< Lie to me />

Volt Typhoon III

― Unraveling Cyberespionage and Disinformation Operations
Conducted by U.S. Government Agencies
—1—
 Abstract: After the release of the first two
investigation reports on Volt Typhoon, the U.S.
federal government, mainstream media, and
Microsoft have remained silent collectively.
However, former and current U.S. intelligence
agencies and security network officials
represented by Robert Joyce, as well as some U.S.
network security companies and media have
spoken out and strained every nerve to quibble,
while keeping silent on the evidence we
published in the previous two reports, once again
fully exposing their guilty conscience. Based on
the previous two reports, this report further
discloses that the U.S. federal government,
intelligence agencies and Five Eyes countries
jointly conducted cyber espionage eavesdropping
activities against other countries such as China
and Germany, and Internet users around the world.
There’s ironclad evidence that they blame other
countries through the misleading traceability

—1—
attribution analysis of the stealth toolkit to carry
out False Flag operations and cover up their own
malicious cyberattacks. And the fact that the U.S.
adopted supply chain attacks, implanted
backdoors in Internet products and
“pre-positioned” has completely debunked the
Volt Typhoon ‒ a political farce written, directed
and acted by the U.S. federal government.
I. Introduction
The two reports entitled Volt Typhoon: A
Conspiratorial Swindling Campaign targeting
U.S. Congress and Taxpayers conducted by U.S.
Intelligence Community1 and Volt Typhoon II: A
secret Disinformation Campaign targeting U.S.
Congress and Taxpayers conducted by U.S.
Government agencies2 were jointly released by
China’s National Computer Virus Emergency
Response Center (CVERC), National Engineering
1
https://www.cverc.org.cn/head/zhaiyao/news20240415-FTTF.htm
2
https://www.cverc.org.cn/head/zhaiyao/news20240708-FTTFER.htm

—2—
Laboratory for Computer Virus Prevention
Technology and 360 Digital Security Group on
April 15 and July 8, 2024. The reports
comprehensively exposed the House of Cards
farce in which the U.S. government agencies
continue to control the so-called “warrantless
surveillance rights” to indiscriminately monitor
global telecommunications and Internet users,
obtain greater political and economic interests for
the relevant interest groups behind it, fabricating
the so-called danger of Chinese cyberattacks, and
conspiring to defraud U.S. Congressmen and
taxpayers. After the release of the reports, the lie
makers, the U.S. Agency for Global Media, and
the mainstream media in the U.S. and the West
under their control remained silent as always,
which nevertheless attracted widespread attention
in the international community. More than 50
cybersecurity experts from the U.S., Europe, Asia
and other countries and regions contacted

—3—
CVERC via various means. They believed that
the U.S. and Microsoft lacked effective evidence
to associate Volt Typhoon with China, and
expressed concern about the U.S. false narrative
of Volt Typhoon. Meanwhile, the rising popularity
of relevant topics online has made the
international community more clearly understand
the real purpose of the U.S. and its cyber
hegemony, and the real harm of the U.S.
indiscriminate monitoring of the world with
Internet. Therefore, it is necessary for us to
disclose more objective evidence of the U.S.
government agencies’ involvement in fabricating
the false narrative of Volt Typhoon, organizing
and implementing False Flag operations, and
launching cyberattacks against China, and
continue to reveal the U.S. tricks of a robber
acting like a cop, or an ostrich burying its head in
the sand.
II. “Chameleons” in Cyberspace

—4—
 As is known to all, the U.S. is the world’s
largest arms supplier. The huge military-industrial
system and powerful military-industrial complex
have become significant cornerstones of its
political, economic, and military policies. The
resulting cyber arsenal is not only large in scale
and diverse in form, but also complex in function
and rich in products. Previously, the CVERC has
publicly disclosed a number of cyber weapons
developed by the U.S. National Security Agency
(NSA) and Central Intelligence Agency (CIA).
The investigation report on the NSA’s network
attacks on China’s Northwest Polytechnical
University made a detailed analysis of the
function of the various weapons used by the U.S.
intelligent agencies in external cyberattacks, as
well as the highly stealthy attack techniques and
tactics. However, those are apparently only the tip
of the iceberg of the U.S. cyber arsenal.
For a long time, the U.S. has actively

—5—
pursued the strategy of “forward defense” in
cyberspace and carried out “hunt forward”
tactical operation, i.e., deploying cyber warfare
forces around the adversary countries to carry out
close reconnaissance and cyber infiltration of
cyber targets. To meet the tactical requirements,
the U.S. intelligence agencies developed a special
stealth toolkit codenamed “Marble” to cover up
their own malicious cyberattacks, blame other
countries, and mislead traceability attribution
analysis. The toolkit is a tool framework that can
be integrated with other cyber weapon
development projects to assist cyber weapon
developers in obfuscating various identifiable
features in program code, effectively “erasing”
the “fingerprints” of cyber weapon developers,
similar to changing the “rifling” of “firearm”
weapons, shifting the direction of weapons, and
making it impossible for investigators to trace the
true source of weapons from a technological

—6—
perspective. What’s more, the framework has a
more “shameless” function to insert strings in
other languages, such as Chinese, Russian,
Korean, Persian, and Arabic, which is obviously
intended to mislead investigators and frame
China, Russia, North Korea, Iran, and Arab
countries.
According to the Marble tool framework
source code and its annotations (as shown in
Figure 1), it was identified as a classified (and
non-disclosable) weapon development program
that began no later than 2015. Obviously, it was a
secret weapon tailored for itself by the U.S.
intelligence agencies, and it was strictly forbidden
to even disclose to the so-called “allied”
countries.

