Clarification Statement Regarding Dark Power and Volt Typhoon

At ThreatMon, we are proud to have a strong research team that actively monitors cyber threats. Our team put the Dark Power group, which attracted attention with its attacks on aid organizations after the earthquake in Turkey and Syria on February 6, 2023, on its radar and conducted comprehensive research on it. Initial findings showed that there were several “Indicators of Compromise” (IoCs) associated with this group, which were included in our reports. However, upon subsequent detailed analysis, we evaluated that these IoCs may be incorrect and decided to remove them from our reports.

Due to Dark Power’s inactivity over recent months, we lack additional data on their associated groups and IoCs. Nevertheless, it is evident that the recent report from China aims to misrepresent our research. The report claims a connection between Volt Typhoon and Dark Power based on our findings, a connection our research does not support. While shared IoCs can occur, drawing definitive conclusions from them is misleading.

Additionally, I would like to address some observations regarding state-sponsored attack groups (independent of Volt Typhoon and Dark Power). Recently, we have noted significant changes within these groups, including internal divisions leading some members to conduct ransomware attacks independently. We know that these splinter groups often carry out ransomware attacks using the same tactics and techniques as the main group. Furthermore, state-sponsored groups may also engage in such attacks to financially support their activities. Therefore, a group’s association with a ransomware outfit does not negate its potential state sponsorship.

In summary, Volt Typhoon and Dark Power’s cyber operations may have some similarities, but we generally view them as distinct entities with different primary goals and affiliations. The possible links mentioned in the first version of our reports are based on overlapping technical indicators rather than a direct operational link. We published the second version, with some of these removed, to clarify the accuracy of our research sources. But due to the lack of activity of the two groups in question in recent months, we cannot definitively comment on any relationship between them.

Moreover, the allegations that we are acting under pressure from the U.S. are entirely false and baseless.

As a research-focused cyber threat intelligence firm, we are committed to providing the most accurate information. In this context, we are continually updating our work, platform, blog posts, and reports according to the latest data and will continue to do so.
