Among the cybersecurity threats facing the United States today, few loom larger than the potential destructive capabilities of China-backed hackers, a threat that senior U.S. national security officials have described as "age-defining."
The U.S. says China's government-backed hackers have burrowed deep into U.S. critical infrastructure networks, including water, energy and transportation providers, for years. The goal, officials said, is to lay the groundwork for potentially devastating cyberattacks in the event of a future conflict between China and the United States, such as over a possible Chinese invasion of Taiwan.
"China's hackers are preparing to cause real harm to American citizens and communities, if or when China decides to attack," then-FBI Director Christopher Wray told lawmakers last year.
Since then, the U.S. government and its allies have taken action against some of the "Typhoon" family of Chinese hacking groups and released detailed information about the threats they pose.
In January 2024, the U.S. disrupted "Volt Typhoon," a group of Chinese government hackers that had been setting the stage for destructive cyberattacks. Then in September 2024, federal authorities took control of a botnet run by another Chinese hacking group called "Flax Typhoon," which used a Beijing-based cybersecurity company as cover for the activities of China's government hackers. In January 2025, the U.S. government sanctioned that cybersecurity firm over its alleged involvement in several computer intrusions against American victims.
Since then, another China-backed hacking group dubbed "Salt Typhoon" has emerged, having compromised the networks of American phone and internet giants, including the systems those carriers use to handle law-enforcement wiretaps, which could allow it to gather intelligence on Americans and on the targets of U.S. intelligence.
In addition, a Chinese threat actor known as Silk Typhoon (formerly known as Hafnium), a hacking group active since at least 2021, returned in December 2024 with a new campaign targeting the U.S. Treasury.
Here's what we've learned about the Chinese hacking groups preparing for war.
Volt Typhoon
Volt Typhoon represents a new breed of China-backed hacking groups. No longer just aiming to steal sensitive U.S. secrets, the then-FBI director said, the group was preparing to disrupt the U.S. military's "ability to mobilize."
Volt Typhoon was first identified by Microsoft in May 2023. Active since at least mid-2021, the group was found to be targeting and compromising network equipment such as routers, firewalls and VPNs as part of an effort to penetrate deep into U.S. critical infrastructure systems. In fact, the U.S. intelligence community said, the hackers may have been operating for much longer, possibly up to five years.
In the months after Microsoft's report, Volt Typhoon compromised thousands of these internet-connected devices, exploiting vulnerabilities in equipment designated "end-of-life" and no longer receiving security updates. The group subsequently gained access to the IT environments of several critical infrastructure sectors, including aviation, water, energy and transportation, pre-positioning itself to launch future disruptive cyberattacks aimed at slowing a U.S. response in the event of a Chinese invasion of Taiwan, a key U.S. ally.
"This actor is not doing the quiet intelligence gathering and stealing of secrets that has been typical in the U.S. They are probing critical infrastructure so that if the order comes down, they can disrupt key services," said John Hultquist, chief analyst at security firm Mandiant.
In January 2024, the U.S. government said it had successfully disrupted a botnet used by Volt Typhoon, made up of thousands of hijacked U.S.-based small office and home office routers, which the Chinese hacking group used to disguise its malicious activity against U.S. critical infrastructure. The FBI said that, under court authorization, it was able to remove the malware from the hijacked routers and sever their connection to the hacking group's botnet.
By January 2025, the U.S. had detected more than 100 intrusions across the country and its territories associated with Volt Typhoon, Bloomberg reported. Many of the attacks targeted Guam, a U.S. territory in the Pacific that is a strategic location for U.S. military operations, the report said. Volt Typhoon allegedly targeted critical infrastructure on the island, including its main power authority and its largest cellular provider, as well as U.S. federal networks, including sensitive defense systems based in Guam. Volt Typhoon used an entirely new type of malware, never seen before, against networks in Guam, Bloomberg reported, which researchers considered a sign of how important the region is to China-backed hackers.
