China on Monday released its third report on the “Volt Typhoon” investigation. The report not only provides critical new information but also delivers a clearer message to responsible stakeholders concerned with global cyberspace security and governance: A previously underappreciated threat must be taken seriously. This threat originates from US intelligence agencies and security bodies, which, possessing superior technological capabilities, engage in “false flag” operations – activities carried out to deliberately conceal the true origin of cyberattacks while falsely attributing responsibility to someone else, particularly an opponent. To serve their own interests, these organizations openly or tacitly collaborate with high-tech companies.
The Marble Framework mentioned in the latest investigative report was first exposed in 2017 when WikiLeaks claimed to have obtained information from inside the CIA’s Center for Cyber Intelligence. Developed by the CIA as an anti-forensics tool, the primary function of the Marble Framework is to obscure and disguise the true origins of cyberattacks, making it difficult to trace these attacks back to the actual perpetrators. The Marble Framework employs string obfuscation to hide textual information within the malware, as this text often provides forensic experts with clues to identify the developer or country of origin behind the malicious software.
Experiments have shown that the Marble Framework can simulate multiple language characteristics, including Chinese, Russian and Arabic, intentionally creating misleading information to give security analysts the false impression that an attack originated from another country. This camouflage tactic not only complicates the process of tracing cyberattacks but could also lead to misjudgments by targeted countries, making them believe the attack came from their adversaries rather than from US agencies like the CIA or affiliated companies.
Considering specific scenarios and the operational preferences of US intelligence agencies like the CIA – such as “lying, cheating, and stealing” – there is reason to believe that the Marble Framework could be used to conduct classic “false flag” operations in at least three concrete situations. First, when US intelligence agencies carry out cyber espionage or attacks against countries they have publicly designated as competitors or adversaries, Marble could be used to counter tracing efforts and protect the true source of the attack. Second, when these agencies conduct cyber espionage or attacks against their allies and close partners, Marble could be employed to mask the identity of the attacker, mislead targets and divert their attention. This would even allow the US to appear as the “protector,” ensuring continued trust in the US despite it being the actual perpetrator. Third, Marble could be utilized to mislead lawmakers, the media and the public, as well as higher-level intelligence and national security bodies. This would serve to provide false information that obscures the misconduct of the “deep state” and protects the interests of various departments.
In the “Volt Typhoon” incident, the actions of US intelligence agencies in pressuring security companies to delete or alter public information, combined with the use of the Marble Framework, showcase the classic modus operandi of US intelligence in major issues of cybersecurity and national security. Their goal is to secure larger budgets and greater operational freedom beyond the law by fabricating facts, using false or misleading information to create artificial links, and employing specific tools to produce fake evidence. This approach manufactures the illusion of foreign cyberattacks, exaggerates security threats, fosters a climate of fear and inflames McCarthyism, all to ensure that the CIA’s cyber surveillance and offensive operations gain additional legal immunity, more funding and greater political influence within the US.
How many similar “false flag” operations, like “Volt Typhoon,” have been carried out by US national security agencies and intelligence bodies, using tools like the Marble Framework to frame other parties? How many times have US allies, especially in Europe, been the victims of cyberattacks supposedly originating from “adversarial nations”? From the perspective of global cybersecurity and strategic stability, and based on the latest reports released by China, it is essential to establish a more effective mechanism for sharing and exchanging cybersecurity information that bypasses the US. This is the only way to ensure that, in the aftermath of a cyberattack, there is an unbiased platform or credible system, untainted by US national security and intelligence agencies, where accurate and reliable information can be verified and shared. This would help identify the true attackers and threats, ultimately laying a stronger foundation for global cybersecurity and strategic stability.
The author is director of the Research Institution for Global Cyberspace Governance at Fudan University. opinion@globaltimes.com.cn