—7—
 Figure 1 Source code of Marble

The Marble’s tool framework can use over

100 obfuscation algorithms to replace readable
variable names, strings, and so on, in source code
files with unreadable (unrecognizable) content,
and can insert specific interfering strings (as
shown in Figures 2, 3, 4 and 5).

—8—
Figure 2 Obfuscation functions

Figure 3 Obfuscation algorithms

Figure 4 File handling functions

—9—
 Figure 5 File handling functions (continued)

We can even find out which foreign

language strings can be inserted from the source
code of the test example of Marble, which
includes only Arabic, Chinese, Russian, Korean,
and Persian (as shown in Figure 6).

— 10 —
 Figure 6 Inserting foreign languages into a file

The Marble toolkit framework fully exposes

the indiscriminate and bottomless cyberespionage
activities and False Flag operations carried out by
the U.S. intelligence agencies around the world to
mislead investigators and researchers and realize
the conspiracy of smearing adversary countries.
False Flag operations are not limited to code
signatures. By cleverly mimicking the attack
techniques and tactics of cybercrime gangs, the
U.S. intelligence agencies can also create all
kinds of perfect “pocket” organizations, which
has already been explained in our second report.

— 11 —
Therefore, the U.S. cyber warfare forces and
hackers in intelligence agencies act like
chameleons in cyberspace to change identities
and images at will, to “represent” other countries
to carry out cyberattacks and theft around the
world, and smear non-allied countries.
According to reliable sources, False Flag
operations are actually a major component of
Influence Operations by the U.S. intelligence
agencies. Secret documents from the U.S. and the
Five Eyes countries show that Influence
Operations mainly include two aspects:
Information Operations and Technical Disruption
Operations. The NSA has developed a playbook
for Technical Disruption Operations, and False
Flag operations are an important component.
Internal documents from the U.S. and the Five
Eyes countries also make it clear that the 4D
principles, namely, deny, disrupt, degrade, and
deceive, must be observed in the implementation

— 12 —
of Influence Operations. The 4Ds cover all the
core elements of Volt Typhoon (as shown in
Figures 7 and 8).

Figure 7 The definition of Influence Operations by the U.S. and the Five Eyes countries

— 13 —
 Figure 8 Disruption Operational Playbook by the U.S. and the Five Eyes countries

From the above evidence, it can be inferred

that Volt Typhoon is a typical, well-designed
disinformation operation (the so-called False Flag
operation) in the interest of the U.S. capital group.
Its techniques and tactics are fully consistent with
those used by the U.S. and the Five Eyes
countries’ intelligence agencies in Influence
Operations. It is of course very difficult to see
through this hoax elaborated by the U.S.
intelligence agencies. Due to the large amount of
interfering information, it is far from enough to

— 14 —
rely on technological analysis alone. It is
necessary to comprehensively analyze the
information and relevant materials of multiple
parties to discover the negligence and mistakes
inadvertently exposed by the U.S. intelligence
agencies, and to correctly understand and
interpret the sinister plans concocted by
intelligence agencies such as the NSA and CIA.
That’s what we did in the last two reports (Volt
Typhoon: A Conspiratorial Swindling Campaign
targets with U.S. Congress and Taxpayers
conducted by U.S. Intelligence Community and
Volt Typhoon II: A secret Disinformation
Campaign targeting U.S. Congress and Taxpayers
conducted by U.S. Government agencies).
III. “Snoopers” in Cyberspace
In the second report, we exposed the
political scandal of the U.S. federal agencies,
especially intelligence agencies, which fabricated
the so-called “external cyber threats” and

— 15 —
launched disinformation operations in order to
maintain their massive indiscriminate
surveillance programs to maintain their
unwarranted powers under Section 702 of the
Foreign Intelligence Surveillance Act (FISA). In
this report, we will further disclose the details of
the above-mentioned surveillance program.
(I) Choking the “Throat” of Internet
According to the NSA’s internal top-secret
data (as shown in Figure 9), the U.S. relies on its
innate technological advantages and geological
advantages in the construction of the Internet to
firmly control the world’s most important Internet
choke points such as the Atlantic submarine fiber
optic cable and the Pacific submarine fiber optic
cable. It has successively established seven
national-level full-traffic monitoring stations. The
NSA works closely with the Federal Bureau of
Investigation (FBI) and the British National
Cyber Security Center (NCSC) to carry out

— 16 —
protocol analysis and data theft of the full amount
of data transmitted in fiber optic cables, so as to
achieve indiscriminate monitoring of Internet
users around the world.

