Meet the Chinese ‘Typhoon’ hackers preparing for war


By admin


Among the cybersecurity risks the United States faces today, few loom larger than the potential destructive capabilities of China-backed hackers, which U.S. national security officials have described as an “era-defining threat.”

The U.S. says Chinese government-backed hackers have penetrated deep into U.S. critical infrastructure networks, including water, energy and transportation providers, in some cases for years. The goal, officials say, is to lay the groundwork for potentially devastating cyberattacks in the event of a future conflict between China and the United States, such as a Chinese invasion of Taiwan.

“China's hackers are positioning America's infrastructure to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides it's time to strike,” then-outgoing FBI Director Christopher Wray told lawmakers last year.

The U.S. government and its allies have since taken action against some of the “Typhoon” family of Chinese hacking groups and released new details about the threat these groups pose.

In January 2024, the U.S. disrupted “Volt Typhoon,” a group of hackers the Chinese government has tasked with setting the stage for a devastating cyberattack. Later, in September 2024, federal authorities took control of a botnet operated by another Chinese hacking group called “Flax Typhoon,” which used a Beijing-based cybersecurity firm to help hide the activities of Chinese government hackers. Then in January 2025, the U.S. government sanctioned that cybersecurity company for its alleged role in “multiple computer intrusion incidents against U.S. victims.”

Since the rise of Volt Typhoon, another China-backed hacking group called “Salt Typhoon” has appeared on the networks of U.S. phone and internet giants, gathering intelligence on Americans, and on potential targets of U.S. surveillance, by compromising the telecom systems used for law enforcement wiretaps.

Here's what we've learned about how Chinese hacking groups are preparing for war.

Volt Typhoon

Volt Typhoon represents a new breed of China-backed hacking group; according to the FBI's then-director, its goal is not only to steal sensitive U.S. secrets but also to disrupt the U.S. military's “ability to mobilize.”

Microsoft first identified Volt Typhoon in May 2023, reporting that the hackers had targeted and compromised network equipment such as routers, firewalls and VPNs since at least mid-2021 as part of an ongoing and coordinated effort to penetrate deep into U.S. critical infrastructure systems. The U.S. intelligence community said the hackers had likely been at work far longer, possibly for as long as five years.

In the months following Microsoft's report, Volt Typhoon compromised thousands of these internet-connected devices, exploiting vulnerabilities in devices considered “end of life” and therefore no longer receiving security updates. The group subsequently gained further access to the IT environments of several critical infrastructure sectors, including aviation, water, energy and transportation, prepositioning itself to enable future disruptive cyberattacks aimed at slowing the U.S. government's response to an attack on its key ally, Taiwan.

“These actors aren't doing the quiet intelligence gathering and privacy theft that has been the norm in the U.S. They're probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down,” said John Hultquist, an analyst at security firm Mandiant.

The U.S. government said in January 2024 that it had successfully disrupted a botnet used by Volt Typhoon, consisting of thousands of hijacked U.S.-based small office and home office routers, which the Chinese hacking group used to hide its malicious activity targeting U.S. critical infrastructure. The FBI said it was able to remove the malware from the hijacked routers through a court-sanctioned operation, severing the group's connection to the botnet.

By January 2025, the United States had discovered more than 100 intrusions across the country and its territories linked to Volt Typhoon, according to a Bloomberg report. A large share of the attacks reportedly targeted Guam, a U.S. island territory in the Pacific Ocean and a strategic location for American military operations. Volt Typhoon reportedly targeted critical infrastructure on the island, including its main power authority, which serves sensitive defense systems based on Guam, the island's largest cell provider and several U.S. federal networks. Bloomberg reported that Volt Typhoon used an entirely new type of malware against networks in Guam that it had never deployed before, which researchers took as a sign of the region's high importance to the China-backed hackers.

Flax Typhoon

Flax Typhoon, first disclosed by Microsoft several months later in an August 2023 report, is another China-backed hacking group, which officials say has operated under the guise of a publicly traded cybersecurity company based in Beijing to hack critical infrastructure in recent years. Microsoft said Flax Typhoon, also active since mid-2021, mainly targeted dozens of “government agencies and education, critical manufacturing and information technology companies” in Taiwan.

Then in September 2024, the U.S. government said it had taken control of another botnet, made up of thousands of hijacked internet-connected devices and used by Flax Typhoon to “conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices.” Prosecutors said the botnet allowed other Chinese government-backed hackers to “hack into networks in the United States and around the world to steal information and put our infrastructure at risk.”

The Department of Justice later backed up Microsoft's findings, adding that Flax Typhoon “attacked multiple U.S. and foreign corporations.”

U.S. officials said the botnet used by Flax Typhoon was operated and controlled by Integrity Technology Group, a Beijing-based cybersecurity firm. In January 2025, the U.S. government imposed sanctions on Integrity Tech over its alleged link to Flax Typhoon.

Salt Typhoon

Salt Typhoon is the latest, and potentially most sinister, group in China's government-backed cyber army to emerge in recent months.

Salt Typhoon made headlines in October 2024 for a different type of data collection operation. As The Wall Street Journal first reported, the China-linked hacking group compromised several U.S. telecom and internet providers, including AT&T, Lumen (formerly CenturyLink) and Verizon. The Journal later reported in January 2025 that Salt Typhoon had also breached U.S.-based internet providers Charter Communications and Windstream. U.S. cyber official Anne Neuberger said the federal government had identified an unnamed ninth hacked telco.

According to a report, Salt Typhoon gained access to these telcos through compromised Cisco routers. Once inside the telcos' networks, the attackers were able to access customer call and text message metadata, including date and time stamps of customer communications, source and destination IP addresses, and the phone numbers of more than one million users, most of them located in the Washington, D.C. area. In some cases the hackers were able to capture the phone audio of senior Americans. Neuberger said a “large number” of those whose data was accessed were “government targets of interest.”

By hacking the systems that law enforcement agencies use for court-authorized collection of customer data, Salt Typhoon potentially gained access to data and systems housing many of the U.S. government's data requests, including the potential identities of Chinese targets of U.S. surveillance.

It is not yet known when the breach of the wiretap system occurred, but it could have been as early as 2024, according to the Journal's report.

AT&T and Verizon told TechCrunch in December 2024 that their networks were secure after being targeted by the Salt Typhoon spy group. Lumen soon after confirmed that its network was free of the hackers.

First published on October 13, 2024 and updated.



