Of the cybersecurity risks facing the United States today, few are greater than the potential sabotage capabilities posed by China-backed hackers, who senior US national security officials have described as an “era-defining threat.”
The U.S. says Chinese government-backed hackers have burrowed deep into the networks of critical U.S. infrastructure, including water, energy and transportation providers, in some cases for years. The goal, officials say, is to lay the groundwork for potentially devastating cyberattacks in the event of a future conflict between China and the United States, such as a possible Chinese invasion of Taiwan.
“China’s hackers are placing themselves in American infrastructure preparing to wreak havoc and cause real harm to American citizens and communities if or when China decides it’s time to strike,” then-outgoing FBI Director Christopher Wray told lawmakers.
The US government and its allies have since taken action against some of the Chinese “Typhoon” family of hacking groups and released new details about the threats posed by these groups.
In January 2024, the US disrupted “Volt Typhoon,” a group of Chinese government hackers tasked with setting the stage for devastating cyberattacks. Later, in September 2024, federal authorities seized control of a botnet run by another Chinese hacking group called “Flax Typhoon,” which used a Beijing-based cybersecurity firm to help hide its hacking activity on behalf of the Chinese government. Then, in December, the US government sanctioned the cybersecurity company for its alleged role in “multiple computer intrusion incidents against US victims.”
Since then, another Chinese-backed hacking group called “Salt Typhoon” has emerged on the networks of US phone and internet giants, capable of gathering information about Americans – and potential US surveillance targets – by compromising the telecommunications systems used for law enforcement wiretapping.
And, a Chinese threat actor called Silk Typhoon (formerly known as Hafnium), a hacker group active since at least 2021, returned in December 2024 with a new campaign targeting the US Treasury.
Here’s what we learned about Chinese hacker groups preparing for war.
Volt Typhoon
Volt Typhoon represents a new breed of Chinese-backed hacking group: it no longer aims simply to steal sensitive US secrets, but rather to prepare to disrupt the US military’s “mobilization capability,” according to the then-FBI director.
Microsoft first spotted Volt Typhoon in May 2023, finding that the hackers had targeted and compromised network equipment such as routers, firewalls and VPNs since at least mid-2021 as part of an ongoing and coordinated effort to penetrate deep into US critical infrastructure systems. The US intelligence community said the hackers may in fact have been operating for much longer, possibly as long as five years.
Volt Typhoon compromised thousands of these Internet-connected devices in the months following Microsoft’s report, exploiting vulnerabilities in devices that were considered “end-of-life” and therefore would no longer receive security updates. The hacking group subsequently gained further access to the IT environments of several critical infrastructure sectors, including aviation, water, energy and transportation, intending to enable future disruptive cyberattacks aimed at slowing down the US government’s response to an invasion of its key ally, Taiwan.
“This actor does not do the quiet intelligence-gathering and secret-stealing that has been the norm in the US. They probe sensitive critical infrastructure so they can disrupt major services if and when the order collapses,” said John Hultquist, chief analyst at security firm Mandiant.
The US government said in January 2024 that it had successfully disrupted a botnet used by Volt Typhoon, consisting of thousands of compromised small office and home network routers in the US, which the Chinese hacking group used to hide its malicious activity targeting US critical infrastructure. The FBI said it was able to remove the malware from the compromised routers through a court-approved operation, severing the Chinese hacking group’s connection to the botnet.
By January 2025, the US had discovered more than 100 intrusions across the country and its territories linked to Volt Typhoon, Bloomberg reported. A large number of these attacks targeted Guam, a US island territory in the Pacific and a strategic location for US military operations, the report said. Volt Typhoon reportedly targeted critical infrastructure on the island, including the main power authority, the island’s largest mobile phone provider, and several US federal networks based on Guam, including sensitive defense systems. Bloomberg reported that Volt Typhoon used an entirely new type of malware against networks in Guam that it had never deployed before, which researchers saw as a sign of the region’s importance to the China-backed hackers.
