised to provide IoCs for further research, but the IoCs could not be seen. CVERC suspected that ThreatMon was hiding the IoCs to hinder other researchers from checking ThreatMon’s work. CVERC managed to discover the IoCs on the back cover of the ThreatMon report by moving the back cover picture, which had obscured them. As of the time of this writing, the online version of ThreatMon’s report has removed the IoCs from the back cover. However, the IoCs can still be found hidden on the back cover of the web archive version of the report. ThreatMon identifies itself as a US company and says it has an address in Sterling, Virginia. That address is shared with two entities called National Cyber Group and CyberNow Labs. ThreatMon’s LinkedIn page appears to have a Turkish contact phone number, which it shares with a Turkish company named Infinitum IT. Several Infinitum IT “alumni” now work for ThreatMon, according to Apollo.io.
At least three other companies reported on Dark Power more than one year earlier than ThreatMon’s Dark Power report, but none of them list the IP addresses reported by ThreatMon.
Fortinet reported on Dark Power on March 30, 2023: “Ransomware Roundup – Dark Power and PayMe100USD Ransomware”
Trellix reported on Dark Power on March 23, 2023: “Shining Light on Dark Power: Yet Another Ransomware Gang”
SentinelOne reported on Dark Power, date unknown: “Dark Power Ransomware: In-Depth Analysis, Detection, and Mitigation”
More information about ThreatMon would help facilitate an assessment of the validity of their reporting on Dark Power. In turn, a close analysis of reporting on Dark Power and comparison with publicly available reporting on Volt Typhoon would help researchers assess CVERC’s claim that Volt Typhoon is not a Chinese state-sponsored group.
Say you, say me. Can it say together? The Natto Team is afraid to say probably not. Cyber attribution is complicated. It looks as if we have more questions than answers after all.
CVERC very publicly making the same mistake that every trainee intrusion analyst has at some point...
...confusing network traffic from the underlying operating system of an analysis environment with network traffic produced by whatever got detonated in that environment.