TechCrunch News, January 7
Meet the Chinese ‘Typhoon’ hackers preparing for war
U.S. national security officials say that China-backed hackers pose an "epoch-defining" threat to the United States, having burrowed deep into the networks of U.S. critical infrastructure, including water, energy, and transportation providers. The hackers' goal is to launch destructive cyberattacks in a future conflict between China and the United States, such as over Taiwan. The U.S. government has taken action against the "Typhoon" family of hacking groups and published details of the threats they pose. Among them, "Volt Typhoon" aims to disrupt the U.S. military's ability to mobilize, while "Flax Typhoon" uses a Beijing cybersecurity company to conceal its activities. The recently emerged "Salt Typhoon" breached telecom systems to obtain U.S. citizens' call and text message data, including law enforcement wiretap information. These operations show that China-backed hackers are actively preparing to launch cyberattacks against the United States.

⚠️ Volt Typhoon: no longer merely stealing U.S. secrets, but preparing to disrupt the U.S. military's ability to mobilize by compromising network devices such as routers, firewalls, and VPNs, infiltrating U.S. critical infrastructure and pre-positioning for future destructive cyberattacks.

🌪️ Flax Typhoon: uses a Beijing cybersecurity company as cover to attack government agencies, educational institutions, critical manufacturing, and information technology organizations in Taiwan, and operates a botnet of hundreds of thousands of hijacked internet-connected devices to attack networks in the U.S. and around the world.

📞 Salt Typhoon: by compromising U.S. telecom and internet providers, obtained call and text message metadata of millions of users, could even capture phone audio of senior U.S. officials, and may have accessed the U.S. government's data request systems, including the identities of Chinese targets of U.S. surveillance.

Of the cybersecurity risks facing the United States today, few loom larger than the potential sabotage capabilities posed by China-backed hackers, which senior U.S. national security officials have described as an “epoch-defining threat.”

The U.S. says Chinese government-backed hackers have — in some cases for years — been burrowing deep into the networks of U.S. critical infrastructure, including water, energy, and transportation providers. The goal, officials say, is to lay the groundwork for potentially destructive cyberattacks in the event of a future conflict between China and the United States, such as over a possible Chinese invasion of Taiwan.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” then-outgoing FBI Director Christopher Wray told lawmakers last year.

The U.S. government and its allies have since taken action against some of the “Typhoon” family of Chinese hacking groups, and published new details about the threats posed by these groups.

In January 2024, the U.S. disrupted “Volt Typhoon,” a group of Chinese government hackers tasked with setting the stage for destructive cyberattacks. Later in September 2024, federal authorities took control of a botnet run by another Chinese hacking group called “Flax Typhoon,” which used a Beijing-based cybersecurity company to help conceal the activities of China’s government hackers. Then in December 2025, the U.S. government sanctioned the cybersecurity company for its alleged role in “multiple computer intrusion incidents against U.S. victims.”

Since the emergence of Volt Typhoon, another new China-backed hacking group called “Salt Typhoon” appeared in the networks of U.S. phone and internet giants, capable of gathering intelligence on Americans — and potential targets of U.S. surveillance — by compromising telecom systems used for law enforcement wiretaps.

Here’s what we have learned about the Chinese hacking groups gearing up for war. 

Volt Typhoon represents a new breed of China-backed hacking group: no longer just aimed at stealing sensitive U.S. secrets, but rather preparing to disrupt the U.S. military’s “ability to mobilize,” according to the then-FBI director.

Microsoft first identified Volt Typhoon in May 2023, finding that the hackers had targeted and compromised network equipment, such as routers, firewalls, and VPNs, since at least mid-2021 as part of an ongoing and concerted effort to infiltrate deep into the systems of U.S. critical infrastructure. The U.S. intelligence community said that in reality, it’s likely the hackers were operating for much longer, potentially for as long as five years.

