"Volt Typhoon" III - Decoding the U.S. Government's Implementation of Cyber Espionage and Disinformation Operations

chief security officer • October 18, 2024 am7:30 am • CSO·Insight • 870 views

This report provides an in-depth analysis of cyber espionage and disinformation operations conducted by the U.S. federal government and its intelligence agencies around the world, and reveals the true extent of the massive surveillance and data theft that has been carried out by the U.S. federal government and its intelligence agencies through a variety of tactics, including Advanced Persistent Threats (APTs), supply chain attacks, and Operation False Flag, targeting cyber infrastructures and critical organizations in China, Germany, Japan, and other countries. The report points out that the NSA (U.S. National Security Agency) has been conducting large-scale surveillance and data theft against cyber infrastructure and key organizations in China, Germany, Japan and other countries. The report points out that the U.S. National Security Agency (NSA) and the Central Intelligence Agency (CIA) have been working together to take advantage of the technological superiority of the "Five Eyes Coalition" countries to control the world's important undersea fiber-optic cables and set up a full range of listening stations to carry out indiscriminate surveillance of Internet users around the world.

With regard to disinformation operations, the United States intelligence agencies have implemented "false flag operations" through the framework of "Operation Influence", in which they create and disseminate false information to mislead the traceability and attribution, cover up their own cyberattacks, and frame other countries. In addition, the report describes in detail the UpStream and Prism programs, which enable the NSA to obtain user data from major U.S. Internet companies, further expanding its intelligence-gathering capabilities.

The report also reveals that the U.S. Office of Specific Intrusion Operations (TAO) has launched covert cyber intrusion operations around the world, implanting espionage programs to infiltrate critical network systems in target countries. At the same time, the report reveals that the U.S. has abused Section 702 of the Foreign Intelligence Surveillance Act (FISA) internally to conduct illegal wiretapping and data collection of global Internet users, including U.S. citizens.

In terms of countermeasures, the report calls for strengthening international cooperation, upgrading cybersecurity protection capabilities, improving information monitoring and governance mechanisms, and formulating and improving relevant laws and regulations, so as to effectively respond to the cyber-hegemonic behavior of the United States and its allies. Finally, the report emphasizes the importance of global collaboration on cybersecurity and calls on all countries to work together to build a secure, stable and trustworthy Internet environment, and to prevent and curb the threats of cyber espionage and disinformation.

Table of contents

1. Introduction

On April 15 and July 8, 2024, China's National Computer Virus Emergency Response Center (NCERT), the National Engineering Laboratory of Computer Virus Prevention and Control Technology (NECVPCT), and the 360 Digital Security Group (360DSG) released a report entitled "Thehurricane Vodka--Volt Typhoon II - Exposing U.S. Intelligence Agencies' Collusive Fraud Operations Against the U.S. Congress and Taxpayers" and "Volt Typhoon II - Uncovering U.S. Government Agencies'Operation False InformationThematic reports of the "Thematic Reports. These reports provide comprehensive revelations about the U.S. federal government, intelligence agencies, and "Five-Eyed Alliance"State Implementation for Internet Users in China, Germany, and Other Countries and Globallycyber-espionagewiretapping activities, and through "False Flag Operation"Covering up its own malicious cyberattacks and framing others.

The report was released despite the fact that some former and current U.S. intelligence officials,cyber securityThe enterprises and the media have tried to sophistry, but have failed to effectively refute the evidence published in the two previous reports. This further exposes their true nature as "thieves in disguise".

2. "Chameleons" in cyberspace

2.1 U.S. Cyber Arsenal

As the world's largest arms supplier, the United States has a huge military industrial system and a powerful military-industrial complex that constitute important cornerstones of its political, economic and military policies. The United States has a large-scale, diverse and complex cyberweapon arsenal in cyberspace. China's National Computer Virus Emergency Response Center (NCERT) has previously publicly disclosed a variety of cyberweapons developed by the U.S. National Security Agency (NSA) andCentral Intelligence Agency (CIA)developed cyberweapons, these are only the U.S. "hackerThe "tip of the iceberg" of the cyber arsenal of the "Empire".

2.2 "Marble" toolkitorganizing plan

U.S. intelligence agencies have developed a "stealth toolkit", Marble, to conceal cyberattacks, frame other countries, and mislead traceability analyses. The framework of the tool can be integrated with other cyberweapons programs by obfuscating identifiable features in program code, erasing the developer's "fingerprints" and inserting strings in multiple languages to confuse investigators and frame China, Russia, North Korea, Iran, and the Arab states.

Figure 1: Project Marble Source Code

Figure 2: Obfuscated functions

Figure 3: Obfuscation algorithm

Figure 4: File Handling Function Functions

Figure 5: Document Processing Function Functions (continued)

Figure 6: Insertion of "foreign language" in the document

"The framework of the Marble toolkit shows that United States intelligence agencies conduct indiscriminate and bottomless cyber-espionage across the globe and mislead investigators through "false-flag operations" to pin the blame for cyber-attacks on other countries.

