Few of the cybersecurity risks facing the United States today are greater than the potential subversive capabilities of China-backed hackers, which top US national security officials have described as an “era-defining threat.”
The U.S. says hackers backed by the Chinese government have been burrowing, in some cases for years, deep into the networks of critical U.S. infrastructure, including water, energy and transportation providers. The goal, officials say, is to lay the groundwork for potentially devastating cyberattacks in the event of a future conflict between China and the United States, such as a possible Chinese invasion of Taiwan.
“Chinese hackers are positioning themselves in American infrastructure to prepare to wreak havoc and cause real-world harm to American citizens and communities if or when China decides it’s time to strike,” then-FBI Director Christopher Wray told lawmakers last year.
The US government and its allies have since taken action against some of the Typhoon family of Chinese hacking groups and released new details about the threats posed by the groups.
In January 2024, the U.S. government disrupted a botnet used by Volt Typhoon, a group of Chinese government hackers tasked with laying the groundwork for devastating cyberattacks. Then, in September 2024, federal authorities seized control of another botnet, this one operated by a different Chinese hacking group called Flax Typhoon, which used a Beijing-based cybersecurity company as a front for its hacking activity. In January 2025, the U.S. government sanctioned that cybersecurity company for its alleged role in "multiple computer intrusion incidents against U.S. victims."
Since Volt Typhoon came to light, yet another Chinese-backed hacking group, Salt Typhoon, has been found inside the networks of U.S. phone and internet giants, including the systems those carriers use to carry out court-authorized wiretaps for law enforcement.
Here’s what we learned about Chinese hacker groups preparing for war.
Volt Typhoon represents a new breed of Chinese-backed hacking group. According to the FBI director at the time, its aim was no longer just stealing sensitive U.S. secrets, but disrupting the U.S. military's "mobilization capability."
Microsoft first identified Volt Typhoon in May 2023, revealing that the hackers had been targeting and compromising network equipment such as routers, firewalls and VPNs since at least mid-2021 as part of an ongoing and concerted effort to penetrate deep into U.S. critical infrastructure systems. The U.S. intelligence community later said the hackers had in fact been active for much longer, potentially as long as five years.
In the months after Microsoft's report, Volt Typhoon compromised thousands of internet-connected devices, exploiting vulnerabilities in devices considered "end-of-life" and therefore no longer receiving security updates. The group then gained further access into the IT environments of multiple critical infrastructure sectors, including aviation, water, energy and transportation, pre-positioning itself to enable future disruptive cyberattacks aimed at slowing any U.S. government response to an invasion of its key ally, Taiwan.
"This actor is not engaged in the covert intelligence gathering and theft that is commonplace in the United States. They are probing sensitive critical infrastructure so that they can disrupt essential services if and when the order goes down," said John Hultquist, an analyst at security firm Mandiant.
In January 2024, the U.S. government said it had successfully disrupted a botnet used by Volt Typhoon, made up of thousands of compromised small office and home office routers located in the U.S., which the Chinese hacking group used to hide its malicious activity targeting U.S. critical infrastructure. The FBI said it was able to remove the malware from the hijacked routers in a court-authorized operation that severed their connection to the botnet.
As of January 2025, the U.S. had detected more than 100 Volt Typhoon intrusions across the country and its territories, according to Bloomberg. Many of these targeted Guam, a U.S. island territory in the Pacific and a strategic location for American military operations, the report said. Volt Typhoon allegedly targeted critical infrastructure on the island, including its main power utility, the island's largest mobile carrier and several U.S. federal networks, including sensitive defense systems located on Guam. Bloomberg reported that Volt Typhoon used an entirely new kind of malware against networks in Guam, which researchers saw as a sign of the region's high importance to Chinese-backed hackers.
Flax Typhoon, first described by Microsoft a few months later in an August 2023 report, is another Chinese-backed hacking group that officials say has in recent years operated under the guise of a publicly traded Beijing-based cybersecurity firm to carry out intrusions against critical infrastructure. Microsoft said Flax Typhoon, which has been active since mid-2021, mainly targeted "dozens of government agencies and educational, critical manufacturing and information technology organizations in Taiwan."
Then, in September 2024, the U.S. government said it had taken control of another botnet, consisting of hundreds of thousands of hijacked internet-connected devices, which Flax Typhoon used for "conducting malicious cyber activity disguised as normal Internet traffic from infected consumer devices." Prosecutors said the botnet allowed other hackers backed by the Chinese government to "intrude into networks in the United States and around the world to steal information and put our infrastructure at risk."
The Justice Department later confirmed Microsoft's findings, adding that Flax Typhoon also "attacked numerous U.S. and foreign corporations."
U.S. officials said the botnet used by Flax Typhoon was controlled and operated by Beijing-based cybersecurity firm Integrity Technology Group. In January 2025, the U.S. government imposed sanctions on Integrity Tech over its involvement with Flax Typhoon.
The latest, and potentially most troubling, group in China's government-backed cyber army to be uncovered in recent months is Salt Typhoon.
Salt Typhoon made headlines in October 2024 for a different kind of intelligence-gathering operation. As first reported by The Wall Street Journal, the China-linked hacking group had compromised several U.S. telecom and internet providers, including AT&T, Lumen (formerly CenturyLink) and Verizon. The Journal later reported, in January 2025, that Salt Typhoon had also breached U.S. internet providers Charter Communications and Windstream. U.S. cyber official Anne Neuberger said the federal government had identified a ninth, unnamed hacked telecom company.
According to one report, Salt Typhoon may have gained access to these telcos through compromised Cisco routers. Once inside the telecom networks, the attackers were able to access customer call and text message metadata, including the dates and timestamps of customers' communications, source and destination IP addresses, and the phone numbers of more than one million users, most of whom were based in Washington. In some cases, the hackers were able to capture the phone calls of senior American officials. Neuberger said a "large number" of those whose information was obtained were "targets of government interest."
By compromising the systems that telecom providers use to hand over customer data to law enforcement under court authorization, Salt Typhoon also gained access to data and systems that potentially contained most of the U.S. government's data requests, including the potential identities of Chinese targets under U.S. surveillance.
It is not yet known when the wiretap systems were breached, but it may have been as early as 2024, according to the Journal's report.
AT&T and Verizon told TechCrunch in December 2024 that their networks were secure after being targeted by the Salt Typhoon espionage group. Lumen soon after confirmed that its network was free of the hackers.
First published and updated on October 13, 2024.