Factbox: What is Volt Typhoon, the alleged Chinese-backed hacking group?

May 25 (Reuters) – Its name is reminiscent of an exotic electrical storm. But is the newly christened “Volt Typhoon” hacking group an imminent danger to American infrastructure, or just a new crop of digital spies playing an old game?

Here is what is known about the group and its potential threat:


Almost every country in the world uses hackers to collect information. Great powers like the United States and Russia have large stables of such groups – many of which have been given quaint nicknames by cybersecurity experts, such as “Equation Group” or “Fancy Bear”.

Experts worry when these groups turn their attention from intelligence gathering to digital sabotage. So when Microsoft Corp (MSFT.O) said in a blog post on Wednesday that Volt Typhoon was “pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and Asia during future crises”, it immediately brought to mind rising tensions between China and the United States over Taiwan. Any conflict between these two countries would almost certainly involve cyberattacks across the Pacific.


Does this mean that a group of destructive hackers is preparing to sabotage US infrastructure in the event of a conflict in Taiwan?

Microsoft described its assessment as “moderate confidence,” intelligence jargon that typically means a theory is plausible and credibly sourced but has yet to be fully corroborated. Different researchers have identified various aspects of the group. Not everyone has seen evidence of preparation for sabotage.

So far, Volt Typhoon appears to be focused on stealing information from “organizations that hold data related to the United States military or government,” said Marc Burnard of Secureworks – an arm of Dell Technologies (DELL.N). While Burnard said Volt Typhoon – which Secureworks calls “Bronze Silhouette” – may well be positioning itself for disruption, he said what he has seen of the hackers suggests it is being used “primarily for espionage purposes”.


American technology company Cisco Systems Inc (CSCO.O) said it had seen disturbing evidence that Volt Typhoon was preparing for something dangerous.

Like Microsoft and Secureworks, Cisco experts declined to say exactly where they found the group. Cisco’s director of threat intelligence, Matt Olney, said the company was called in to deal directly with a case at a critical infrastructure facility, where preparation for sabotage appeared to be the best explanation.

The hackers were looking for documentation that showed how the installation worked, Olney said, and they didn’t appear to be after money. He did not provide details, but said “it’s the kind of critical infrastructure that would definitely be the target of a conflict.”

“We definitely had alarm bells going off,” he said.


Almost all cyber spies work to cover their tracks. Microsoft and other researchers said that Volt Typhoon was a particularly silent operator that concealed its traffic by routing it through hacked network equipment – such as home routers – and carefully eliminating evidence of intrusions from victims’ records.

China routinely denies hacking and did so again in the Volt Typhoon case. But documentation of Beijing’s cyber-espionage campaigns has been building for more than two decades. Spying has come into focus over the past 10 years, as Western researchers have linked breaches to specific People’s Liberation Army units, and US police have accused a string of Chinese officials of stealing US secrets.

Secureworks said in a blog post that Volt Typhoon’s interest in operational security likely stemmed from embarrassment over the US accusations and “increased pressure from the (Chinese) leadership to avoid public scrutiny of its cyberespionage activity.”

Reporting by James Pearson and Raphael Satter; Editing by Bill Berkrot