3. "Snoopers" in cyberspace

3.1 Choke on the "throat" of the Internet

The United States controls the world's most important undersea fiber-optic cables, relying on its technological and geographic advantage in Internet infrastructure. The U.S. National Security Agency (NSA) has established seven national-level, full-volume listening stations, with the U.S. Federal Bureau of Investigation (FBI) and the U.K. Nationalcyber securityCenter (NCSC) to collaborate on indiscriminate listening to Internet users worldwide.

Figure 9: Undersea fiber-optic cable listening stations established and operated by the U.S. National Security Agency (NSA)

Figure 10: List of "clients" of National Security Agency (NSA) Intelligence

3.2 Controlling the "reservoir" of Internet data

Through the UpStream and Prism programs, NSA retains and categorizes the full volume of intercepted undersea fiber optic cable communications data. Particularly in the context of increased encrypted traffic, these programs have enabled NSA to obtain user data from major United States Internet companies, further expanding its eavesdropping capabilities.

Figure 11: Two key projects of the U.S. National Security Agency (NSA) to implement global Internet wiretapping

3.3 Infiltrating the "source" of Internet data

The NSA's Office of Specific Intrusion Operations (TAO) has conducted covert cyber intrusion operations around the world, planting more than 50,000 spyware programs, with primary targets in Asia, Eastern Europe, Africa, the Middle East and South America. Most of the control centers for these spy programs are located at military bases outside the United States, such as Japan, South Korea, Guam and Hawaii.

Figure 12: Diagram of the U.S. National Security Agency's (NSA) "Special Intrusion Operations Office" (TAO) global network intrusion operations

Figure 13: Diagram of the U.S. National Security Agency's (NSA) "Office of Special Operations" (TAO) intrusion into Chinese networks

Figure 14: Image of a backdoor implanted by a technician from the U.S. National Security Agency's (NSA) "Office of Special Operations" (TAO)

3.4 The "give and take" of Internet intelligence

Through the authorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA), the NSA has established a globalized network of Internet wiretaps that provide the U.S. government with a large amount of high-value intelligence. This intelligence covers a wide range of areas, including diplomatic, military, economic, scientific and technological, and gives the United States a head start in international affairs.

Figure 15: U.S. National Security Agency (NSA) wiretaps against former French President Nicolas Sarkozy

Table 1: Selected U.S. National Security Agency (NSA) Intelligence Surveillance Records Against French Officials of the Current Administration

dates	Type of intelligence	Intelligence content
2004	Ambassador of France to Washington, D.C.	The French ambassador in Washington plans to release a list of U.S. companies that have profited from the Oil-for-Food program.
2006	High-level communications from the Government of France	The then President of France, Jacques Chirac, and the Minister for Foreign Affairs discuss matters relating to United Nations appointments.
2008	High-level communications from the Government of France	The French Director General of Finance and Economic Policy is unhappy with President Sarkozy's attitude in the WTO negotiations.
2008	High-level communications from the Government of France	French President Nicolas Sarkozy has blamed the U.S. government for the world economic crisis, saying that France will take the lead in pursuing changes in the world's financial system.
March 24, 2010	High-level communications from the Government of France	France's ambassador to Washington discusses with the president's diplomatic adviser sensitive topics such as the U.S. withdrawal from a bilateral intelligence cooperation agreement.
June 10, 2011	High-level communications from the Government of France	French President Nicolas Sarkozy has made strong statements on Israel and Palestine.
August 2, 2011	High-level communications from the Government of France	Washington-based French and European Union officials have criticized U.S. trade policy, calling the TPP a confrontation against China.
May 22, 2012	High-level communications from the Government of France	Concerns within France about the eurozone crisis, particularly Greece's exit from the eurozone.
July 31, 2012	High-level communications from the Government of France	French finance minister and senators discuss France's economic woes and future outlook.
2012	U.S. spy order against France	Requests for economic espionage against France to collect information on sales and financing in areas such as telecommunications, energy, the environment, etc.
2012	U.S. economic espionage order against France	Instructed to collect information on the sale and financing of major projects in France related to telecommunications, power generation, natural gas, etc., and to intercept contracts and transactions valued at more than $200 million.
2012	Information on the agenda of the meeting of French government officials	French finance ministry drafts talking points for G7 and G20 meetings, including urging U.S. banking reform.