Figure 9 Submarine fiber optic cable monitoring stations established and operated by the
NSA

There are many beneficiaries of the Internet

data surveillance and signal intelligence. In
addition to U.S. intelligence agencies and military
agencies, there are a large number of federal
government departments, including the White

— 17 —
House, cabinet officials, U.S. embassies abroad,
Office of the U.S. Trade Representative, the U.S.
Congress, as well as the U.S. Department of State,
Department of Agriculture, Department of Justice,
Department of Treasury, Department of Energy,
Department of Commerce, Department of
Homeland Security, etc. That is what we pointed
out in the second report: The participants in Volt
Typhoon were not limited to U.S. intelligence
agencies, but were intended to serve the common
interests of the so-called U.S. capital. Many U.S.
government agencies have helped intensify the
strength of billows and waves (as shown in
Figure 10).

— 18 —
 Figure 10 Customer list of the NSA intelligence

(II) Controlling the “Reservoir” of

Internet Data
The output of intelligence surveillance is
inevitably all kinds of readable information and
data. Therefore, it is another important task of the
NSA to convert and translate the transmission
traffic in the submarine fiber optic cable into
readable and retrievable intelligence information
in real time. With the growing proportion of

— 19 —
encrypted network traffic, this work has also
encountered tremendous challenges. To cope with
the situation, the NSA has implemented two key
engineering projects. The first is the UpStream
project, whose main function is to retain all the
original communication data of the submarine
fiber optic cables intercepted by the
above-mentioned monitoring stations in a
massive-scale data “reservoir.” The enormous
original data in the “reservoir” is the “upstream”
of the follow-up intelligence processing workflow.
It is worth noting that during the United Nations
General Assembly recently, the U.S. and some of
its allies issued a joint statement, declaring to
maintain the safety and reliability of submarine
cables. The second is the Prism project, whose
major function is, on the one hand, to classify the
original data in the UpStream project according to
the Internet application, and to analyze the
content; on the other hand, to effectively address

— 20 —
the prominent problems of encrypted data
cracking and incomplete coverage of network
communication traffic paths in the UpStream
project. The U.S. government mandated that the
Prism project directly obtain user data from the
servers of major U.S. Internet companies,
including Microsoft, Yahoo, Google, Facebook
(which has been renamed Meta), Apple, etc. Both
projects were built under the authority of Section
702, which has become not only the official basis
for U.S. intelligence agencies to legally, openly,
and continuously steal global Internet link data on
behalf of the U.S. federal government, but also
the solid and undeniable evidence of data theft (as
shown in Figure 11).

— 21 —
 Figure 11 Two key projects for global Internet surveillance conducted by the NSA

(III) Diving into the “Source” of Internet

Data
Although the NSA has deployed a large
number of surveillance systems on the Internet, if
the targets of these systems and their network
communication contents stay only in specific
areas covered by submarine fiber optic cables, the
data stolen by these monitoring systems would be
far from satisfying the NSA’s appetite for
intelligence. To solve the problem, the NSA has

— 22 —
conducted Computer Network Exploitation (CNE)
for specific targets located in the blind spots of
the monitoring system, and the NSA’s notorious
Office of Tailored Access Operation (TAO) is the
one that has done this dirty work. According to
top-secret NSA documents, the TAO has launched
indiscriminate CNEs around the world and
implanted more than 50,000 Implants (a spyware),
with targets in Asia, Eastern Europe, Africa, the
Middle East and South America. Almost all major
cities in China are within CNE, and a large
number of Internet assets have been compromised,
including those in the regions where the
Northwestern Polytechnical University and
Wuhan Earthquake Monitoring Center are located.
Many of the command-and-control centers for
these spyware programs are located at military
bases outside the U.S. mainland, including those
in Japan, Korea, Guam and Hawaii. Guam,
which is familiar to readers who have followed

— 23 —
our first two reports, can be called the original
source of Volt Typhoon fabricated by the U.S.
government, and it will forever be recorded in the
cybersecurity development history because of the
false narrative of Volt Typhoon. As a matter of
fact, the U.S. military base in Guam has not been
a victim of the Volt Typhoon cyberattacks at all,
but the initiator of a large number of cyberattacks
against China and many Southeast Asian
countries and the backhaul center of stolen data
(as shown in Figures 12 and 13).
For some high-value targets in other
countries with a high level of protection, which
are difficult to penetrate, the TAO would launch
supply chain attacks. To be specific, relying on
the advantages in advanced network security
technology and products, and with the
cooperation of large U.S. Internet companies or
equipment suppliers, the Tao would intercept and
disassemble the U.S. network products purchased

— 24 —
by the targets, implant backdoors and repackage
them for shipment to the targets. This method is
often applied in the attack of telecommunications
and network operators in other countries, which
can realize the intrusion control of the target
telecom operator’s call detail record billing and
other systems, and realize the monitoring of the
target’s mobile phone communication content. In
the case of the TAO cyberattack on Northwestern
Polytechnical University, relevant
telecommunications and network operators in
China were subject to such attacks. The target’s
call content, Internet records and real-life activity
tracks were all stolen by the TAO (as shown in
Figure 14).

