Meet the Chinese ‘Typhoon’ hackers preparing for war



Of the cybersecurity risks facing the United States today, few loom larger than the potential sabotage capabilities posed by China-backed hackers, which top U.S. officials have described as an “epoch-defining threat.”

In recent months, U.S. intelligence officials said Chinese government-backed hackers have been burrowing deep into the networks of U.S. critical infrastructure, including water, energy and transportation providers. The goal, officials say, is to lay the groundwork for potentially destructive cyberattacks in the event of a future conflict between China and the U.S., such as over a possible Chinese invasion of Taiwan.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” FBI Director Christopher Wray told lawmakers earlier this year.

The U.S. government and its allies have since taken action against the “Typhoon” family of the Chinese hacking groups, and published new details about the threats they pose.

In January, the U.S. disrupted a group dubbed “Volt Typhoon,” a team of Chinese government hackers tasked with setting the stage for destructive cyberattacks. Later, in September, the feds hijacked a botnet run by another Chinese hacking group called “Flax Typhoon,” which masquerades as a private company in Beijing and whose role was to help conceal the activities of China’s government hackers. Since then, a new China-backed hacking group called “Salt Typhoon” has emerged, capable of gathering intelligence on Americans — and on potential targets of U.S. surveillance — by compromising the wiretap systems of U.S. phone and internet providers.

Here’s what we know so far about the Chinese hacking groups gearing up for war. 

Volt Typhoon

Volt Typhoon represents a new breed of China-backed hacking group: no longer aimed only at stealing sensitive U.S. secrets, but at preparing to disrupt the U.S. military’s “ability to mobilize,” according to the FBI’s director.

Microsoft first identified Volt Typhoon in May 2023, finding that the hackers had targeted and compromised network equipment, such as routers, firewalls, and VPNs, since mid-2021 as part of an ongoing and concerted effort to infiltrate deeper into U.S. critical infrastructure. In reality, the hackers had likely been operating for much longer, potentially for as long as five years.

Volt Typhoon compromised thousands of internet-connected devices in the months following Microsoft’s report, exploiting vulnerabilities in devices that were considered “end-of-life” and therefore no longer received security updates. The hacking group subsequently managed to compromise the IT environments of multiple critical infrastructure sectors, including aviation, water, energy, and transportation, pre-positioning itself to launch disruptive cyberattacks in the future.

“This actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the U.S. They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down,” said John Hultquist, chief analyst at security firm Mandiant.

The U.S. government said in January that it had successfully disrupted a botnet used by Volt Typhoon, consisting of thousands of hijacked U.S.-based small office and home network routers, which the Chinese hacking group used to hide its malicious activity targeting U.S. critical infrastructure. The FBI said it was able to remove the malware from the hijacked routers, severing the Chinese hacking group’s connection to the botnet.

Flax Typhoon

Flax Typhoon, first outed in an August 2023 report from Microsoft, is another China-backed hacking group that officials say has operated under the guise of a publicly traded cybersecurity company based in Beijing. The company, Integrity Technology Group, has publicly acknowledged its connections to China’s government, according to U.S. officials. 

In September, the U.S. government said it had taken control of another botnet, used by Flax Typhoon and made up of hundreds of thousands of internet-connected devices, which ran a custom variant of the infamous Mirai malware.

U.S. officials said at the time that the Flax Typhoon-controlled botnet was used to “conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices.” Prosecutors said the botnet run by Flax Typhoon allowed other China government-backed hackers to “hack into networks in the U.S. and around the world to steal information and hold our infrastructure at risk.” 

According to Microsoft’s profile of the government-backed group, Flax Typhoon has been active since mid-2021, predominantly targeting “government agencies and education, critical manufacturing, and information technology organizations in Taiwan.” The Department of Justice said it corroborated Microsoft’s findings and that Flax Typhoon also “attacked multiple U.S. and foreign corporations.”

Salt Typhoon

The latest — and potentially most ominous — group in China’s government-backed cyber army uncovered in recent months is Salt Typhoon.

Salt Typhoon hit headlines in October for a much more sophisticated operation. As first reported by the Wall Street Journal, the China-linked hacking group is believed to have compromised the wiretap systems of several U.S. telecom and internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon.

According to one report, Salt Typhoon may have gained access to these organizations using compromised Cisco routers. The U.S. government is said to be in the early stages of its investigation.

While the scale of the internet provider compromises remains unknown, the Journal, citing national security sources, said the breach could be “potentially catastrophic.” By hacking into the systems that law enforcement agencies use for court-authorized collection of customer data, Salt Typhoon potentially gained access to data and systems that house much of the U.S. government’s lawful-intercept requests — including the potential identities of Chinese targets of U.S. surveillance.

It’s not yet known when the breach occurred, but WSJ reports that the hackers may have held access to the internet providers’ wiretap systems “for months or longer.”
