U.S. intelligence agencies have carried out cyber espionage activities around the world and launched "false flag" operations to mislead investigators and researchers and frame "adversary countries," according to a report released by Chinese cybersecurity agencies on Monday.
The report is the third of its kind released by the National Computer Virus Emergency Response Center and the National Engineering Laboratory for Computer Virus Prevention Technology, and contains new revelations about cyber espionage operations targeting China, Germany and other countries, that were launched by the U.S. government, intelligence agencies and Five Eyes nations.
It reveals how the United States has been actively pursuing a "Defensive Forward" strategy in cyberspace, employing "Hunt Forward" tactics, which involves deploying cyber warfare units near adversaries' territories to conduct close-in reconnaissance and network infiltration. To facilitate these operations, U.S. intelligence agencies developed a covert toolkit codenamed "Marble" designed to mask their malicious cyber activities and shift blame to other nations, according to the report.
"Marble's primary function is to obfuscate or even erase identifiable characteristics within the code of cyber weapons like spyware or malware. This effectively removes the developer's fingerprints, akin to altering the rifling of a firearm, making it extremely difficult to trace the weapon's origin technically," said Du Zhenhua, senior engineer at China's National Computer Virus Emergency Response Center.
Analysis of Marble's source code and annotations by technical teams reveals it to be a classified weapons development program, originating no later than 2015, and deemed too sensitive to share with foreign entities. The framework employs over 100 obfuscation algorithms, replacing readable variables and strings with unidentifiable content and inserting distracting characters, Du explained.
"As you can see, this includes Arabic, Chinese, Russian, Korean, and Persian. After obfuscating the data in the buffer, it writes the buffer's contents to a specified location or into a program file. This allows for the deliberate insertion of traces of this network weapon," he said.
Other experts noted the complexity of these attacks which seek to cloud evidence of where they originate.
"This is actually a fairly common tactic in cyber attacks. It's like organization 'A' is disguising itself as organization 'B', and this kind of deception can occur in many different aspects. For instance, it can be used during the setup of command and control servers or in the development of espionage trojans. This makes tracing the attack back to its source very challenging," said Li Baisong, Deputy Director of the Technical Committee at Antiy Labs, a Chinese anti-virus research firm.
The report said these deceptive tactics allow U.S. cyber warfare units and intelligence agencies to operate under false identities, conducting cyberattacks and espionage globally while attributing these actions to non-allied nations.
It identifies the so-called "Volt Typhoon" campaign as a prime example of a meticulously crafted disinformation or "false flag" operation, aligning with the tactics employed by the U.S. and other Five Eyes intelligence agencies.
The report reveals that the U.S. government fabricated the "Volt Typhoon" narrative, attributing it to Chinese actors, to maintain the warrantless surveillance powers granted under Section 702 of the Foreign Intelligence Surveillance Act (FISA). This authority allows U.S. agencies to conduct indiscriminate and unrestricted surveillance on global internet users, including direct access to data from U.S.-based internet companies' servers, effectively making the U.S. a "peeping Tom" in cyberspace, the report alleges.
According to classified National Security Agency (NSA) documents, the U.S. leverages its advantageous position in internet infrastructure, controlling key internet nodes like transoceanic cables, and has established seven national-level full-traffic monitoring stations. In close collaboration with the UK's National Cyber Security Center, the U.S. intercepts, analyzes, and steals data transmitted through these cables, enabling indiscriminate surveillance of global internet users, the report says.
"Through extraction, aggregation, restoration, decoding, and decryption of the digital signals in these cables, they can obtain the voice, text, and video information in the cable communications, even sensitive intelligence using the original passwords. The beneficiaries are not only the U.S. government and its military and intelligence agencies, but also its intelligence cooperation partners, especially the Five Eyes alliance countries," said Du.
To transform the stolen data into readable and searchable intelligence in real-time, the U.S. National Security Agency has implemented two key project - "Upstream" and "Prism". "Upstream" extracts the raw network communication data from the undersea cables, while "Prism" conducts in-depth analysis and categorization of the data pool.
"The 'Upstream' project, as its name suggests, extracts raw network communication data from undersea cables, accumulating it into a massive data repository for subsequent in-depth analysis. The Prism program builds upon 'Upstream,' conducting deep analysis and classification of the traffic within this data pool. These two projects are complementary and integral components of the U.S.' network surveillance program," said Du.
According to cybersecurity experts, to overcome challenges such as decrypting data and incomplete coverage of network communication paths in the 'Upstream' project, the U.S. government also leverages Prism Program to directly obtain user data from the servers of major U.S. internet companies like Microsoft, Yahoo, Google, Facebook, and Apple.
Experts also pointed out that both the Upstream and Prism programs operate under the authority of FISA Section 702, making this clause the legal basis for the U.S. government's continuous, global internet surveillance and solidifying its reputation as a "surveillance empire."
New report uncovers cyber espionage, disinformation campaign conducted by US gov't agencies