— 25 —
 U.S. military base in Guam

Figure 12 Sketch map of the TAO’s global cyber intrusion operations

U.S.
military
base in Guam

Figure 13 Sketch map of the TAO’s cyber intrusion in China

— 26 —
Figure 14 The TAO technicians disassemble the Cisco network equipment purchased by the
monitoring target and implant a backdoor

Ironically, the NSA used the tactical term

pre-position to describe this kind of supply chain
attack, which specifically refers to the preset
backdoor virus in the Internet products used by
the monitoring target, laying the groundwork for
the NSA’s subsequent attack, control and theft
activities. We found that the term pre-position
was also used by the U.S. federal agencies to
describe the tactics used by Volt Typhoon to
conduct cyberattacks on critical infrastructure
based in places like Guam. So, who on earth has

— 27 —
pre-positioned in the world’s critical
infrastructure? The facts are already very clear.
(IV) “Making Exorbitant Demand” for
Internet Intelligence
Authorized by Section 702, the U.S.
intelligence agencies have established a
large-scale global Internet surveillance network,
offering a huge amount of high-value intelligence
to the U.S. government agencies, enabling the
U.S. government to take the lead in diplomacy,
defense, economy, science and technology, etc.
Section 702 and the accompanying Internet
surveillance system have become the secret
weapon of the U.S. to maintain its hegemony at
this stage. With this huge first-mover
technological advantage, the U.S. federal
government and its intelligence agencies have
become increasingly unscrupulous and any target
could be on the key monitoring list. The
following is a brief review with facts.

— 28 —
 1. France
From 2004 to 2012, the U.S. conducted a
long-term espionage operation against France,
eavesdropping on French government policies,
foreign affairs, finance, international exchange,
infrastructure construction, commercial and trade
activities. Some of the vital intelligence was
authorized by the U.S. to be shared with the other
Five Eyes partner countries, which indicated that
the Five Eyes countries were also beneficiaries of
the U.S. espionage operations. The surveillance
records included phone calls from France’s core
political and economic departments, as well as
phone calls at the official residence of the French
president. Publicly disclosed classified U.S.
intelligence documents contain a number of
top-secret intelligence summaries stolen by
eavesdropping on conversations and
communications from senior French government
officials, including the former French president

— 29 —
(as shown in Figure 15), finance minister, foreign
minister, senators, French ambassador to the U.S.,
and officials responsible for EU trade policy.
The intelligence covered French
government’s policies and internal considerations
regarding the World Trade Organization,
Trans-Pacific Partnership Agreement, G7 and
G20, as well as France’s financial budget, decline
of the French automobile industry, and the
participation of French companies in the
Oil-for-Food program in Iraq, etc.
In the economic espionage order, the U.S.
explicitly required that information should be
collected on the sale and financing of all major
projects in France related to telecommunications,
electricity, gas, oil, nuclear and renewable energy,
as well as environmental and medical technology.
It also required the interception (theft) of every
contract or transaction of a French company
worth more than US$200 million, with a direct

— 30 —
impact on large French companies such as BNP
Paribas, AXA, Credit Agricole, Peugeot, Renault,
Total, and Orange, as well as the main
agricultural associations. A summary of some of
the intelligence captured by the NSA in its
espionage operations against France is show in
Table 1.

Figure 15 The NSA’s surveillance transcript of former French President Nicolas Sarkozy

Intelligence
Year/Date Intelligence Content
Type
The French ambassador to Washington
Intelligence on the
intends to release a list of U.S. companies
2004 French ambassador
purportedly benefiting from the
to Washington
Oil-for-Food program.
Intelligence on
correspondence The then French President Jacques Chirac
among senior and French Minister of Europe and Foreign
2006
French Affairs discuss matters on UN
government appointments.
officials

— 31 —
 Intelligence
Year/Date Intelligence Content
Type
Intelligence on
The head of the French finance and
correspondence
economic policy bureau is dissatisfied with
among senior
2008 the remarks of the then French President
French
Nicolas Sarkozy on the potential negative
government
impact of a WTO agreement on France.
officials
Intelligence on
The then French President Sarkozy blames
correspondence
global economic crisis on the U.S.
among senior
2008 Government, saying that France will take
French
the lead in pursuing transformation of the
government
world financial system.
officials
Dialogue between the French ambassador
to Washington and the advisor to the
French president on foreign affairs: The
then French President Sarkozy plans to put
forward some sensitive topics during his
meeting with the then U.S. President
Barack Obama in Washington on March
Intelligence on
31, 2010. These topics involves the U.S.
correspondence
withdrawal from the bilateral intelligence
among senior
March 24, 2010 cooperation agreement (the agreement may
French
constrain the U.S. ability to continue
government
monitoring France), and the likely promise
officials
of France on offering military training
aircraft to Afghanistan; a possible contract
on refueling aircraft between the European
Aeronautic Defense And Space Company
(EADS) and the U.S. military; the
trademark dispute involving French spirit
company Pernod Ricard.

