Of the cybersecurity risks facing the United States today, few are greater than the potential sabotage capabilities posed by Chinese-backed hackers, which top US national security officials have described as an “era-defining threat”.
The United States says Chinese government-backed hackers — in some cases for years — have penetrated the networks of critical U.S. infrastructure, including water, energy and transportation providers. The goal, officials say, is to lay the groundwork for potentially devastating cyberattacks in the event of a future conflict between China and the United States, such as a possible Chinese invasion of Taiwan.
“China’s hackers are positioning themselves on American infrastructure in preparation to wreak havoc and cause real-world damage to American citizens and communities if or when China decides the time has come to strike,” then-FBI director Christopher Wray told lawmakers last year.
The US government and its allies have taken action against some of the Chinese “Typhoon” hacker groups and have released new details about the threats these groups pose.
In January 2024, the US disrupted Volt Typhoon, a group of Chinese government hackers tasked with setting the stage for devastating cyber attacks. Later, in September 2024, federal authorities seized control of a botnet run by another Chinese hacking group called Flax Typhoon, which used a Beijing-based cybersecurity company to help hide the Chinese government hackers’ activities. Then, in December, the US government sanctioned the cyber security company for its alleged role in “multiple incidents of computer intrusions against US victims”.
Since then, another Chinese-backed hacking group called “Salt Typhoon” has emerged on the networks of US phone and internet giants, gathering intelligence on Americans – and on potential targets of US surveillance – by compromising the telecom systems used for law enforcement wiretapping.
And a Chinese threat actor called Silk Typhoon (formerly known as Hafnium), a hacking group that has been active since at least 2021, returned in December 2024 with a new campaign targeting the US Treasury.
Here’s what we’ve learned about Chinese hacker groups preparing for war.
Volt Typhoon
Volt Typhoon represents a new breed of Chinese-backed hacking group; no longer aimed solely at stealing sensitive US secrets, but rather preparing to disrupt the US military’s “mobilization capability,” according to the then-FBI director.
Microsoft first identified Volt Typhoon in May 2023, revealing that the hackers had been targeting and compromising network equipment such as routers, firewalls and VPNs since at least mid-2021 as part of a continuous and coordinated effort to penetrate deeply into the systems of US critical infrastructure. The US intelligence community said that in reality the hackers had likely been operating for much longer, potentially up to five years.
Volt Typhoon compromised thousands of these Internet-connected devices in the months after Microsoft’s report, exploiting vulnerabilities in devices that were considered “end-of-life” and therefore would no longer receive security updates. The group then gained further access to the IT environments of many critical infrastructure sectors, including aviation, water, energy and transport, pre-positioning itself to trigger future disruptive cyber-attacks aimed at slowing down the US government’s response to an invasion of its main ally, Taiwan.
“This actor is not doing the quiet intelligence gathering and stealing of secrets that has been the norm in the US, they are probing critical sensitive infrastructure so they can disrupt key services if and when the warrant goes down,” said John Hultquist, chief analyst at security firm Mandiant.
The US government said in January 2024 that it had successfully disrupted a botnet used by Volt Typhoon, consisting of thousands of hijacked US-based small office and home network routers that the Chinese hacker group used to conceal its malicious activity targeting US critical infrastructure. The FBI said it was able to remove the malware from the hijacked routers through a court-sanctioned operation, severing the Chinese hacker group’s connection to the botnet.
As of January 2025, the US had detected more than 100 intrusions across the country and its territories linked to Volt Typhoon, according to a report by Bloomberg. A large number of these attacks targeted Guam, a US island territory in the Pacific and a strategic location for US military operations, the report said. Volt Typhoon allegedly targeted critical infrastructure on the island, including its main power authority, the island’s largest cell provider and several US federal networks, including sensitive defense systems based in Guam. Bloomberg reported that Volt Typhoon used an entirely new type of malware to target networks in Guam that it had not deployed before, which researchers took as a sign of the region’s high importance to China-backed hackers.
