Meet the Chinese 'Typhoon' Hackers Preparing for War

Of the cybersecurity risks facing the United States today, few loom larger than the sabotage capabilities posed by China-backed hackers, which top U.S. officials have described as an “epoch-defining threat.”

In recent months, U.S. intelligence officials reported that Chinese government hackers have burrowed deep into the networks of U.S. critical infrastructure, including water, energy, and transportation. The goal, officials say, is to prepare for potentially destructive cyberattacks if a conflict arises between China and the U.S., such as a possible Chinese invasion of Taiwan.

“China’s hackers are positioning on American infrastructure to cause real-world harm to American citizens and communities, if or when China decides to strike,” FBI Director Christopher Wray told lawmakers earlier this year.

The U.S. government and its allies have since taken action against the “Typhoon” family of Chinese hacking groups, and they have published new details about the threats they pose.

In January, the U.S. disrupted “Volt Typhoon,” a group of Chinese government hackers tasked with preparing for destructive cyberattacks. Later in September, the feds seized a botnet run by another Chinese hacking group called “Flax Typhoon.” This group masquerades as a private company in Beijing, helping to conceal the activities of China’s government hackers. Since then, a new China-backed hacking group called “Salt Typhoon” emerged, capable of gathering intelligence on Americans by compromising the wiretap systems of U.S. phone and internet providers.

Here’s what we know about the Chinese hacking groups gearing up for war.

Volt Typhoon
Volt Typhoon represents a new breed of China-backed hackers. They no longer just aim to steal U.S. secrets but prepare to disrupt the U.S. military’s ability to mobilize, according to the FBI director.

Microsoft first identified Volt Typhoon in May 2023. The hackers had been targeting network equipment, such as routers, firewalls, and VPNs, since mid-2021 as part of an ongoing effort to infiltrate deeper into U.S. critical infrastructure. In reality, they likely operated for much longer, potentially for as long as five years.

Volt Typhoon compromised thousands of internet-connected devices in the months following Microsoft’s report. They exploited vulnerabilities in devices considered “end-of-life,” which no longer received security updates. In this way, the hacking group managed to compromise IT environments in critical infrastructure sectors, including aviation, water, energy, and transportation, pre-positioning itself for future disruptive cyberattacks.

“This actor is not quietly collecting intelligence and secrets, as has been the norm in the U.S. They are probing sensitive infrastructure to disrupt major services when the order comes down,” said John Hultquist, chief analyst at Mandiant.

The U.S. government said in January that it had disrupted a botnet used by Volt Typhoon. This botnet consisted of hijacked U.S.-based routers that the Chinese hackers used to hide their malicious activity targeting U.S. infrastructure. The FBI removed the malware from these routers, severing the hacking group’s connection to the botnet.

Flax Typhoon
Flax Typhoon, first identified in an August 2023 Microsoft report, is another China-backed group. Officials say it has operated under the guise of a publicly traded cybersecurity company based in Beijing. The company, Integrity Technology Group, has acknowledged its connections to China’s government, according to U.S. officials.

In September, the U.S. government said it had taken control of another botnet used by Flax Typhoon. This botnet, composed of hundreds of thousands of internet-connected devices, ran a custom variant of the infamous Mirai malware.

U.S. officials said the Flax Typhoon-controlled botnet was used to conduct malicious cyber activities disguised as routine internet traffic from infected consumer devices. Prosecutors noted that this botnet allowed other China-backed hackers to breach networks in the U.S. and worldwide, stealing information and putting our infrastructure at risk.

According to Microsoft’s profile, Flax Typhoon has been active since mid-2021. They predominantly targeted government agencies, critical manufacturing, and IT organizations in Taiwan. The Department of Justice corroborated Microsoft’s findings, stating that Flax Typhoon also attacked multiple U.S. and foreign corporations.

Salt Typhoon
The latest and potentially most ominous group in China’s cyber army is Salt Typhoon.

Salt Typhoon hit headlines in October for a much more sophisticated operation. As first reported by The Wall Street Journal, this hacking group is believed to have compromised the wiretap systems of several U.S. telecom and internet providers, including AT&T, Lumen, and Verizon.

According to one report, Salt Typhoon may have accessed these organizations using compromised Cisco routers. The U.S. government is in the early stages of its investigation.

While the scale of the compromises remains unknown, the Journal, citing national security sources, said the breach could be “potentially catastrophic.” By hacking into systems used for court-authorized data collection, Salt Typhoon potentially accessed data covering much of the U.S. government’s surveillance requests, including the identities of Chinese targets of U.S. surveillance.

It’s unclear when the breach occurred, but WSJ reports that the hackers may have held access to the internet providers’ wiretap systems for months or longer.