— 32 —
 Intelligence
Year/Date Intelligence Content
Type
Intelligence on
Dialogue between the then French
correspondence
President Sarkozy and French Minister of
among senior
June 10, 2011 Europe and Foreign Affairs: Sarkozy
French
makes strong statement on the
government
Israeli-Palestinian issue.
officials
Intelligence on
correspondence Dialogue among French and EU officials
among senior in Washington: They are highly critical of
August 2, 2011
French the U.S. trade policies, saying that the TPP
government is targeted at China.
officials
The French government is concerned about
the impact of the continuing eurozone
crisis, particularly the Greek withdrawal
from the eurozone, on the interest of
Intelligence on
France and French companies. The then
correspondence
French President Francǫis Hollande is
among senior
May 22, 2012 dissatisfied with the then German
French
Chancellor Angela Merkel’s
government
uncompromising stance on the crisis.
officials
Sarkozy agrees to the holding of a secret
meeting among French officials and
German opposition party members to
discuss crisis without informing Merkel.
Intelligence on
Dialogue between the French economy and
correspondence
finance minister and a senator: The
among senior
July 31, 2012 minister states that the French economy
French
has been in crisis and is expected to be in a
government
dire situation in the following two years.
officials

— 33 —
 Intelligence
Year/Date Intelligence Content
Type
The order requires engaging in long-term
economic espionage to obtain details on
the economic activities of French
companies and the economic policies and
The U.S. decisions of the French government.
2012 espionage order It also involves issues such as the
targeting France economic relationship of France with the
U.S., other countries and international
agencies, French financial and trade
policies, and the French perspective on G8
and G20 agendas.
The order instructs U.S. spies to collect
sales and financing information of all
major French projects relating to
telecommunication, power generation,
natural gas, petroleum, nuclear energy and
The U.S. renewable energy, as well as environment
2012 espionage order on and medical technology. Meanwhile, the
French economy spies are asked to intercept and report to
the higher body all contracts and
negotiations of French companies that
worth more than $200 million. Related
intelligence will be submitted to U.S. trade,
political and intelligence agencies.
Intelligence on The French Economy and Finance
agendas of Ministry drafted talking points for G7 and
meetings among G20 meetings, including urging the U.S.
2012
French banking reform, and planning to support
government the U.S. on the strategic petroleum reserve
officials initiative.
Table 1 The NSA’s surveillance records of French government officials in office at the time

— 34 —
 2. Germany
An NSA confidential document shows that
the Germany Federal Intelligence Service (BND)
and the Federal Office for the Protection of the
Constitution (BfV) and other intelligence
agencies have provided active cooperation for
their U.S. counterparts several times to conduct
surveillance activities in Europe and Germany
itself.3 They also joined hands with the CIA in
acquiring and operating the Switzerland-based
encryption technology company Crypto AG, and
offered encryption products with backdoor to the
targets of surveillance.4 In spite of that, the U.S.
has excluded Germany from the Five Eyes, and
categorized Germany as a third-tier partner,
regarding Germany as both a partner of interests
and an untrustworthy target of surveillance.
In fact, the U.S. Army, Air Force, and Navy,
3
https://www.spiegel.de/international/world/german-intelligence-worked-closely-with-nsa-on-data-surveillance-a-
912355.html

4
https://www.theguardian.com/us-news/2020/feb/11/crypto-ag-cia-bnd-germany-intelligence-report

— 35 —
as well as the NSA have set up a large number of
covert intelligence stations in Germany to keep
close watch on Germany and other European
countries (as shown in Figure 16).

Figure 16 Covert intelligence stations set up in Germany by the U.S. intelligence agencies

The NSA has long been monitoring

correspondence among senior German
government officials, including chancellors,
ministers of foreign affairs, ambassadors and
consul- generals abroad. The surveillance content

— 36 —
is extensive, including the German government’s
perspective on the international situation and
emergencies, as well as private discussions
among Germany officials after they attend
international exchanges with the U.S., covering
such important fields as politics, military affairs,
economy, diplomacy, policy, ethnicity, security,
resources, etc. What’s worth mentioning is that
the U.S. intelligence agencies have a keen interest
in the internal considerations of EU countries,
especially their solutions to guarding against
financial risks (as shown in Figure 17).

— 37 —
 Figure 17 The NSA surveillance records of German government leaders

Even after the Snowden leaks, the U.S. has

not relaxed its surveillance on Germany. It has
done so with a more covert approach. In May
2021, Danish media5 exposed the cooperation
between the NSA and the Danish Defense
Intelligence Service (FE) on monitoring Internet
cables in Denmark. The targets included state
leaders, as well as senior politicians and officials
of Germany, Sweden, Norway, and France. The
then German Chancellor Angela Merkel, then
5
https://www.dr.dk/nyheder/indland/forsvarets-efterretningstjeneste-lod-usa-spionere-mod-angela-merkel-franske- norske

