Chinese 'Typhoon' Hackers: Preparing for Cyber Warfare?

January 10, 2025
The Escalating Cybersecurity Threat from China

Among the cybersecurity challenges confronting the United States currently, the potential for sabotage by hackers linked to China represents a significant concern. Senior U.S. national security personnel have characterized this as a threat of “epoch-defining” proportions.

Infiltration of Critical Infrastructure

The U.S. government asserts that hacking groups supported by the Chinese government have been gaining access to, and establishing a presence within, the networks of vital U.S. infrastructure. This includes sectors like water, energy, and transportation.

Officials indicate that this activity aims to establish a foundation for potentially damaging cyberattacks should a conflict arise between China and the United States. A potential Chinese invasion of Taiwan is often cited as a possible trigger.

Warnings from U.S. Officials

Christopher Wray, the then-outgoing FBI Director, cautioned lawmakers last year that China’s hackers are actively positioning themselves within American infrastructure. Their intention is to inflict disruption and cause tangible harm to American citizens and communities, should China deem the moment appropriate to launch an attack.

Government Response and Disruptions

The U.S. government, alongside its allies, has responded by taking action against several Chinese hacking groups belonging to the “Typhoon” family. Detailed information regarding the threats posed by these groups has also been released.

Recent Disruptions of Chinese Hacking Operations

In January 2024, operations of “Volt Typhoon,” a Chinese government-backed hacking group focused on preparing for destructive cyberattacks, were disrupted by U.S. authorities.

Further action was taken in September 2024, with federal authorities gaining control of a botnet operated by “Flax Typhoon.” This group utilized a cybersecurity firm based in Beijing to mask the activities of China’s government hackers.

Subsequently, in December, the U.S. government imposed sanctions on the cybersecurity company for its alleged involvement in “multiple computer intrusion incidents” targeting U.S. entities.

Emergence of New Threat Actors

Since these actions, a new China-linked hacking group, “Salt Typhoon,” has been detected within the networks of major U.S. telecommunications providers. This group possesses the capability to gather intelligence on American citizens and potential targets of U.S. surveillance by compromising telecom systems used for law enforcement wiretaps.

Resurgence of Known Threat Actors

Additionally, “Silk Typhoon” (formerly known as Hafnium), a hacking group active since at least 2021, reappeared in December 2024. They initiated a new campaign specifically targeting the U.S. Treasury.

Understanding the Chinese Hacking Groups

These developments highlight the increasing readiness of Chinese hacking groups for potential conflict. The actions taken demonstrate the ongoing efforts to understand and counter these evolving cybersecurity threats.

Volt Typhoon

Volt Typhoon represents a new generation of China-backed hacking groups and a shift in the threat landscape. Rather than limiting themselves to traditional espionage, these groups are, according to the former FBI director, actively preparing to impede the U.S. military’s ability to operate.

Microsoft first publicly identified Volt Typhoon in May 2023. The group has been systematically targeting and compromising network edge devices, including routers, firewalls, and VPN appliances, since at least mid-2021, a sustained and deliberate effort to penetrate deeply into U.S. critical infrastructure systems.

U.S. intelligence assessments suggest the group’s activities likely extend much further back, potentially spanning up to five years. Following Microsoft’s initial report, Volt Typhoon successfully compromised thousands of internet-connected devices.

The hackers exploited vulnerabilities present in devices that had reached their “end-of-life,” meaning they no longer received vital security updates. This allowed the group to gain further access to IT environments across crucial sectors, including aviation, water, energy, and transportation.

This pre-positioning suggests an intent to launch disruptive cyberattacks. These attacks could potentially hinder the U.S. government’s ability to respond effectively to a potential invasion of Taiwan, a key ally.

John Hultquist, chief analyst at Mandiant, explained, “Unlike typical intelligence gathering, this actor is actively probing critical infrastructure to create the capacity for disruption should they receive orders to do so.”

In January 2024, the U.S. government announced the successful disruption of a botnet utilized by Volt Typhoon. This botnet comprised thousands of compromised small office and home routers located within the U.S.

These hijacked routers were used by the Chinese hacking group to conceal their malicious activities targeting U.S. critical infrastructure. The FBI, through a court-authorized operation, removed the malware from the affected routers, effectively severing the hacking group’s connection to the botnet.

By January 2025, reports from Bloomberg indicated the discovery of over 100 intrusions across the U.S. and its territories attributed to Volt Typhoon. A significant concentration of these attacks targeted Guam.

Guam, a U.S. island territory in the Pacific, holds strategic importance for American military operations. Volt Typhoon reportedly targeted critical infrastructure on the island, including the main power authority, the largest cellular provider, and various U.S. federal networks.

These targeted networks included sensitive defense systems stationed on Guam. Bloomberg’s reporting revealed that Volt Typhoon deployed a previously unseen malware variant against networks in Guam.

