China, Volt Typhoon and the Dual Nature of Ransomware


April 23, 2024


FBI Director Christopher Wray has issued a stark warning that Chinese government-linked threat actors have “burrowed into U.S. critical infrastructure” and are awaiting “the right moment to deal a devastating blow” in what would likely be an attack in conjunction with a larger military operation.

“An ongoing Chinese hacking campaign known as Volt Typhoon has successfully gained access to numerous American companies in telecommunications, energy, water and other critical sectors, with 23 pipeline operators targeted,” Reuters reports.

“Wray said China's hackers operated a series of botnets - constellations of compromised personal computers and servers around the globe - to conceal their malicious cyber activities,” but a Chinese Ministry of Foreign Affairs spokesperson said, “Volt Typhoon was in fact unrelated to China's government, but is part of a criminal ransomware group.”

Takeaway: One thing that is not being talked about enough by policy makers is the very real potential that some ransomware operations serve a dual purpose. Given how difficult attribution is, an attack that looks like a cybercriminal operation may also serve as a proxy attack designed to further the interests of adversarial nations like China.

Given how serious the threat is to our critical infrastructure – including attacks on healthcare providers that have been linked to poor patient outcomes and possibly even contributing to early deaths – we cannot discount the dual nature of a good portion of today’s ransomware attacks.

The fact that ransomware attacks appear on the surface to merely be cybercriminal activity provides a convenient level of plausible deniability when those attacks also serve the larger geopolitical goals of rogue regimes like China, Russia, Iran and North Korea.  

We know that a good portion of ransomware operators also participate in nation-state sponsored attacks, and there is also more than enough evidence of shared attack infrastructure and tooling between cybercriminals and nation-state operators.  

Research by Chainalysis found that 74% of all revenue from ransomware attacks in 2021 went to attackers “highly likely to be affiliated with Russia.” There is little doubt that this level of activity has not gone unnoticed by the Putin regime.

This is why it is imperative that the US government and the allied nations targeted by these attacks consider differentiating at least some of them and classifying those attacks as nation-state supported terrorist attacks – specifically the attacks that target healthcare and other critical infrastructure functions like utilities and elections.

If we call these attacks what they are – terrorist attacks meant to instill fear and influence geopolitical agendas – then we unlock a whole host of options for both offensive cyber and even traditional kinetic military responses as a deterrence.  

Ransomware attacks against critical infrastructure are a form of terrorism in and of themselves, and the fact that many of the attacks are so closely related to the geopolitical interests of adversarial nations like China – while providing these nations plausible deniability – means we can no longer simply address these issues as a criminal matter.

Halcyon is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.