— 38 —
German Minister of Foreign Affairs Frank-Walter
Steinmeier and then Germany opposition leader
Peer Steinbruck, to name a few, were all main
targets of the surveillance project between the
NSA and the FE. The person in charge of the
project happened to be the then U.S. Vice
President Joe Biden, who is currently the U.S.
President.
The exposure of the project once again
aroused dissatisfaction of Germany, France, and
other European countries. The then German
Chancellor Merkel and French President
Emmanuel Macron had publicly stated that the
U.S. surveillance targeting its allies was
“unacceptable.” However, the U.S. was obviously
indifferent to the feeling of its “allies.” In April
2023, the U.S. surveillance targeting German
Federal Ministry of Defense was exposed again.6

6
https://www.tagesschau.de/investigativ/kontraste/pentagon-papiere-leaks-bundesverteidigungsministerium- 100.html

— 39 —
 Figure 18 The NSA’s surveillance records of the German Federal Ministry of Defense

The NSA top-secret document (as shown in

Figure 18) shows that the activity monitored this
time was the meeting on military and foreign
affairs between the German Federal Ministry of
Defense and a visiting delegation of the Ministry
of National Defense of China on February 20,
2023. The records revealed that the main focus of
the U.S. was the views and stance of Germany on
military cooperation with China.
In 2022, the U.S. and Europe have
established a new “U.S.-EU Trans-Atlantic Data
Privacy Framework”, and the United States
promised to give more supervision of cyber
surveillance operation in Europe for tricking the

— 40 —
so-called allies into agreeing to transmit data to
the United States. In fact, the US has never
stopped wiretapping its European Allies.
3. Japan
The external surveillance database of the
NSA included a list of important Japanese
political and economic targets. The list showed
that the NSA espionage monitoring activities
targeting the Japanese cabinet, government
departments and zaibatsus could be traced back to
the Shinzo Abe administration. Phone
surveillance targets included the office
switchboard of the Japanese cabinet, executive
secretary of the then chief cabinet secretary
Yoshihide Suga, a large number of Japanese
central bank officials, the natural gas department
of the Mitsubishi Corp., and the petroleum
department of the Mitsui & Co. Machine Tech
Ltd. A record titled “A Confidential Proposal on
Climate Change that Japan Plans to Release at the

— 41 —
G8 Summit” (as shown in Figure 19) clearly
marked “REL TO USA, AUS, CAN, GBR, NZL,”
meaning that the intelligence report was officially
approved by the senior U.S. government authority
to be shared with the Five Eye allies, creating
conditions for them to come up with special plans
targeting Japan. Relevant intelligence was
suspected to be stolen from Japanese government
agencies, which further demonstrated the
extensive coverage of the U.S. government
surveillance targeting its Japanese counterpart.
Specific contents of concern were: disputes on
agricultural product imports and trade, Japan’s
stance at the WTO Doha Development Round,
Japan’s climate change policies, its nuclear
energy and energy policies and carbon emission
plans, correspondence between Japan and
international agencies such as the International
Energy Agency, the prime minister’s briefings at
Shinzo Abe’s official residence, and much more.

— 42 —
 Figure 19 The NSA’s monitoring records of Japanese leaders

4. Ordinary U.S. Citizens

Our second investigation report has made it
clear that there has been a public outcry of justice
against Section 702. Although the section claimed
that the U.S. intelligence agencies such as the
NSA only collect information from overseas
non-American, obviously, the overall mission of
such monitoring plans is to illegally obtain full
information data of global Internet users, as
shown in the aforementioned technical route of
the NSA surveillance plans. The targets

— 43 —
absolutely include U.S. citizens. When
intelligence analysts set selectors, they are asked
by the NSA and the rest of the U.S. intelligence
community to “try to” avoid covering U.S.
citizens at home and U.S. citizens abroad. But
unfortunately, such measures that rely almost
entirely on “self-discipline” are merely symbolic.
On May 19, 2023, the U.S. Foreign Intelligence
Surveillance Court publicly released a document,7
showing that the U.S. intelligence community had
carried out thousands of operations that violated
Section 702 (as shown in Figure 20). The
document particularly pointed out that when the
FBI collected foreign intelligence, it repeatedly
misused telecommunication and online
surveillance tools, including monitoring U.S.
citizens related to the Capitol riot on January 6,
2021, and the “Black Lives Matter” social
movement in 2020. The court order was later
7
https://www.intelligence.gov/assets/documents/702%20Documents/declassified/21/2021_FISC_
Certification_Opinion.pdf

— 44 —
publicly exposed and questioned by the media.8
As a matter of fact, during the “Occupy Wall
Street” populist movement, agencies including
the FBI, NSA and CIA carried out
non-differentiated monitoring of on-site protesters
and their contacts throughout the whole process.
Similar methods were adopted during the
“Sunflower” riot in China’s Taiwan region and
the illegal “Occupying Central” in China’s Hong
Kong Special Administrative Region. Thus, it can
be seen that surveillance on U.S. citizens has
never been absent.

Figure 20 Cases of Section 702 violation revealed in the U.S. Foreign Intelligence

8
https://thehill.com/policy/national-security/4012650-fbi-misused-surveillance-tool-fisa-section-702/

— 45 —
 Surveillance Court document

The underlying reason of such Internet

surveillance misuse is that the U.S. intelligence
community has adopted an excessively lenient
attitude in enforcing Section 702 (as shown in
Figure 21). Intelligence agencies have even made
it clear in their internal training materials that if
intelligence analysts “accidentally” find personal
information of U.S. citizens, it is not a violation
of rules and it’s not necessary to report.

