Few cybersecurity risks facing the United States today loom as large as the potential for sabotage by Chinese-backed hackers, which senior U.S. national security officials have dubbed the “defining threat of our time.”
The United States says hackers backed by the Chinese government have penetrated deep into the networks of critical U.S. infrastructure, including water, energy and transportation systems, in some cases for years. Officials say the goal is to lay the groundwork for a potentially devastating cyberattack in the event of a future conflict between China and the United States, including over a possible Chinese invasion of Taiwan.
“Chinese hackers are preparing to wreak havoc on U.S. infrastructure and cause real-world damage if China decides the time is right for an attack,” former FBI Director Christopher Wray told Congress last year.
The U.S. government and its allies have since taken action against some members of the Chinese Typhoon family of hacker groups and released new details about the threat these groups pose.
In January 2024, the United States disrupted Volt Typhoon, a Chinese government hacker group tasked with setting the stage for a devastating cyberattack. In late September 2024, federal authorities took control of a botnet run by another Chinese hacker group known as Flax Typhoon, which used a Beijing-based cybersecurity firm as a front for the activities of Chinese government hackers. And in December, the U.S. government sanctioned that cybersecurity firm for its alleged involvement in “multiple computer intrusion incidents against U.S. victims.”
Since then, another group of Chinese-backed hackers, known as Salt Typhoon, has been discovered inside the networks of U.S. phone and internet giants, where it gained access to the communications systems used for court-authorized law enforcement wiretaps, potentially allowing it to collect information about Americans and about the targets of U.S. surveillance.
And a Chinese threat actor called Silk Typhoon (formerly known as Hafnium), a hacker group that has been active since at least 2021, re-emerged in December 2024 with a new campaign targeting the U.S. Treasury Department.
Here's what we know about the Chinese hacker groups preparing for war.
Volt Typhoon
Volt Typhoon represents a new breed of Chinese-backed hacker group. According to the FBI director at the time, its goal is no longer just to steal U.S. secrets, but rather to disrupt the “mobilization capabilities” of the U.S. military.
Microsoft first identified Volt Typhoon in May 2023, finding that the hackers had been targeting and compromising routers, firewalls, VPNs, and other network equipment since at least mid-2021 as part of an ongoing and concerted effort to penetrate deep into U.S. critical infrastructure. U.S. intelligence agencies said the hackers may in fact have been active for much longer, in some cases as long as five years.
Volt Typhoon compromised thousands of these internet-connected devices in the months following Microsoft's report, exploiting vulnerabilities in devices that were considered “end of life” and would no longer receive security updates. The hacker group then gained further access to the IT environments of multiple critical infrastructure sectors, including aviation, water, energy, and transportation, in preparation for future destructive cyberattacks aimed at delaying the U.S. government's response to an invasion of a key ally, Taiwan.
“These attackers did not collect intelligence or steal secrets, which is common in the United States. They probed sensitive critical infrastructure so that they could disrupt key services if ordered to do so,” said John Hultquist, chief analyst at security company Mandiant.
In January 2024, the U.S. government announced that it had successfully disrupted a botnet used by Volt Typhoon. The botnet was made up of thousands of hijacked U.S.-based small office and home office routers, which the Chinese hackers were using to hide malicious activity targeting U.S. critical infrastructure. The FBI said a court-approved operation removed the malware from the hijacked routers and severed the connection between the Chinese hacker group and the botnet.
By January 2025, the United States had discovered more than 100 intrusions across the United States and its territories linked to Volt Typhoon, according to a report by Bloomberg. Many of these attacks targeted Guam, a U.S. island territory in the Pacific Ocean and a strategic hub for U.S. military operations, the report said. Volt Typhoon is said to have targeted the island's critical infrastructure, including its main power authority, its largest cell phone company, and several U.S. federal networks, including classified defense systems based on Guam. Bloomberg reported that Volt Typhoon used an entirely new strain of malware on Guam's networks, one it had never deployed before, which researchers saw as a sign of how important the territory is to the Chinese-backed hackers.