Volt Typhoon compromised thousands of these internet-connected devices in the months following Microsoft’s report, exploiting vulnerabilities in devices that were considered “end-of-life” and therefore would no longer receive security updates. The hacking group subsequently gained further access to the IT environments of multiple critical infrastructure sectors, including aviation, water, energy, and transportation, pre-positioning for activating future disruptive cyberattacks aimed at slowing the U.S. government’s response to an invasion of its key ally, Taiwan.

“This actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the U.S. They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down,” said John Hultquist, chief analyst at security firm Mandiant.

The U.S. government said in January 2024 that it had successfully disrupted a botnet, used by Volt Typhoon, consisting of thousands of hijacked U.S.-based small office and home network routers, which the Chinese hacking group used to hide its malicious activity aimed at targeting U.S. critical infrastructure. The FBI said it was able to remove the malware from hijacked routers by way of a court-sanctioned operation, severing the Chinese hacking group’s connection to the botnet.

By January 2025, the U.S. had discovered more than 100 intrusions across the country and its territories linked to Volt Typhoon, according to reporting by Bloomberg. A large number of these attacks have targeted Guam, a U.S. island territory in the Pacific and a strategic location for American military operations, the report said. Volt Typhoon allegedly targeted critical infrastructure on the island, including its main power authority, the island’s largest cell provider, and several U.S. federal networks, including sensitive defense systems, based on Guam. Bloomberg reported that Volt Typhoon used an entirely new kind of malware to target networks in Guam that it hadn’t ever deployed before, which researchers took as a sign of the high importance that the region has to the China-backed hackers.

Flax Typhoon, first outed by Microsoft several months later in an August 2023 report, is another China-backed hacking group, which officials say has operated under the guise of a publicly traded cybersecurity company based in Beijing to carry out hacks against critical infrastructure in recent years. Microsoft said Flax Typhoon — also active since mid-2021 — predominantly targeted dozens of “government agencies and education, critical manufacturing, and information technology organizations in Taiwan.”

Then in September 2023, the U.S. government said it had taken control of another botnet, which was made up of hundreds of thousands of hijacked internet-connected devices, and used by Flax Typhoon to “conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices.” Prosecutors said the botnet allowed other China government-backed hackers to “hack into networks in the U.S. and around the world to steal information and hold our infrastructure at risk.” 

The Department of Justice later corroborated Microsoft’s findings, adding that Flax Typhoon also “attacked multiple U.S. and foreign corporations.”

U.S. officials said that the botnet used by Flax Typhoon was operated and controlled by the Beijing-based cybersecurity company, Integrity Technology Group. In January 2024, the U.S. government imposed sanctions on Integrity Tech over its alleged links to Flax Typhoon. 

The latest — and potentially most ominous — group in China’s government-backed cyber army uncovered in recent months is Salt Typhoon.

Salt Typhoon hit headlines in October 2024 for a different kind of information-gathering operation. As first reported by The Wall Street Journal, the China-linked hacking group compromised several U.S. telecom and internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon. The Journal reported later in January 2025 that Salt Typhoon also breached the U.S.-based internet providers Charter Communications and Windstream. U.S. cyber official Anne Neuberger said the federal government had identified an unnamed ninth hacked telco.

According to one report, Salt Typhoon may have gained access to these telcos using compromised Cisco routers. Once inside the telcos’ networks, the attackers were able to access customer call and text message metadata, including date and time stamps of customer communications, source and destination IP addresses, and phone numbers from over a million users, most of whom were individuals located in the Washington, D.C. area. In some cases the hackers were capable of capturing phone audio from senior U.S. officials. Neuberger said that a “large number” of those who had data accessed were “government targets of interest.”

By hacking into systems that law enforcement agencies use for court-authorized collection of customer data, Salt Typhoon also potentially gained access to data and systems that house much of the U.S. government’s data requests, including the potential identities of Chinese targets of U.S. surveillance. 

It’s not yet known when the breach of the wiretap systems occurred, but may date back to early 2024, according to the Journal’s reporting.

AT&T and Verizon told TechCrunch in December 2024 that their networks were secure after being targeted by the Salt Typhoon espionage group. Lumen confirmed soon after that its network was free from the hackers. 

First published October 13, 2024 and updated.