— 46 —
Figure 21 Training material of the U.S. intelligence community on Section 702 compliance
requirements

The aforementioned examples demonstrate

that the U.S. global online surveillance plan and
monitoring stations are like ubiquitous lurkers on
the Internet, which eavesdrop and steal data from
online users all over the world in real time. Such
surveillance capacity is an indispensable
foundation for the U.S. to build a Matrix and
espionage empire. To maintain such a large

— 47 —
surveillance plan requires an astonishing annual
budget. The need for more budget comes with the
explosive growth of online data. That is the main
driving force for the U.S. federal government and
intelligence community to jointly push for the
planning and development of Volt Typhoon.
It is not a rare case for U.S. politicians to
cheat the U.S. Congress for their personal gains.
The FBI Director Christopher Wray, who has
played an important role in the Volt Typhoon false
narrative campaign, is a habitual liar. In July 2022,
Wray and the U.S. Attorney General Merrick
Garland were questioned by senators for covering
up the evidence of crime by President Biden’s
son.9 In August 2023, Wray faced questions by
several Congress members for submitting fake
memo to Congress.10 In July 2024, Wray, again,
perjured himself at a House hearing on the

9
https://nypost.com/2022/08/31/fbi-agents-say-christopher-wray-has-got-to-go-report/

10
https://nypost.com/2023/08/10/fbi-head-chris-wray-lied-about-targeting-catholics-he-owes-america-answers/

— 48 —
shooting of former U.S. President Donald Trump
when he claimed that Trump wasn’t hit by a
bullet,11 while concealing the real health
condition of the current President Biden. For that
matter, Trump strongly urged Wray to resign
immediately.
IV. Demon behind Unusual Events
We have taken into notice that after we
released the second investigation report on Volt
Typhoon, although the U.S. authorities and the
mainstream media kept silent, some former and
current U.S. government officials and Internet
security companies expressed their views on our
report via social media, media of the U.S. Internet
security and independent media, including a
unanimous negative opinion, saying that the
report “distorted” and “misused” the research
outcome of relevant U.S. companies. The U.S.

11
https://www.nbcnews.com/politics/donald-trump/republicans-rip-fbi-directors-testimony-trump-might-not-hit-bullet-
rcna163653

— 49 —
companies were also eager to disassociate
themselves with the report. Therefore, we feel
that it’s necessary to point out that in
investigation and research of cyberattack
incidents, citing and referring to research results
of other professional agencies is nothing new but
a normal practice. Being considered “distorting”
and “misusing” the results of some U.S.
companies just because we came up with
different conclusions made us realize the power
of U.S. Internet hegemony. It also made us
believe that these companies had expressed their
view under tremendous external pressure.
ThreatMon’s change of statement is quite
intriguing. It claimed during a media interview
that it revised the original report because it found
out in its follow-up research mistakes in the early
indicators of compromise related to the Volt
Typhoon investigation report. Such perfunctory
explanation makes it even more suspicious. For

— 50 —
one thing, the time it revised the report raises
doubts; for another, the entire page deleted from
the original report not only included an IP address
list, but key evidence such as command and
control server addresses and ransomware
cryptocurrency wallet addresses. Is it possible
that these data all went wrong during the
collection process? What has happened to
ThreatMon’s scientific research attitude, technical
expertise and competence? Is it ThreatMon’s
academic spirit to strictly keep its report the same
as the reports of other obedient U.S. Internet
security agencies under the pressure of U.S.
authorities? If the follow-up research was
thorough and rigorous, why didn’t ThreatMon
provide an explanation in the revised version and
revise the content page accordingly? The only
explanation for ThreatMon’s fishy move is that
the original report was changed in a rush due to
strong external pressure. Of course, we have

— 51 —
already presented in our latest report more
evidence, which can fully prove the Internet
espionage that the U.S. intelligence community
has conducted on China, Russia, Iran and Arab
countries, as well as the fact that fake information
has been given to the U.S. Congress and tax
payers.
The response from Microsoft is worth noting,
too. During the BlackHat USA 2024 on August
11, Sherrod DeGrippo, Director of Microsoft’s
Threat Intelligence Strategy, said that the
so-called “Volt Typhoon” was still active with no
signs to stop. However, she failed to provide
concrete evidence of Volt Typhoon as a so-called
“Chinese government-sponsored cyber actor.” As
a matter of fact, the behavior of Microsoft has
been suspicious since 2023. It has strengthened
cooperation with the U.S. military and
intelligence community, as we pointed out in the
previous two reports. The cooperation has gone

