Of the cybersecurity threats facing the United States right now, few loom larger than the potential sabotage capabilities of China-backed hackers, which senior U.S. national security officials have described as an “epoch-defining threat.”
The U.S. says Chinese government-backed hackers have (in some cases for years) been burrowing deep into the networks of U.S. critical infrastructure, including water, energy, and transportation providers. The goal, officials say, is to lay the groundwork for potentially destructive cyberattacks in the event of a future conflict between China and the United States, such as over a possible Chinese invasion of Taiwan.
“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” then-outgoing FBI Director Christopher Wray told lawmakers last year.
The U.S. government and its allies have since taken action against some of the “Typhoon” family of Chinese hacking groups, and published new details about the threats these groups pose.
In January 2024, the U.S. disrupted “Volt Typhoon,” a group of Chinese government hackers tasked with setting the stage for destructive cyberattacks. Later, in September 2024, federal authorities took control of a botnet run by another Chinese hacking group known as “Flax Typhoon,” which used a Beijing-based cybersecurity company to help conceal the activities of China’s government hackers. Then in January 2025, the U.S. government sanctioned that cybersecurity company for its alleged role in “multiple computer intrusion incidents against U.S. victims.”
Since the emergence of Volt Typhoon, another China-backed hacking group called “Salt Typhoon” has appeared in the networks of U.S. phone and internet giants, capable of gathering intelligence on Americans, and on potential targets of U.S. surveillance, by compromising the telecom systems used for law enforcement wiretaps.
Here’s what we have learned about the Chinese hacking groups gearing up for war.
Volt Typhoon
Volt Typhoon represents a new breed of China-backed hacking group: no longer aimed solely at stealing sensitive U.S. secrets, but rather at preparing to disrupt the U.S. military’s “ability to mobilize,” according to the then-FBI director.
Microsoft first identified Volt Typhoon in May 2023, finding that the hackers had targeted and compromised network equipment, such as routers, firewalls, and VPNs, since at least mid-2021 as part of an ongoing and concerted effort to infiltrate deep into the systems of U.S. critical infrastructure. The U.S. intelligence community said that in reality the hackers had likely been operating for much longer, potentially for as long as five years.
Volt Typhoon compromised thousands of these internet-connected devices in the months following Microsoft’s report, exploiting vulnerabilities in devices that were considered “end-of-life” and therefore would no longer receive security updates. The hacking group subsequently gained further access to the IT environments of multiple critical infrastructure sectors, including aviation, water, energy, and transportation, pre-positioning to activate future disruptive cyberattacks aimed at slowing the U.S. government’s response to an invasion of its key ally, Taiwan.
“This actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the U.S. They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down,” said John Hultquist, chief analyst at security firm Mandiant.
The U.S. government said in January 2024 that it had successfully disrupted a botnet used by Volt Typhoon, consisting of thousands of hijacked U.S.-based small office and home office routers, which the Chinese hacking group used to hide its malicious activity targeting U.S. critical infrastructure. The FBI said it was able to remove the malware from the hijacked routers by way of a court-sanctioned operation, severing the Chinese hacking group’s connection to the botnet.
By January 2025, the U.S. had discovered more than 100 intrusions across the country and its territories linked to Volt Typhoon, according to reporting by Bloomberg. Many of these attacks targeted Guam, a U.S. island territory in the Pacific and a strategic location for American military operations, the report said. Volt Typhoon allegedly targeted critical infrastructure on the island, including its main power authority, the island’s largest mobile provider, and several U.S. federal networks based on Guam, including sensitive defense systems. Bloomberg reported that Volt Typhoon used an entirely new type of malware against networks in Guam that it had never deployed before, which researchers took as a sign of the high importance the region holds for the China-backed hackers.
Flax Typhoon
Flax Typhoon, first outed by Microsoft several months later in an August 2023 report, is another China-backed hacking group, which officials say has operated under the guise of a publicly traded cybersecurity company based in Beijing to carry out hacks against critical infrastructure in recent years. Microsoft said Flax Typhoon (also active since mid-2021) predominantly targeted dozens of “government agencies and education, critical manufacturing, and information technology organizations in Taiwan.”
Then in September 2024, the U.S. government said it had taken control of another botnet, made up of hundreds of thousands of hijacked internet-connected devices, which Flax Typhoon used to “conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices.” Prosecutors said the botnet allowed other China government-backed hackers to “hack into networks in the U.S. and around the world to steal information and hold our infrastructure at risk.”
The Department of Justice later corroborated Microsoft’s findings, adding that Flax Typhoon also “attacked multiple U.S. and foreign corporations.”
U.S. officials said that the botnet used by Flax Typhoon was operated and controlled by the Beijing-based cybersecurity company Integrity Technology Group. In January 2025, the U.S. government imposed sanctions on Integrity Tech over its alleged links to Flax Typhoon.
Salt Typhoon
The latest, and potentially most ominous, group in China’s government-backed cyber army to be uncovered in recent months is Salt Typhoon.
Salt Typhoon hit the headlines in October 2024 for a different kind of information-gathering operation. As first reported by The Wall Street Journal, the China-linked hacking group compromised several U.S. telecom and internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon. The Journal later reported, in January 2025, that Salt Typhoon had also breached the U.S.-based internet providers Charter Communications and Windstream. U.S. cyber official Anne Neuberger said the federal government had identified an unnamed ninth hacked telco.
According to one report, Salt Typhoon may have gained access to these telcos through compromised Cisco routers. Once inside the telcos’ networks, the attackers were able to access customer call and text message metadata, including the dates and times of customer communications, source and destination IP addresses, and phone numbers, for more than a million users, most of them individuals located in the Washington, D.C. area. In some cases the hackers were able to capture phone audio from senior Americans. Neuberger said that a “large number” of those whose data was accessed were “government targets of interest.”
By hacking into the systems that law enforcement agencies use for court-authorized collection of customer data, Salt Typhoon also potentially gained access to the data and systems that house much of the U.S. government’s data requests, including the potential identities of Chinese targets of U.S. surveillance.
It is not yet known when the breach of the wiretap systems occurred, but it may date back to early 2024, according to the Journal’s reporting.
AT&T and Verizon told TechCrunch in December 2024 that their networks were secure after being targeted by the Salt Typhoon espionage group. Lumen confirmed soon after that its network was free of the hackers.
First published October 13, 2024 and updated.