Speaking on condition of anonymity, an inside source has told the Wall Street Journal that a Chinese official admitted to culpability for the Volt Typhoon cyber attacks in a private meeting with US officials in Geneva late last year.
The Volt Typhoon campaign of cyber attacks has taken place since at least 2023 and involved breaches of assorted critical infrastructure in the US, with the apparent purpose of maintaining a presence to be used for disruption of service in the event of a war scenario in Taiwan. In public, China generally denies any linkage of its APT groups to such incidents. But the source says that US officials were taken aback by the unusually candid talk about the country’s hacking, taking it as a direct warning not to get involved militarily with Taiwan.
Chinese cyber attacks appear to be a direct warning
Speculation about a real shooting war over the destiny of Taiwan is not a new topic, but it began to seem very real in 2022 when the Biden administration made several moves that prompted China to escalate its responses. It remains unclear what will ultimately happen, but the Trump administration has taken an even harder line with China since it came into office.
China has long been thought to have directed Volt Typhoon to infiltrate the US utility grids for this purpose, but the country almost always responds to any public linkage of its APT groups to cyber attacks with a fierce denial. This is the first reported admission of any kind regarding its recent campaigns, indirect as it is.
Volt Typhoon is thought to have been in operation since at least 2021, but it really ramped up its campaigns and cyber attacks against US critical infrastructure targets in 2023. The group is sophisticated, but it largely relies on security hygiene oversights such as compromised accounts and published vulnerabilities to breach its targets (with a strong focus on known router vulnerabilities). It keeps its use of malware to a minimum in order to maintain a stealthy presence, settling into target systems for very long periods to exfiltrate intelligence.
Volt Typhoon link reportedly confirmed at secret meeting
China made the seeming admission at a secret meeting held in Geneva in December of last year. The WSJ source said that the admission of cyber attacks was not entirely direct, but rather “somewhat ambiguous” in nature, yet still enough to “startle” the US officials in attendance.
World governments have a certain level of permissiveness about espionage campaigns, since for the most part they all do it to each other. Though it grabbed headlines for penetrating essentially all of the major US mobile carriers, the Salt Typhoon cyber attacks during this period are an example of “business as usual” in this area, with only high-level government officials and executives seemingly targeted. The Volt Typhoon campaign, however, represents a significant escalation from this usual spying into a potential real-world attack, and appears to have been the central subject of the Geneva meeting.
The Trump administration has reportedly been briefed on the meeting and this admission. Neither government has issued a comment on the WSJ report. It remains to be seen what impact this may have on the ongoing relationship, but for critical infrastructure firms and other potential targets it changes nothing going forward: assume that advanced nation-state hackers will continue looking for openings.