Flax Typhoon
Flax Typhoon, which Microsoft first exposed several months later in an August 2023 report, is another Chinese-backed hacker group. Officials say it operated under the guise of a Beijing-based, publicly traded cybersecurity company and had been hacking into critical infrastructure in recent years. Microsoft said Flax Typhoon, which has also been active since mid-2021, primarily targets dozens of “government agencies and education, critical manufacturing, and information technology organizations in Taiwan.”
Then, in September 2023, the U.S. government announced that it had taken control of another botnet. This botnet comprised hundreds of thousands of hijacked, infected consumer devices connected to the internet, which prosecutors said Flax Typhoon “used to carry out malicious cyber activity disguised as routine internet traffic from the United States.” Prosecutors said the botnet enabled other Chinese government-backed hackers to “infiltrate networks in the United States and around the world to steal information and compromise our nation's infrastructure.”
The Justice Department later corroborated Microsoft's findings, adding that Flax Typhoon also “attacked multiple U.S. and foreign companies.”
U.S. officials said the botnet used by Flax Typhoon was run and controlled by Integrity Technology Group, a Beijing-based cybersecurity firm. In January 2024, the U.S. government imposed sanctions on Integrity Tech over its alleged ties to Flax Typhoon.
Salt Typhoon
The latest, and perhaps most unsettling, Chinese government-backed cyber group discovered in recent months is Salt Typhoon.
Salt Typhoon made headlines in October 2024 as a different kind of intelligence-gathering operation. As first reported by the Wall Street Journal, the Chinese-linked hacker group compromised multiple U.S. telecommunications and internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon. The Journal reported in late January 2025 that Salt Typhoon had also infiltrated the U.S.-based internet providers Charter Communications and Windstream. U.S. cyber official Anne Neuberger said the federal government had identified a ninth, unnamed telecommunications company that was hacked.
According to one report, Salt Typhoon may have used compromised Cisco routers to gain access to these carriers. Once inside a carrier's network, the attackers could access metadata on customer calls and text messages, including the date and time stamps of customer communications, source and destination IP addresses, and phone numbers, for more than 1 million users, most of them individuals living in the Washington, D.C., area. In some cases, the hackers were able to capture telephone audio of senior Americans. Neuberger said a “large number” of the people whose data was accessed were “of interest to the government.”
By hacking into the systems used by law enforcement to collect court-authorized customer data, Salt Typhoon may also have been able to access the stored data and systems behind many of the U.S. government's data requests, including the potential identities of Chinese targets of U.S. surveillance.
It is not yet known when the wiretap systems were breached, but the Journal reported that it could have been as early as the beginning of 2024.
AT&T and Verizon told TechCrunch in December 2024 that their networks were secure after being targeted by the Salt Typhoon espionage group. Lumen also confirmed that the hackers no longer had access to its network.
Silk Typhoon
The Chinese-backed hacker group formerly known as Hafnium has quietly resurfaced under the new name Silk Typhoon after being linked to the December 2024 hack of the U.S. Treasury Department.
In a letter to lawmakers obtained by TechCrunch, the U.S. Treasury Department said that in late December 2024, Chinese-backed hackers stole a key from BeyondTrust, a company that provides identity access technology to large organizations and government departments, and used it to remotely access certain Treasury Department staff workstations, including internal documents on the department's unclassified network.
During this hack, the state-sponsored hacker group also infiltrated the Treasury Department's sanctions office, which imposes economic and trade sanctions against countries and individuals. In December, it also breached the Treasury Department's Committee on Foreign Investment (CFIUS), which has the authority to block Chinese investment in the United States.
Silk Typhoon is not a new threat group; it made headlines in 2021 as Hafnium (as it was then called) for exploiting a vulnerability in self-hosted Microsoft Exchange email servers that compromised more than 60,000 organizations.
Microsoft, which tracks government-backed hacking groups, said Silk Typhoon typically focuses on reconnaissance and data theft, and is known for targeting medical institutions, law firms and non-governmental organizations in Australia, Japan, Vietnam and the United States.
First published on October 13, 2024, and updated since.