This deployment of novel malware was interpreted by researchers as a clear indication of the region’s high priority for the China-backed hacking group.

Flax Typhoon

First identified by Microsoft in an August 2023 report, Flax Typhoon is a China-linked hacking group that reportedly conceals its operations behind a publicly listed cybersecurity firm located in Beijing. Its activity targets vital infrastructure systems.

According to Microsoft, Flax Typhoon has been operational since the middle of 2021, focusing primarily on numerous entities within Taiwan. These include governmental bodies, educational institutions, and organizations in critical manufacturing and information technology sectors.

In September 2023, the U.S. government announced the seizure of a substantial botnet. This network comprised hundreds of thousands of compromised internet-connected devices.

Flax Typhoon used this botnet to carry out malicious cyber activity while blending it in with ordinary internet traffic originating from the infected consumer devices.

Prosecutors detailed that the botnet facilitated other Chinese government-affiliated hackers in infiltrating networks globally. This allowed them to steal sensitive data and jeopardize critical infrastructure.

The Department of Justice subsequently confirmed Microsoft’s assessment. They added that Flax Typhoon had also launched attacks against multiple U.S. and international corporations.

U.S. authorities have linked the operation of the botnet to Integrity Technology Group, a cybersecurity company based in Beijing.

Consequently, in January 2024, the U.S. government implemented sanctions against Integrity Tech. These sanctions were imposed due to the company’s alleged connections to Flax Typhoon.

Salt Typhoon

Recent investigations have brought to light Salt Typhoon, a newly identified hacking group believed to be supported by the Chinese government.

In October 2024, Salt Typhoon garnered attention for a unique intelligence-gathering campaign. Initial reports, published by The Wall Street Journal, detailed how this China-associated hacking group successfully infiltrated multiple U.S. telecommunications and internet service providers. These included prominent companies such as AT&T, Lumen (previously CenturyLink), and Verizon.

Further investigation by the Journal in January 2025 revealed that Salt Typhoon had also compromised Charter Communications and Windstream, both U.S.-based internet providers. Anne Neuberger, a U.S. cybersecurity official, indicated that a total of nine telecommunications companies had been affected by these intrusions.

Reports suggest that Salt Typhoon may have initially gained network access through vulnerabilities in Cisco routers. Once inside these networks, the attackers were able to obtain customer communication metadata. This included timestamps for calls and texts, IP addresses, and phone numbers associated with over one million users, with a concentration in the Washington D.C. metropolitan area.

In certain instances, the hackers were even able to intercept and record audio from phone calls made by elderly American citizens. Neuberger stated that a “significant portion” of those whose data was compromised were individuals considered “targets of interest” by the government.

The group’s access extended to systems utilized by law enforcement for legally authorized data collection. This potentially provided Salt Typhoon with access to sensitive information regarding U.S. surveillance operations, including the identities of Chinese individuals under investigation.

The timing of the breach affecting wiretap systems remains unclear, though reporting suggests it may have begun as early as 2024.

Both AT&T and Verizon communicated to TechCrunch in December 2024 that their networks had been secured following the targeting by the Salt Typhoon espionage operation. Lumen subsequently confirmed that its network was no longer compromised by the hackers.

Silk Typhoon

A China-backed hacking group formerly operating under the name Hafnium has resurfaced under a new designation, Silk Typhoon, following its implication in a security breach at the U.S. Treasury in December 2024.

The U.S. Treasury Department informed lawmakers, as reported by TechCrunch, that the China-linked actors leveraged a compromised key originating from BeyondTrust. BeyondTrust specializes in identity access technology for substantial organizations and governmental bodies.

This stolen key facilitated remote access to workstations utilized by Treasury employees. The hackers subsequently located and accessed internal documents residing on the department’s unclassified network.

The intrusion extended to the Treasury’s sanctions office, responsible for implementing economic and trade restrictions against nations and individuals. Furthermore, the Committee on Foreign Investment in the United States (CFIUS) was also breached in December.

CFIUS possesses the authority to impede Chinese investment activities within the United States.

Silk Typhoon is not a newly formed entity; it previously drew attention in 2021 as Hafnium, when the group exploited weaknesses in Microsoft Exchange email servers.

This exploitation impacted over 60,000 organizations globally.

Microsoft, which actively monitors this state-sponsored hacking group, indicates that Silk Typhoon focuses primarily on information gathering and data exfiltration, targeting entities across multiple sectors.

These sectors include healthcare organizations, legal firms, and non-governmental organizations situated in Australia, Japan, Vietnam, and the United States.

Key Targets:

  • Healthcare organizations
  • Law firms
  • Nongovernmental organizations

Originally published on October 13, 2024, with subsequent updates.
