Reports indicate that Chinese officials privately admitted to the string of cyber attacks by Volt Typhoon aimed primarily at US infrastructure, though there has been no public admission.
The Chinese government usually responds to any linking of cyber attacks to its state-sponsored APT groups with a fierce denial and deflection. An inside source speaking to the Wall Street Journal says that the Chinese delegation's tone in a December meeting was much more forthright, to the point that it “startled” the US officials in attendance.
Inside source says China admitted to Volt Typhoon campaign at Geneva meeting
The secret meeting took place in Geneva in December 2024. The source says that the remarks were “indirect” and “somewhat ambiguous,” but were enough to implicate Volt Typhoon and the Chinese government in the cyber attacks that have plagued US critical infrastructure for years now. The impression taken from the comments was also that the attack campaign was an intentional bid to dissuade the US from getting too deeply involved if a military conflict breaks out between China and Taiwan.
The campaign of cyber attacks was first publicly documented in 2023, though the activity is believed to go back further, and has involved major breaches of the country’s three leading phone service providers as well as electric utilities, IT companies, internet service providers and government agencies. Volt Typhoon and Salt Typhoon are the two major Chinese APT groups implicated in these attacks, with attribution often following shortly after each breach was discovered and reported.
The Geneva meeting focused on the Volt Typhoon campaign as that was seen as a particularly egregious invasion. Salt Typhoon’s headline item was the hacking of the mobile phone carriers, which involved theft of messages from government officials and other possible eavesdropping.
While the US government is certainly not happy about that development, it is more in line with the general cyber espionage that all countries engage in regularly. The Volt Typhoon cyber attacks were seen as more of an escalation than usual, as the group focused on burrowing into the energy grid and other critical infrastructure, learning how it works, and positioning itself to potentially shut off the lights or the water should a war break out over Taiwan.
The US delegation at the Geneva meeting was reportedly led by Nate Fick, ambassador-at-large for cyberspace and digital policy during the outgoing period of the Biden administration. The admission of the cyber attacks reportedly came from Wang Lei, one of the top cyber officials for China’s ministry of foreign affairs. The source says that the Trump transition team was briefed on the meeting as the new president prepared to take office. Thus far neither government has publicly commented on the WSJ report.
Cyber attacks meant to send message about Taiwan involvement
The future development of the China-Taiwan situation remains highly volatile and unpredictable. In recent months the Chinese government has ratcheted up tensions by conducting numerous military drills around the island, some of which simulate its invasion plans. Much of the recent escalation that the Volt Typhoon campaign is part of traces back to a diplomatic visit by then-US Speaker Nancy Pelosi to Taiwan in 2022, followed by statements from President Biden that the US would defend Taiwan militarily in the event of an invasion.
The Trump administration may escalate the situation even further. In mid-February it ceased to include the standard “We do not support Taiwan independence” statement in its regular updates on the country, adding that it now seeks to maintain the status quo peacefully but opposes any unilateral changes to the arrangement by either side. That was prior to what has become a trade war between China and the US, with each now maintaining tariffs of over 100% on the other. Trump has not been entirely friendly to Taiwan, however, also placing 32% tariffs on it (temporarily lowered to 10% for 90 days as negotiations take place) and pressuring its semiconductor manufacturing industry to move operations to the US.
All of this adds up to an expectation that campaigns of cyber attacks in the manner of Volt Typhoon will continue, if not get worse. Evan Dornbush, a former NSA cybersecurity expert, advises maintaining any related defensive measures that have been put in place: “Last week it was announced in US press that Chinese representatives admitted connection to the ‘Typhoon’ attacks that have broken into US infrastructure to include home routers and water filtration centers. This week China is alleging the US conducts cyberwarfare. The fact that both parties are publicly speaking about offensive cyber operations shouldn’t fundamentally change anything for the defensive community. Assume you are being targeted for exploitation and invest appropriately in risk mitigation strategies to include high quality monitoring and response capabilities.”
Volt Typhoon has been active since at least 2021 and specializes in long-term “living off the land” espionage operations, relying on built-in administrative tools rather than custom tooling. Though it is an advanced group, it tends to hunt for relatively easy entry points such as exposed credentials and unpatched software vulnerabilities. Malware use is relatively rare, because the group prioritizes stealth and keeping its foothold in target systems for potentially years at a time. It also routes its traffic through compromised home internet routers and security cameras, which are often poorly protected, so that its activity blends in with ordinary residential traffic. Prior to the string of cyber attacks on US critical infrastructure it was known mostly for attacking government entities, but it has also been linked to a major breach of Singapore telecoms giant Singtel that took place in June 2024.
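Because living-off-the-land tradecraft leaves no malware to signature, detection has to key on how legitimate administrative tools are used. The script below is an added example, not code from the article or from any of the organizations it mentions: it parses constructed process-creation log lines and flags command lines that match a small set of living-off-the-land patterns (credential-store export, port-proxy pivoting, shadow-copy creation, remote WMI execution). The log format, the host and user names, and the specific indicator patterns are assumptions for illustration, drawn from public descriptions of this style of tradecraft rather than from anything stated on this page; a real deployment would source rules from current vendor and government advisories and tune them to the environment.

```python
"""Flag living-off-the-land (LOTL) activity in process-creation logs.

Added example. The log format and indicator patterns below are
assumptions for illustration, not the article's content.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed log format (one event per line):
#   <timestamp> host=<host> user=<user> proc=<image> cmd="<command line>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'proc=(?P<proc>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# (rule name, pattern over the command line, severity).
# These are generic LOTL indicators assumed for the example.
LOTL_RULES = [
    # Exporting the AD database with the built-in ntdsutil tool.
    ("ntds_dump", re.compile(r"ntdsutil\b.*\bac\s+i\s+ntds\b.*\bifm\b", re.I), "critical"),
    # Saving credential hives with reg.exe.
    ("sam_hive_export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I), "critical"),
    # Turning a host into a TCP relay with netsh portproxy.
    ("portproxy_pivot", re.compile(r"netsh\b.*\binterface\s+portproxy\s+add", re.I), "high"),
    # Creating a volume shadow copy, a common prelude to hive theft.
    ("shadow_copy_create", re.compile(r"(vssadmin\b.*\bcreate\s+shadow|wmic\b.*\bshadowcopy\s+call\s+create)", re.I), "high"),
    # Remote process creation over WMI.
    ("wmic_remote_exec", re.compile(r"wmic\b.*/node:\S+.*\bprocess\s+call\s+create", re.I), "medium"),
]


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    severity: str
    cmd: str


def parse_event(line: str):
    """Return the event fields as a dict, or None if the line does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Run every rule over every event.

    Returns (findings, chained_hosts): the individual matches, plus the set
    of hosts on which two or more distinct rules fired, since a single
    admin command can be benign while a sequence of them rarely is.
    """
    findings = []
    rules_per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable line; a real pipeline would count these
        for name, pattern, severity in LOTL_RULES:
            if pattern.search(ev["cmd"]):
                findings.append(Finding(ev["ts"], ev["host"], ev["user"], name, severity, ev["cmd"]))
                rules_per_host[ev["host"]].add(name)
    chained_hosts = {h for h, names in rules_per_host.items() if len(names) >= 2}
    return findings, chained_hosts


# Constructed sample log: two hosts, three suspicious events, two benign ones.
SAMPLE_LOG = [
    r'2024-12-01T03:14:22Z host=dc01 user=CORP\svc_backup proc=ntdsutil.exe cmd="ntdsutil ac i ntds ifm create full C:\Windows\Temp\ad q q"',
    r'2024-12-01T03:15:01Z host=dc01 user=CORP\svc_backup proc=reg.exe cmd="reg save hklm\sam C:\Windows\Temp\sam.hiv"',
    r'2024-12-01T03:20:45Z host=ws05 user=CORP\jdoe proc=netsh.exe cmd="netsh interface portproxy add v4tov4 listenport=9999 connectport=8443 connectaddress=10.0.0.5"',
    r'2024-12-01T09:00:10Z host=ws05 user=CORP\jdoe proc=netsh.exe cmd="netsh interface show interface"',
    r'2024-12-01T09:05:00Z host=fs02 user=CORP\admin proc=wmic.exe cmd="wmic os get caption"',
]

if __name__ == "__main__":
    results, chains = analyze(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.ts} {f.host} {f.user} {f.rule}: {f.cmd}")
    print("hosts with multiple LOTL indicators:", sorted(chains))
```

The per-host correlation is the part worth keeping: each of these commands has a legitimate administrative use, so a single hit is a triage item, while a credential-hive export and a port-proxy on the same machine within a short window is the kind of pattern that should page someone.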