Concerns Rise Over Chinese Hackers Targeting U.S. Infrastructure, FBI Warns
In recent months, U.S. intelligence officials have reported that government-backed hackers from China have penetrated American infrastructure networks, targeting water, energy, and transportation providers. According to TechCrunch, the intention behind these incursions appears to be preparation for potentially destructive cyberattacks should a conflict arise between the U.S. and China.
FBI Director Christopher Wray informed lawmakers that Chinese hackers have embedded themselves within American infrastructure, ready to cause chaos and inflict real harm on citizens and communities when China deems it the right moment to strike.
The primary suspects identified by the U.S. government and its allies are the hacking groups known as “Typhoon.” The U.S. government has recently released new details concerning the threats posed by these groups.
Volt Typhoon
“Volt Typhoon” represents a new breed of state-sponsored hacking group from China. Their objectives have evolved beyond merely stealing sensitive U.S. secrets to actively preparing to disrupt the U.S. military’s mobilization capabilities, according to the FBI Director.
Microsoft first identified “Volt Typhoon” in May 2023, discovering that the hackers had been targeting and disrupting network equipment, such as routers, firewalls, and VPNs, since mid-2021 as part of a coordinated effort to infiltrate U.S. infrastructure more deeply. In fact, these hackers might have been operating for even longer, potentially up to five years, as noted by TechCrunch.
Moreover, “Volt Typhoon” has been responsible for breaching thousands of internet-connected devices in the months following Microsoft’s report, exploiting vulnerabilities in devices deemed “unsupported,” which no longer receive security updates.
Consequently, the hacking group has infiltrated the IT environments of several critical sectors, including aviation, water, energy, and transportation, setting the stage for potential future cyberattacks.
John Hultquist, a senior analyst at Mandiant, told TechCrunch, “This actor is not quietly gathering intelligence and stealing secrets as has commonly occurred in the U.S. They are probing sensitive infrastructure to disrupt essential services.”
In January, the U.S. government announced that it had successfully dismantled a botnet utilized by “Volt Typhoon,” comprising thousands of compromised routers in the U.S., which the hackers had used to mask their malicious activities targeting the infrastructure.
Flax Typhoon
“Flax Typhoon” was first described in a Microsoft report in August 2023 and is another state-sponsored hacking group that officials claim operates under the guise of a publicly traded cybersecurity firm based in Beijing.
In September, the U.S. government stated it had taken control of another botnet used by “Flax Typhoon.” The botnet was built on the Mirai malware and composed of hundreds of thousands of internet-connected devices, which were used to carry out cyber activities disguised as routine internet traffic from the infected devices.
According to Microsoft’s dossier on the government-backed group, “Flax Typhoon” has been active since mid-2021, primarily targeting government agencies, education, critical industries, and IT organizations in Taiwan. The Justice Department has confirmed Microsoft’s findings, stating that “Flax Typhoon” has attacked several U.S. and foreign companies.
Salt Typhoon
The latest and potentially most concerning group within the “Typhoon” family backed by the Chinese government is “Salt Typhoon.”
This group gained notoriety in October due to an operation described by The Wall Street Journal as one of the most complex. The report noted that the Chinese-linked hackers managed to breach the call monitoring systems of several telecommunications and internet service providers in the U.S., including the well-known companies AT&T and Lumen.
“Salt Typhoon” gained access to these organizations using compromised Cisco routers, and the U.S. government is reportedly in the early stages of investigating the breach.
While the extent of the breach among internet service providers remains unclear, the newspaper cited national security sources indicating that the implications could be catastrophic.
By infiltrating the systems used by law enforcement agencies to collect customer data under court orders, “Salt Typhoon” could gain access to data and systems containing numerous government requests in the U.S., including potential identities of Chinese surveillance targets.
It is not yet known when the breach occurred, but The Wall Street Journal indicates that the hackers may have retained access to the monitoring systems of internet providers for several months or longer.