
VOLT TYPHOON, the suspected China-affiliated offensive cyber activity, has garnered substantial press regarding its aggressive intrusion activities into U.S. critical infrastructure.  First identified by Microsoft in May 2023, VOLT TYPHOON has reputedly compromised network equipment as part of its expansive effort eliciting concerns that such access could be used to execute disruptive and destructive attacks should the intent of the attackers shift from exploitation to attack.  Similar activities with the China-nexus dubbed FLAX TYPHOON (also discovered by Microsoft) and SALT TYPHOON have also been disclosed, potentially painting the picture of a brazen Beijing looking to expand its reach and position itself in an advantageous situation should relations between China and the United States deteriorate.  Recently, U.S. officials have pressed to understand SALT TYPHOON compromises of major U.S. broadband providers.

The United States, as well as many of its Western allies and friends, has continually cited Chinese cyber malfeasance, trying to tie Beijing to egregious sensitive data and intellectual property theft, charges Beijing has vehemently and repeatedly denied.  Most of those objections call out the general lack of evidence directly tying Chinese government assets to the activity, suggesting political motivations to smear China’s global image and curtail China’s economic rise, as well as a desire for the United States to maintain its cyber hegemony.  In this day and age, it is extremely unlikely that major nation states are not involved in cyber spying to some degree, and when it comes to putting their own states first, governments will engage in whatever activity they deem necessary to protect their interests and fulfill their objectives.  And with Beijing and Washington resolutely steadfast in their respective positions on which side is the worst purveyor of cyber malfeasance, the truth likely lies somewhere in the middle.

No longer content with relying on its denials to combat the accusations, Beijing has leveraged its extensive media apparatus to take its case to the international audience and combat the negative press.  Since approximately 2020, Beijing has been on the offensive, borrowing a page from the U.S. playbook and calling out alleged U.S. cyber attacks and espionage, using a combination of government agency and Chinese cybersecurity company reports to provide similar technical analysis in support of its claims.  Unsurprisingly, critics of these reports quickly suggest that they lack concrete evidence and depend on broad unsubstantiated assertions that ultimately fall short of any robust analytic rigor.  While there may be some merit to these criticisms, the fact remains that after having long maintained its position of not accusing the United States of similar wrongdoings, Beijing has shed its reticence in favor of a more aggressive, direct media confrontation.

The last three reports produced by China not only focused on shifting the U.S. narrative of Beijing’s guilt in VOLT TYPHOON, but challenged it, suggesting that the United States was looking to engage in false flag operations to put China in a poor light.  The first two reports, “VOLT TYPHOON: A Conspiratorial Swindling Campaign targeting U.S. Congress and Taxpayers conducted by U.S. Intelligence Community” and “VOLT TYPHOON II: A Secret Disinformation Campaign Targeting U.S. Congress and Taxpayers,” laid the foundation of its argument.  Like an attorney building a case, around the time U.S. government officials were placing emphasized focus on the Chinese cyber threat, these reports first sought to present an alternative theory of attribution for VOLT TYPHOON activity, incrementally building toward directly implicating the United States in its latest opus, “Volt Typhoon III: A Cyber Espionage and Disinformation Campaign Conducted by U.S. Government Agencies.”

Perhaps learning from earlier criticisms of its reporting, this latest product bolsters its claims by relying on the alleged classified reporting exposed by Snowden and Wikileaks to provide incriminating circumstantial evidence that the United States, and not China, is behind VOLT TYPHOON.  The report links the tools and activities revealed in those documents to the types of activities that have been published about VOLT TYPHOON.  Taken collectively, the alleged classified leaks reveal an expansive and sophisticated U.S. cyber spying apparatus that includes the deployment of thousands of implants worldwide to facilitate computer network exploitation; the tapping of key submarine cables; the execution of supply chain operations for pre-positioning purposes; and the orchestration of false flag operations to deceive its intended audience (using a tool that could simulate multiple language characteristics, including Chinese, Russian, Persian, and Arabic, the languages of the United States’ foremost adversaries).

What’s more, the Chinese report frames the VOLT TYPHOON activity around three stages, as summed up by one Chinese online periodical.  The preparation stage (January 2023-May 2023) occurred when U.S. officials advocated the FISA extension; the implementation stage (June 2023-January 2024) began when U.S. officials used the fear of VOLT TYPHOON to continue to suppress Chinese tech interests; and finally, the consolidation stage (February 2024-April 2024) started when U.S. government agencies used disinformation to influence lawmakers to continue to curb China’s interests.  Over this period, U.S. government and intelligence officials have provided numerous briefings about the Chinese cyber threat as they meet to discuss supply chain threats, protecting critical infrastructure security, and even the drafting of legislative bills such as the CHIPS and Science Act and the Strengthening Cyber Resilience Against State-Sponsored Threats Act to support increased cyber vigilance.

So, like a savvy defense attorney, Beijing has one primary focus: to raise reasonable doubt in the minds of the global public by showing that the United States engages in what it accuses others of doing, painting it as the primary world actor intent on exploiting the Internet to its own advantage and stealing the data not only of the global community, but of its own citizens as well.

While this hardly constitutes definitive proof of any guilt, the argument being made is nevertheless interesting from an alternative hypothesis perspective, especially given that history has shown that governments, including that of the United States, can be involved in questionable activities, even if there was good intent behind them.

What’s abundantly clear is that Beijing is unwilling to let any accusation against it go unchecked, in order to prove itself a peer to the United States and a competing leader on the world stage. Over the past several months, the United States has aggressively put public pressure on China, highlighting threats of critical infrastructure incursions and drafting a report stating that the United States is not prepared for cyber conflict with China, with a series of recommendations that will no doubt require additional investment of funds to counter threats like VOLT TYPHOON.  While this may be valid, it does echo Beijing’s suspicion that China is being used as a reason to amp up U.S. cyber resiliency.  And though these recommendations can be considered “cyber defense” in theory, when pre-emptive attacks are reframed as “active defense,” it is understandable why some may be skeptical of the true intent behind their implementation.

Since its release, China’s VOLT TYPHOON III report has gained much traction in the news, and as of this writing neither the U.S. government nor companies like Microsoft mentioned in it have responded to these accusations.  This is not to say that Beijing has flipped the tables on the United States, only that it has no qualms about meeting accusation with accusation and using the exposed information to support its claims.  It makes a compelling hypothetical, though one based on several pieces of circumstantial evidence.  But the same can be said for any public cybersecurity report that tries to attribute activity to a foreign government.  Only many of those reports lack the type of documentation that, if legitimate, directly ties government agencies to such operations in such a detailed manner.

After using a stick for much of its report, Beijing ends with a carrot, stressing that international cooperation is a necessity to normalize relations when discussing global cybersecurity issues.  It even advocates collaboration between cybersecurity companies and research institutions as a means of developing the technologies that make better products and services for people, a stark contrast to governments working with tech companies for their own benefit, as suggested in the report, as well as a clear knock against the recent CrowdStrike and Microsoft fiasco.  It remains to be seen if the VOLT TYPHOON III report will make a big impact.  But it doesn’t have to.  It just has to keep governments doubting, and the longer they waver on the threat posed by China in cyberspace, the more time Beijing has to build its influence and try to show itself to be a preferred international partner.

Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.