Flax Typhoon
Flax Typhoon, which Microsoft first detailed several months later in an August 2023 report, is another Chinese-backed hacking group that officials say has operated under the guise of a publicly traded Beijing-based cybersecurity firm to conduct hacks against critical infrastructure in recent years. Microsoft said Flax Typhoon – also active since mid-2021 – primarily targeted dozens of “government and education, critical manufacturing and information technology organizations in Taiwan.”
Then, in September 2023, the US government said it had taken control of another botnet, which consisted of hundreds of thousands of Internet-connected devices that had been hacked and used by Flax Typhoon to “conduct malicious online activity disguised as normal Internet traffic from the infected consumer devices.” Prosecutors said the botnet allowed other hackers backed by China’s government to “breach networks in the US and around the world to steal information and keep our infrastructure at risk.”
The Justice Department later confirmed Microsoft’s findings, adding that Flax Typhoon “also attacked many US and foreign companies.”
US officials said the botnet used by Flax Typhoon was managed and controlled by Beijing-based cybersecurity firm Integrity Technology Group. In January 2024, the US government sanctioned Integrity Tech for its alleged ties to Flax Typhoon.
Salt Typhoon
The latest – and potentially most ominous – group in China’s government-backed cyber army to be exposed in recent months is Salt Typhoon.
Salt Typhoon made headlines in October 2024 for a different kind of intelligence-gathering operation. As first reported by the Wall Street Journal, the China-linked hacking group breached several US telecommunications and internet providers, including AT&T, Lumen (formerly CenturyLink) and Verizon. The Journal later reported in January 2025 that Salt Typhoon had also breached US-based internet providers Charter Communications and Windstream. US cyber official Anne Neuberger said the federal government had identified an unnamed ninth phone company that had been hacked.
According to one report, Salt Typhoon may have accessed these communications using compromised Cisco routers. Once inside the telcos’ networks, the attackers were able to access customer call and text message metadata, including the date and time stamps of customer communications, source and destination IP addresses, and phone numbers, from more than one million users, most of whom were located in the Washington, DC area. In some cases the hackers were capable of recording telephone audio from elderly Americans. Neuberger said a “large number” of those whose data was accessed were “government targets of interest.”
By hacking systems used by law enforcement agencies to collect court-authorized customer data, Salt Typhoon also potentially gained access to data and systems that host many of the US government’s data requests, including potential identities of Chinese US surveillance targets.
It is not yet known when the breach of the wiretapping systems occurred, but it may date back to early 2024, according to the Journal’s report.
AT&T and Verizon told TechCrunch in December 2024 that their networks were secure after being targeted by the Salt Typhoon spying group. Lumen confirmed soon after that its network was free of the hackers.
Silk Typhoon
The Chinese-backed hacking group formerly known as Hafnium has quietly re-emerged as the newly named Silk Typhoon after being linked to a December 2024 hack of the US Treasury Department.
In a letter to lawmakers seen by TechCrunch, the U.S. Treasury Department said in late December 2024 that China-backed hackers had used a key stolen from BeyondTrust – a company that provides identity access technology to large organizations and government departments – to gain remote access to certain Treasury employee workstations, where they found internal documents on the department’s unclassified network.
During the hack, the state hacking group also breached the Treasury Department’s sanctions office, which imposes economic and trade sanctions against countries and individuals. It also breached the Treasury Department’s Committee on Foreign Investment in the United States (CFIUS) in December, an agency empowered to block Chinese investment in the United States.
Silk Typhoon is not a new threat group, previously making headlines in 2021 as Hafnium – as it was then known – for exploiting vulnerabilities in self-hosted Microsoft Exchange email servers that breached more than 60,000 organizations.
According to Microsoft, which monitors the government-backed hacking group, Silk Typhoon typically focuses on reconnaissance and data theft and has been known to target healthcare organizations, law firms and non-governmental organizations in Australia, Japan, Vietnam and the United States.
First published on October 13, 2024 and updated.