On April 15 and July 8 of this year, China’s National Computer Virus Emergency Response Center (CVERC) and other bodies released two reports exposing the real intent behind the U.S. disinformation campaign that uses the so-called “Volt Typhoon” narrative to smear China. Today (the 14th), China’s cybersecurity institutions published a third report. It goes further, documenting operations by U.S. government agencies and the “Five Eyes” alliance to spy on China, Germany and other countries, as well as on internet users worldwide. The report presents evidence that the U.S. government has used several methods to frame other countries for its own activity and has carried out supply-chain attacks by implanting backdoors in network equipment, dismantling the narrative behind this political farce staged by the U.S. federal government.
According to the report, the U.S. has for years pursued a “Defend Forward” strategy in cyberspace, with operations such as “Hunt Forward” missions: deploying cyber units close to adversary countries to reconnoitre and infiltrate targets on their networks. To support this strategy, U.S. intelligence agencies built a covert toolkit, codenamed “Marble,” for disguising their malicious cyber activity and shifting the blame onto other countries.
Du Zhenhua, a senior engineer at the National Computer Virus Emergency Response Center, explained, “Its primary function is to obfuscate, or even erase, identifiable features in the code of cyber weapons such as spyware and malware. It effectively wipes away the developer’s fingerprints, making it extremely difficult to trace where these weapons came from.”
The investigating technical team found that the source code and comments of the “Marble” toolkit show it was part of a classified weapons-development program begun no later than 2015. The toolkit reportedly contains more than 100 obfuscation algorithms, which replace readable variable names and strings in source code with meaningless content and also insert specially crafted disrupting strings.
Du elaborated, “The obfuscation data includes text in languages such as Arabic, Chinese, Russian, Korean, and Persian. After this data is prepared in a buffer, it can be written to designated locations or into the relevant program files, deliberately leaving such traces in the cyber weapon.”
Li Baisong, Deputy Director of the Technology Committee at AnTian Technology Group, noted, “This is a fairly common tactic in cyberattacks: one organization disguises itself as another. The masquerade can take place at several stages, such as when setting up command-and-control servers or when developing the trojan, which complicates tracing the attack back to its source.”
Through such framing and fabrication, U.S. cyber units and intelligence-agency hackers can switch identities at will, impersonating other countries to conduct cyberattacks and espionage around the world and then blaming those actions on the countries they impersonate.
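The two Marble behaviours described above (stripping readable strings and identifiers from a source file, then planting text in a chosen language) are easy to model, and the model shows why script or language artefacts are a weak attribution signal. The following Python is an added example written for this page; it is not code from the report, from Marble, or from any organisation mentioned here. The sample “implant” source, the decoy words, the decoder name `_d`, the XOR key and the `naive_attribution` heuristic are all constructed for illustration.

```python
"""Model of string/identifier stripping plus a planted-language decoy, with the
analyst-side check that such decoys fool. Added example: every name, string and
key below is constructed for illustration, not taken from any real tool."""
import builtins
import io
import keyword
import random
import tokenize
import unicodedata
from collections import Counter

KEY = 0x5A  # constructed one-byte XOR key for the string encoding

# Constructed stand-in for an implant's source file: readable names and
# strings of the kind that would fingerprint its developer.
SAMPLE_SOURCE = (
    'def send_beacon(host, port):\n'
    '    msg = "beacon from implant v2"\n'
    '    log("connecting to controller")\n'
    '    return transmit(host, port, msg)\n'
)

# Constructed decoy words in the scripts the report lists; ordinary vocabulary.
DECOYS = {
    "arabic": "تحميل",
    "chinese": "网络连接",
    "russian": "подключение",
    "korean": "연결",
    "persian": "اتصال",
}

# Names that must survive renaming: Python builtins and the decoder itself.
_PROTECTED = set(dir(builtins)) | {"_d"}


def xor_hex(text: str) -> str:
    """Encode text as hex of its UTF-8 bytes XORed with KEY."""
    return bytes(b ^ KEY for b in text.encode()).hex()


def _d(blob: str) -> str:
    """Runtime decoder the transformed program calls in place of each literal."""
    return bytes(b ^ KEY for b in bytes.fromhex(blob)).decode()


def strip_fingerprints(source: str, seed: int) -> str:
    """Apply the two transformations the report attributes to Marble:
    every string literal becomes _d("<hex>") and every developer-chosen
    identifier becomes a random name, so neither survives into the build."""
    rng = random.Random(seed)
    renames = {}
    out = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.STRING:
            literal = tok.string.strip("\"'")  # sample uses plain literals only
            out += [(tokenize.NAME, "_d"), (tokenize.OP, "("),
                    (tokenize.STRING, f'"{xor_hex(literal)}"'), (tokenize.OP, ")")]
        elif (tok.type == tokenize.NAME and not keyword.iskeyword(tok.string)
              and tok.string not in _PROTECTED):
            if tok.string not in renames:
                renames[tok.string] = "v" + "".join(rng.choices("0123456789abcdef", k=8))
            out.append((tokenize.NAME, renames[tok.string]))
        else:
            out.append((tok.type, tok.string))
    return tokenize.untokenize(out)


def plant_decoy(obfuscated: str, language: str) -> str:
    """The false-flag step: write a readable string in the chosen language into
    the program file and deliberately leave it unencoded."""
    return obfuscated + f'\n_tag = "{DECOYS[language]}"\n'


def script_profile(text: str) -> Counter:
    """Analyst check: count letters per Unicode script, taken from the first
    word of each character's Unicode name (LATIN, CYRILLIC, CJK, ...)."""
    counts = Counter()
    for ch in text:
        if ch.isalpha():
            counts[unicodedata.name(ch, "UNKNOWN").split()[0]] += 1
    return counts


def naive_attribution(text: str) -> str:
    """The weak heuristic a planted string targets: blame whichever non-Latin
    script dominates. Returns 'unknown' when only Latin letters are present."""
    profile = script_profile(text)
    profile.pop("LATIN", None)
    return profile.most_common(1)[0][0].lower() if profile else "unknown"


if __name__ == "__main__":
    stripped = strip_fingerprints(SAMPLE_SOURCE, seed=7)
    flagged = plant_decoy(stripped, "russian")
    print(flagged)
    print("attribution before:", naive_attribution(SAMPLE_SOURCE))
    print("attribution after: ", naive_attribution(flagged))
    # The transformed file still runs once the decoder is supplied.
    exec(compile(flagged, "<flagged>", "exec"), {"_d": _d})
```

Running it prints the transformed file (no original name or string survives, yet it still compiles and runs with `_d` supplied) and shows `naive_attribution` moving from “unknown” to the planted script. Note that the Persian decoy is reported as Arabic: the check counts Unicode scripts, not languages, which is one more reason a single planted string should never decide attribution.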
The technical team concludes that the “Volt Typhoon” operation is a textbook, carefully crafted disinformation campaign that serves the interests of U.S. capital groups, and that it matches the techniques used by the intelligence agencies of the U.S. and the other “Five Eyes” countries.
The report states that the U.S. government invented a fictional “Volt Typhoon” hacking group linked to China in order to preserve the “unfettered” surveillance authority granted by Section 702 of the Foreign Intelligence Surveillance Act (FISA) and thereby keep its vast “no-limits” surveillance program running. Section 702 lets the U.S. government monitor internet users worldwide indiscriminately, including by pulling user data directly from the servers of major U.S. internet companies, making the U.S. a true “snoop” in cyberspace.
The investigation found that top-secret internal U.S. National Security Agency (NSA) documents show the U.S. strategically controls key internet chokepoints, such as the major transatlantic and transpacific submarine cables. It has set up seven national full-traffic monitoring stations that analyze and extract data in collaboration with the UK’s National Cyber Security Centre, achieving indiscriminate surveillance of internet users worldwide.
Du elaborated, “By extracting, aggregating, reconstructing, decoding and decrypting the digital signals from these submarine cables, these operations can recover voice, text and video, and even usernames and passwords. The beneficiaries of this intelligence are mainly two: the U.S. itself, particularly its military intelligence agencies, and some of its intelligence partners, above all the ‘Five Eyes’ countries.”
The report says the NSA runs two main programs, UPSTREAM and PRISM, to turn the stolen data into readable, searchable intelligence.
Du continued, “The UPSTREAM program extracts raw data from submarine cables to form a vast data reservoir for deep analysis. The PRISM program, built on top of UPSTREAM, categorizes and deeply analyzes that data pool. The two complement each other and are crucial components of U.S. cyber surveillance.”
Cybersecurity experts add that the U.S. government also obtains user data directly from the servers of leading American internet companies, including Microsoft, Yahoo, Google, Facebook and Apple, to get around encrypted traffic and communication paths that cable taps do not cover.
These programs run under the authorization of Section 702 of FISA, which gives U.S. intelligence agencies the official cover to siphon data from global internet links legally and continuously, and which the report calls solid evidence of a U.S. “spying empire.”
The report says that, to meet intelligence requirements, the NSA’s Office of Tailored Access Operations (TAO) carries out covert network intrusions against what it regards as “blind spots” in its monitoring coverage. The evidence indicates more than 50,000 spyware implants deployed in targeted regions, mainly Asia, Eastern Europe, Africa, the Middle East and South America.
The investigation found that most major Chinese cities fall within the scope of these secret operations, with numerous internet assets compromised, including institutions such as Northwestern Polytechnical University and the Wuhan Earthquake Monitoring Center.
Li pointed out, “The U.S. has several ways of controlling its spyware. The more obvious one is remote control over the network. They also use a device codenamed ‘Water Viper,’ which looks like a USB connector and masquerades as a keyboard, mouse or similar interface; it can get into physically isolated networks, transmit stolen data out, and even allow remote control.”
Experts noted that for high-value targets that are hard to breach, the NSA’s Tailored Access Operations unit turns to supply-chain attacks: U.S.-made network devices are intercepted in transit, disassembled, fitted with backdoors, repackaged and shipped on to the target.
Li cautioned, “Once these tampered devices are put into service, they become the attacker’s entry point: the vulnerabilities and backdoors let intruders into the internal network undetected.”
Du emphasized, “This tactic is aimed mainly at highly secured targets. Because it is so stealthy, it makes long-term covert spying possible. The potential consequences are severe: significant risks of data leakage and other security harms, up to and including network paralysis.”
The report says that under Section 702 U.S. intelligence agencies have built a vast global internet-monitoring network that yields valuable intelligence and gives the U.S. government advantages in diplomacy, military affairs, the economy and technology. Section 702 and the monitoring systems built on it effectively serve as the “secret weapon” for maintaining U.S. hegemony.
Given its overwhelming technological advantage, the report says, the U.S. can put any target on its “priority monitoring list,” including allies such as France, Germany and Japan, and even ordinary American citizens.
Du remarked, “This indiscriminate, limitless surveillance stems fundamentally from the U.S. Foreign Intelligence Surveillance Act, and Section 702 in particular. It is often called the ‘warrantless surveillance act’: it grants enormous power with minimal constraints, enabling the U.S. to carry out unchecked cyber surveillance.”
Experts also point out that the staggering budget needed to keep such an extensive surveillance program running drives U.S. government and intelligence agencies to conspire in promoting narratives like “Volt Typhoon.”
Du noted, “The volume of data generated every day is astounding; it demands an immense investment of resources, and substantial funding is essential. The ‘Volt Typhoon’ narrative is essentially a ruse to extract more funding from Congress for these competing projects. That is one of its main purposes; at the same time, it serves to protect the ‘warrantless surveillance’ powers under Section 702 and to discredit China.”
The report stresses that for years U.S. government institutions have politicized the attribution of cyberattacks for their own ends, and that companies such as Microsoft, eager to align with U.S. politicians, government bodies and intelligence agencies, have fed intelligence into the “China cyber threat” narrative to advance their commercial interests.
China has consistently opposed political manipulation of technical investigations into cybersecurity incidents and the politicization of cyberattack attribution. The report calls for broader international cooperation on cybersecurity and urges major cybersecurity companies and research institutions to concentrate on countering cyber threats and delivering better products and services to users.