Flax Typhoon
Flax Typhoon, first outed by Microsoft a few months later in an August 2023 report, is another Chinese-backed hacking group that officials say has operated under the guise of a publicly traded cybersecurity company based in Beijing to carry out hacks against critical infrastructure in recent years. Microsoft said Flax Typhoon – also active since mid-2021 – primarily targeted dozens of “government agencies and educational, critical manufacturing and information technology organizations in Taiwan”.
Then, in September 2023, the US government said it had taken control of another botnet, consisting of hundreds of thousands of hijacked Internet-connected devices, used by Flax Typhoon to “conduct malicious cyber activities disguised as routine Internet traffic from infected consumer devices.” Prosecutors said the botnet allowed other hackers backed by the Chinese government to “hack into networks in the US and around the world to steal information and put our infrastructure at risk.”
The Justice Department later confirmed Microsoft’s findings, adding that Flax Typhoon also “attacked numerous US and foreign corporations.”
US officials said the botnet used by Flax Typhoon was operated and controlled by Beijing-based cybersecurity company Integrity Technology Group. In January 2024, the US government imposed sanctions on Integrity Tech for its alleged ties to Flax Typhoon.
Salt Typhoon
The latest — and potentially most sinister — group in China’s government-backed cyber army revealed in recent months is Salt Typhoon.
Salt Typhoon hit the headlines in October 2024 for a different kind of intelligence gathering operation. As first reported by The Wall Street Journal, the China-linked hacker group compromised several US telecom and internet providers, including AT&T, Lumen (formerly CenturyLink) and Verizon. The paper later reported in January 2025 that Salt Typhoon also breached US-based internet providers Charter Communications and Windstream. US cyber official Anne Neuberger said the federal government had identified a ninth unnamed telecom hacked.
According to a report, Salt Typhoon may have gained access to these telecom networks using compromised Cisco routers. Once inside, the attackers were able to access customer call and text message metadata, including date and time stamps of customer communications, source and destination IP addresses, and phone numbers from over one million users, most of whom were individuals located in the Washington DC area. In some cases, the hackers were able to intercept phone audio from elderly Americans. Neuberger said a “large number” of those whose data was accessed were “targets of government interest”.
By hacking the systems that law enforcement agencies use for court-authorized collection of customer data, Salt Typhoon also potentially gained access to data and systems that house many of the US government’s data requests, including potential identities of Chinese targets of US surveillance.
It is not yet known when the breach of the surveillance systems occurred, but it could date back to early 2024, according to the Journal report.
AT&T and Verizon told TechCrunch in December 2024 that their networks were secure after being targeted by the Salt Typhoon spying group. Lumen confirmed shortly after that its network was free of hackers.
Silk Typhoon
The Chinese-backed hacking group formerly known as Hafnium quietly re-emerged as the newly named Silk Typhoon after being linked to a December 2024 hack of the US Treasury.
In a letter to lawmakers seen by TechCrunch, the US Treasury said in late December 2024 that China-backed hackers used a key stolen from BeyondTrust — a company that provides identity access technology to large organizations and government departments — to gain remote access to several Treasury employee workstations, including internal documents on the department’s unclassified network.
During the hack, the state-sponsored hacker group also compromised the Treasury’s sanctions office, which imposes economic and trade sanctions against countries and individuals, and in December also breached the Treasury’s Committee on Foreign Investment in the United States, or CFIUS, an office that has the power to block Chinese investment in the United States.
Silk Typhoon is not a new threat group, having previously made headlines in 2021 as Hafnium – as it was then known – for exploiting vulnerabilities in self-hosted Microsoft Exchange email servers that compromised more than 60,000 organizations.
According to Microsoft, which tracks the group of government-backed hackers, Silk Typhoon typically focuses on discovery and data theft and is known to target healthcare organizations, law firms and non-governmental organizations in Australia, Japan, Vietnam and the United States.
First published on October 13, 2024 and updated.