Flax Typhoon
Flax Typhoon, which Microsoft exposed in an August 2023 report, is a China-backed hacking group that operated under the guise of a publicly traded Beijing-based cybersecurity firm and has hacked critical infrastructure in recent years. Active since mid-2021, Microsoft says, Flax Typhoon has targeted dozens of government agencies and education, critical manufacturing and information technology organizations, predominantly in Taiwan.
Then in September 2024, the U.S. government said it had taken control of another botnet, made up of thousands of compromised internet-connected devices, which Flax Typhoon used "to conduct malicious cyber activity disguised as routine internet traffic from infected consumer devices." The botnet allowed other Chinese government-backed hackers to break into networks in the United States and around the world to steal information and compromise infrastructure, prosecutors said.
The Justice Department later confirmed Microsoft's findings, adding that Flax Typhoon "attacked numerous U.S. and foreign corporations."
U.S. officials said the botnet used by Flax Typhoon was operated by Beijing-based cybersecurity firm Integrity Technology Group. In January 2025, the U.S. government imposed sanctions on Integrity Tech over its alleged links to Flax Typhoon.
Salt Typhoon
The latest, and possibly the most nefarious, of China's government-backed cyber armies to be exposed in recent months is Salt Typhoon.
Salt Typhoon hit the headlines in October 2024 for a different kind of data-gathering operation. As first reported by The Wall Street Journal, the China-linked hacking group compromised several U.S. telecom and internet service providers, including AT&T, Lumen (formerly CenturyLink) and Verizon. In January 2025, the Journal reported that Salt Typhoon had also breached U.S.-based internet providers Charter Communications and Windstream. Anne Neuberger, the senior U.S. cyber official, said the federal government had identified a ninth telecommunications company that had been compromised, which she did not name.
According to one report, Salt Typhoon may have gained access to these telcos through compromised Cisco routers. The attackers were able to access customer call and text message metadata, including the dates and timestamps of customer communications, and source and destination IP addresses and phone numbers, for more than a million users, most of them individuals in the Washington, D.C. area. In some cases, the hackers were able to capture the phone calls of prominent Americans. Neuberger said "many" of those whose data was accessed were "targets of government interest."
Salt Typhoon also hacked into the systems that law-enforcement agencies use to collect customer data under court authorization. In doing so, it potentially accessed the data and systems that housed many of the U.S. government's data requests, including potential evidence of which Chinese targets were under U.S. surveillance.
It is not known when the breach of the wiretap systems occurred, but it could have begun as early as 2024, according to the Journal.
AT&T and Verizon told TechCrunch in December 2024 that they had secured their networks after being targeted by the Salt Typhoon espionage group. Lumen soon confirmed that the hackers were no longer present on its network.
Silk Typhoon
The China-backed hacking group formerly known as Hafnium has quietly resurfaced under a new name, Silk Typhoon, after being linked to the December 2024 hack of the U.S. Treasury.
In a letter to lawmakers seen by TechCrunch, the U.S. Treasury said in late December 2024 that China-backed hackers had used a key stolen from BeyondTrust, a company that provides identity-access technology to large organizations and government departments, to remotely access documents on the department's unclassified network.
During the hack, the government-sponsored hacking group also compromised the Treasury's sanctions office, which imposes economic and trade sanctions on countries and individuals. Also breached was the Committee on Foreign Investment in the United States (CFIUS), an office with the authority to block Chinese investments in the United States.
Silk Typhoon is not a new threat group. Operating as Hafnium in 2021, it exploited vulnerabilities in self-hosted Microsoft Exchange email servers, affecting more than 60,000 organizations.
According to Microsoft, the government-backed Silk Typhoon typically focuses on reconnaissance and data theft, and is known for targeting healthcare organizations, law firms and non-governmental organizations in Australia, Japan, Vietnam and the United States.
First published on October 13, 2024, and updated since.