Among the growing list of cybersecurity risks confronting the United States, few are more alarming than the potential for sabotage by China-backed hackers. U.S. intelligence and cybersecurity experts have increasingly described these cybercriminals as an “epoch-defining threat,” capable of paralyzing critical infrastructure during a time of crisis.
In recent months, U.S. intelligence has revealed that Chinese government-sponsored hackers have been infiltrating the networks of key U.S. infrastructure sectors — including water, energy, and transportation systems. Their mission? To lay the groundwork for destructive cyberattacks in the event of a conflict between China and the U.S., particularly over contentious issues like Taiwan.
“China’s hackers are positioning themselves within American infrastructure, preparing to cause real-world harm to U.S. citizens and communities,” FBI Director Christopher Wray warned lawmakers earlier this year. “If or when China decides the time has come to strike, they are ready.”
In response to these growing threats, the U.S. government and its allies have taken bold steps to combat a family of Chinese cyber actors collectively referred to as the “Typhoon” groups. Recent actions, including cyber-disruptions and botnet takeovers, have shed light on the evolving strategies of these cyberwarfare groups. In particular, three groups—Volt Typhoon, Flax Typhoon, and the newly identified Salt Typhoon—have gained notoriety for their bold tactics, further highlighting the dangers they pose to U.S. national security.
Here’s a closer look at what we know about these groups that are preparing for cyberwar.
Volt Typhoon: Cyber Sabotage in the Making
Volt Typhoon represents a new breed of China-backed cybercriminals — hackers who are not merely focused on espionage or stealing sensitive information but are actively preparing to cripple U.S. military operations. According to the FBI, Volt Typhoon’s mission is to “disrupt the U.S. military’s ability to mobilize,” potentially creating chaos in the event of a large-scale conflict.
Microsoft first identified Volt Typhoon in May 2023, revealing that the group had been targeting and compromising network equipment such as routers, firewalls, and VPNs since mid-2021. However, U.S. intelligence suspects their operations may have begun years earlier, going as far back as 2018.
What sets Volt Typhoon apart from other hacking groups is their targeted exploitation of “end-of-life” devices — internet-connected hardware that no longer receives security updates. By attacking these outdated systems, they’ve successfully infiltrated multiple sectors, including aviation, energy, water, and transportation. This gives them a strategic foothold in U.S. critical infrastructure, ready to activate cyberattacks at a moment’s notice.
“This group isn’t simply gathering intelligence or stealing secrets. They are methodically probing critical infrastructure, preparing to disable or disrupt major services if given the go-ahead,” said John Hultquist, chief analyst at Mandiant, a cybersecurity firm.
In a significant victory, the U.S. government disrupted a botnet used by Volt Typhoon in January. This botnet consisted of thousands of hijacked routers in homes and small offices across the U.S., which the hackers leveraged to mask their malicious activities. The FBI announced it had successfully removed the malware from these devices, cutting off Volt Typhoon’s access to its powerful network of compromised hardware.
Flax Typhoon: A Cybercrime Disguised as Business
Flax Typhoon, another China-backed hacking group, was first exposed by Microsoft in August 2023. Unlike Volt Typhoon, this group has taken the unusual step of masquerading as a legitimate company—a publicly traded cybersecurity firm in Beijing called Integrity Technology Group. While the company openly acknowledges its ties to the Chinese government, U.S. officials believe it serves as a cover for a massive cyber operation targeting the U.S. and its allies.
In September, U.S. authorities seized control of a botnet operated by Flax Typhoon. This botnet, made up of hundreds of thousands of infected devices, used a customized version of the notorious Mirai malware to conduct covert cyber activities. The group disguised its malicious traffic as routine internet activity from everyday consumer devices, making detection challenging.
“Flax Typhoon’s botnet allowed Chinese state-sponsored hackers to breach networks around the globe, stealing sensitive information and leaving U.S. infrastructure vulnerable to further attacks,” U.S. prosecutors said.
Microsoft’s research shows that Flax Typhoon has been active since mid-2021, mainly targeting critical sectors in Taiwan, such as government agencies, education, manufacturing, and information technology. However, the group has also launched attacks against corporations in the U.S. and other foreign nations. These efforts aim to bolster China’s capabilities while keeping adversaries on the defensive.
Salt Typhoon: Infiltrating the Heart of U.S. Telecommunications
Salt Typhoon is the latest and potentially most dangerous hacking group in China’s growing cyber army. First uncovered in October 2023, Salt Typhoon’s operations are significantly more sophisticated than its predecessors. The group has successfully breached the wiretap systems of multiple U.S. telecom and internet providers, including AT&T, Verizon, and Lumen (formerly CenturyLink). These systems are crucial for law enforcement agencies to gather court-ordered intelligence on suspected criminals and terrorists, making the breach particularly alarming.
As reported by The Wall Street Journal, Salt Typhoon may have gained access through compromised Cisco routers, giving them unprecedented reach into sensitive U.S. networks. The extent of the breach is still under investigation, but early reports suggest the hackers may have been lurking in these systems “for months, if not longer.”
The implications are enormous. Salt Typhoon may have compromised U.S. law enforcement’s ability to track and monitor individuals under surveillance, potentially gaining access to the identities of Chinese nationals or other individuals being monitored by U.S. authorities. If true, this breach could allow China to stay a step ahead of U.S. intelligence while keeping its own spies hidden in plain sight.
National security experts have labeled this breach “potentially catastrophic,” given the sensitive nature of wiretap systems and the wealth of information they contain. The U.S. government is still in the early stages of its investigation, but Salt Typhoon’s audacity and reach are clear signs that China’s cyber warfare capabilities are growing more dangerous with each passing day.
The Growing Threat of Chinese Cyber Sabotage
The increasing sophistication of these China-backed hacking groups—each bearing the “Typhoon” moniker—shows that China’s cyber warfare strategy is evolving from espionage to active preparation for cyber sabotage. These groups aren’t merely collecting intelligence; they are positioning themselves to paralyze U.S. infrastructure and disrupt critical services in the event of a conflict.
While the U.S. government has successfully dismantled parts of these botnets and exposed the operations of these cybercriminals, the battle is far from over. With China ramping up its cyber activities and preparing for potential conflicts, especially over Taiwan, the risk of large-scale cyberattacks on U.S. infrastructure has never been more real.
As the cybersecurity landscape continues to evolve, these Typhoon hackers serve as a stark reminder of the ever-present threat posed by state-sponsored cyberattacks. The U.S. must remain vigilant, proactive, and prepared for what could be a new kind of warfare—fought not with bombs and bullets, but with lines of malicious code, strategically placed to cripple entire nations.