Figure 16: Secret Stations Established by U.S. Intelligence Agencies in Germany

Figure 17: U.S. National Security Agency (NSA) Wiretapping Records of German Government Leaders

Figure 18: U.S. National Security Agency Wiretap Records Against the German Ministry of Defense

Figure 19: U.S. National Security Agency (NSA) wiretapping records of Japanese leaders

Figure 20: Violations of Section 702 in publicly available documents of the United States Foreign Intelligence Surveillance Court

Figure 21: U.S. Intelligence Agency Training Materials on Section 702 Compliance Requirements

4. There is a devil in everything that goes wrong

After the release of the second "Typhoon Volt" investigation report, despite the silence of the United States official agencies and its mainstream media, some former and current United States government officials and cybersecurity companies challenged the investigation report through social media and independent news media, claiming that the report had "distorted" or "misused" the research results of the United States companies concerned. Some former and current U.S. government officials and cybersecurity companies have challenged the report through social media and independent news outlets, claiming that the report "misrepresents" or "misuses" the research results of relevant U.S. companies. These companies have attempted to disassociate themselves from the report, displaying a clearly defensive posture.

Microsoft's Director of Threat Intelligence Strategy, Mr. DeGrippo, stated at the Black Hat conference on 11 August 2024 that the Volt Typhoon organization was still active, but did not provide conclusive evidence of support from the Government of China. In addition, on May 7, 2024, Microsoft deployed an offline version of its Artificial Intelligence Big Model and Assistant program for U.S. intelligence agencies to aid in the analysis of top secret intelligence information. At the same time, the release of Microsoft's "Copilot + PC" and "Recall" features raised privacy concerns among users.

Cybersecurity companiesCrowdStrikeThe company also suffered a product update bug on July 19 that caused millions of computers with Windows operating systems around the world to "blue screen" and stop working, affecting critical infrastructure in several countries. However, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was unusually tolerant of the incident, with Director Jane Easterly describing the incident as a "preview" of the Typhoon Volt attack at the Black Hat conference, and providing relief to the companies involved. The company's defense of the attack was a "preview" of the Volt Typhoon attack.

5. Concluding remarks

Over the years, United States federal government agencies have continued to politicize the issue of tracing cyberattacks out of self-interest. Some U.S. cybersecurity companies, such as Microsoft and CrowdStrike, are keen to name hacker organizations with geopolitical names, such as "Typhoon", "Panda" and "Dragon", to show their so-called technical and cultural heritage, but actually ignore the basic quality of their products, in the absence of sufficient evidence. "Dragons" to demonstrate their so-called technical and cultural heritage, while in fact ignoring basic product quality issues and undermining the industry's ethos.

China has consistently opposed the politicization of the issue of tracing and attributing cyberattacks, and advocates resolving cybersecurity issues through technical investigations. United States federal government agencies may ultimately suffer the consequences of their own ambitions by fabricating false threats of cyberattacks to gain access to congressional budgets and promote the "Volt Typhoon" program. U.S. politicians such as Christopher Wray, who has been challenged for covering up the truth in a number of incidents, may ultimately face justice.

Against the backdrop of the current intensification of geopolitical conflicts, normal international exchanges are particularly important to the cybersecurity industry. We call for extensive international collaboration, and cybersecurity enterprises and research organizations should focus on research on cybersecurity threat countermeasure technologies, improve the quality of their products and services, and ensure that the Internet plays a stabilizing role in promoting the common development of human society.

appendice

Appendix A: Explanation of relevant terms

APT(Advanced Persistent Threats): Organized and targeted cyberattacks aimed at long-term infiltration and sustained access to information.
False Flag operations (FFI):: Refers to an action to frame another country or party by creating a false attack.
Supply Chain Attacks: By attacking links in the supply chain and implanting backdoors or malware, control of the target system and information theft can be realized.
The "4D" principle: Deny, Disturb, Smear, Deceive, the main tactics used to carry out influence operations.

Appendix B: References

China National Computer Virus Emergency Response Center. The National Computer Virus Emergency Response Center of China.Volt Typhoon - A Collusive Fraud Operation by U.S. Intelligence Agencies Against the U.S. Congress and Taxpayers".
China National Computer Virus Emergency Response Center. The National Computer Virus Emergency Response Center of China.Volt Typhoon II - Exposing U.S. Government Agencies' Disinformation Operations Against the U.S. Congress and Taxpayers".
Li, M.. Cybersecurity and Intelligence Analysis . 2023 Publication .
Zhang Hua. Information Warfare and Social Stability . Published 2022 .
Spiegel. German Intelligence Working with NSA Report.
The Guardian. Crypto AG reports with CIA, BND.
U.S. Foreign Intelligence Surveillance Court Public Documents .................... link (on a website).
The Hill. FBI Misuse of Listening Tools Reported.
New York Post. FBI Director Christopher Wray Lies About Reporting.
New York Post. FBI Director Christopher Wray False Memo Reported.
NBC News. Christopher Wray's perjured report on the Trump shooting.
Bloomberg. Microsoft Deploys AI Models for U.S. Intelligence Agencies By.
Australian Expert . The Geopolitics of Cyber Espionage . link (on a website).

Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/usa-government-cyber-espionage-and-disinformation-operations.html