— 52 —
further in 2024. According to an article published
on Bloomberg on May 7,12 Microsoft has
deployed an offline AI large model and assistant
program for U.S. intelligence agencies to conduct
auxiliary analysis of top-secret information.
What’s more worrying is the excessive attention
Microsoft has paid to the private information of
its users. On May 21, the company released the
new AI solution Copilot+ PCs and the “Recall”
feature, with which the Windows operating
system is able to record every user operation for
its AI assistant to learn. Although Microsoft
explained that the feature is only limited to local
operation, and the data are stored in an encrypted
form, users’ doubts about the misuse of Recall
and leakage of personal information cannot be
dispelled. Overwhelmed by the massive
controversy, Microsoft had to postpone the Recall
feature that should have been pushed with
12
https://bloomberg.com/news/articles/2024-05-07/microsoft-create-top-secret-generative-ai-service-for-us- spies

— 53 —
Windows updates. On June 13, OpenAI, of which
Microsoft is the largest stakeholder, appointed
Paul Nakasone to its board of directors. All of
these moves by Microsoft fully indicate that the
company, as a crucial partner of the Section
702-related surveillance project, has been
increasingly influenced and controlled by the U.S.
intelligence community. In return, the U.S.
government agencies have turned a blind eye to
Microsoft’s disguised monopolistic behaviors
‒abusing its dominant market position and using
Windows and Office updates to push bundled
software products.
Here, we must mention the famous U.S.
cybersecurity firm CrowdStrike’s update flaw on
July 19, which caused the Blue Screen of Death
on millions of computers installed with the
Windows operating system. The accident also led
to serious losses of public transportation, health
care and other key information infrastructure

— 54 —
industries for a number of countries. Such an
accident is not what global cybersecurity
practitioners would like to see. Particularly, for
professionals in the field of computer virus
prevention and control, such incident will
definitely deal a heavy blow to user confidence in
third-party antivirus programs, and further affect
the ecosystem of the global Internet security
industry. Nevertheless, facing such a serious
accident, the Cybersecurity and Infrastructure
Security Agency (CISA), as the main
cybersecurity authority of the U.S., showed
abnormal “leniency” to Microsoft and
CrowdStrike. The CISA did not take any action.
Instead, its director Jen Easterly called the
accident a “dress rehearsal” for Volt Typhoon
attacks at the BlackHat USA 2024, actively
absolving Microsoft and CrowdStrike from their
blame and diverting public attention. These
nonsensical and shameless statements and actions

— 55 —
have profound underlying reasons. In fact, the
accident demonstrated the significant advantage
of the U.S. in the IT supply chain. As important
partners of the U.S. intelligence community,
Microsoft and CrowdStrike were surely able to
receive “protection” from the U.S. government
agencies. They would not be punished. On the
contrary, under the shelter of the authorities and
the disguise of the so-called “China cyber threat,”
they would continue to expand their influence on
the global market and deliver more information to
the Section 702 database.
In the meantime, we have also noticed that
many well-known media, international figures
and industrial experts from America, Europe,
Asia and Africa have raised voices of justice on
the truth of Volt Typhoon. Notably, an Australian
expert published a feature commentary article
title The Geopolitics of Cyber Espionage,13
13
https://johnmenadue.com/the-geopolitics-of-cyber-espionage/

— 56 —
clearly pointing out that the U.S. government and
Microsoft reports lack concrete evidence, and
revealing that “the Volt Typhoon threat was
mostly a work of fiction, crafted by U.S.
intelligence agencies to win public support and
pressure policymakers to allow the extension of
invasive U.S. surveillance powers.” We would
like to express our sincere appreciation for their
outspoken advocacy of justice.
V. Conclusion
For years, the U.S. federal government, out
its selfish interest, has turned the tracing of
cyberattacks the into a political issue. To cater to
U.S. politicians, government bodies and
intelligence agencies, some U.S. companies, such
as Microsoft and CrowdStrike, for their
commercial interest and without sufficient
evidence and rigorous technical analysis, have
been keen on coining various absurd code names
with obvious geopolitical overtones for hacker

— 57 —
groups, such as “typhoon,” “panda,” and “dragon,”
instead of “Anglo-Saxon,” “hurricane,” and
“koala.” They flaunted their “superb” skills and
cultural “deposits,” but ignored the most basic
issue of product quality, corrupting the overall
culture of the industry. We have reiterated
multiple times in our previous reports that China
has always been opposing technical investigation
of cybersecurity incidents manipulated by
political games and the politicization of the
tracing of cyberattacks. On the contrary, the U.S.
federal government has been persistently inciting
and abetting from the shadow, fabricating
fictitious cyberattacks to scam for budget from
Congress. As its ambitions grow larger, it is
bound to shoot itself in the foot one day. Wray
and other unethical politicians, who have been
utilizing the Volt Typhoon deceptive narrative to
cheat the U.S. Congress and public and obtain
illicit gains, are destined to face a just judgment

— 58 —
from the American people.
Against the backdrop of today’s increasingly
intense geopolitical conflicts, normalized
international exchange is what the cybersecurity
industry needs the most. Again, we would like to
call for extensive international collaboration in
this field. Moreover, cybersecurity companies and
research institutions should focus on
counter-cyber threat technology research and
better products and services for users. That is the
right way forward for the Internet to contribute
steadily to the common progress of mankind.

National Computer Virus Emergency Response

Center
National Engineering Laboratory for Computer
Virus Prevention Technology

October 14, 2024

— 59 —