One of the major cybersecurity risks facing the United States is the sabotage capability of China-backed hackers, which senior U.S. national security officials have referred to as an “epoch-defining threat.”
Chinese government-backed hackers have reportedly been infiltrating U.S. critical infrastructure networks, including water, energy, and transportation providers, for years. The objective is to prepare for potential destructive cyberattacks in the event of a future conflict between China and the United States, such as a Chinese invasion of Taiwan.
According to then-FBI Director Christopher Wray, China’s hackers are positioning themselves on American infrastructure to cause harm to American citizens and communities when China decides to strike.
The U.S. government and its allies have taken action against some Chinese hacking groups, including disrupting the activities of the “Typhoon” family of Chinese hackers and publishing new details about the threats they pose.
In January 2024, the U.S. disrupted the activities of “Volt Typhoon,” a group of Chinese government hackers preparing for destructive cyberattacks. Subsequently, in September 2024, federal authorities seized control of a botnet operated by another Chinese hacking group known as “Flax Typhoon.” This group used a Beijing-based cybersecurity company to conceal the actions of China’s government hackers. In December of the same year, the U.S. government sanctioned the cybersecurity company for its alleged involvement in multiple computer intrusion incidents against U.S. targets.
A new China-backed hacking group called “Salt Typhoon” has also emerged, infiltrating the networks of major U.S. phone and internet companies to gather intelligence on Americans and potential targets of U.S. surveillance.
Additionally, a Chinese threat actor known as Silk Typhoon (previously Hafnium) has returned with a new campaign targeting the U.S. Treasury as of December 2024.
This article explores the activities of Chinese hacking groups preparing for potential conflict with the United States.
Volt Typhoon
Volt Typhoon represents a new type of China-backed hacking group, focused on disrupting the U.S. military’s ability to mobilize rather than just stealing sensitive information, according to the former FBI director.
Microsoft first identified Volt Typhoon in May 2023, revealing that the hackers had been targeting and compromising network equipment like routers, firewalls, and VPNs since mid-2021. They aimed to infiltrate deep into U.S. critical infrastructure systems. The U.S. intelligence community suspects that the hackers may have been active for up to five years.
Volt Typhoon exploited vulnerabilities in end-of-life devices, which no longer receive security updates, to compromise thousands of internet-connected devices. They gained access to multiple critical infrastructure sectors such as aviation, water, energy, and transportation, preparing for disruptive cyberattacks to hinder the U.S. government’s response to a potential conflict involving Taiwan.
John Hultquist, chief analyst at Mandiant, stated that Volt Typhoon is not engaged in silent intelligence collection but is probing critical infrastructure to disrupt major services upon command.
In January 2024, the U.S. successfully disrupted a botnet used by Volt Typhoon, consisting of hijacked U.S.-based home network routers. The FBI removed the malware from these routers through a court-approved operation, cutting off the Chinese group’s access to the botnet.
By January 2025, more than 100 intrusions linked to Volt Typhoon had been discovered across the U.S. and its territories, with a particular focus on targeting Guam. The hackers targeted critical infrastructure on the island, including power facilities, the main cell provider, and U.S. federal networks, especially defense systems based on Guam. Bloomberg reported that Volt Typhoon used new malware in Guam, indicating the region’s significance to the hackers.
Flax Typhoon
Flax Typhoon, initially revealed by Microsoft in an August 2023 report, is a hacking group supported by China and has been operating under the guise of a publicly traded cybersecurity company based in Beijing. This group has been targeting critical infrastructure, including government agencies and education, manufacturing, and information technology organizations in Taiwan since mid-2021.
In September 2023, the U.S. government disclosed that it had seized control of a botnet used by Flax Typhoon, consisting of hundreds of thousands of compromised internet-connected devices. This botnet was utilized for malicious cyber activities that posed a risk to global infrastructure. The Department of Justice confirmed Microsoft’s findings, stating that Flax Typhoon had also targeted U.S. and foreign corporations.
The botnet operated by Flax Typhoon was linked to Integrity Technology Group, a cybersecurity company based in Beijing. In response, the U.S. government imposed sanctions on Integrity Tech in January 2024 due to its alleged connections to Flax Typhoon.
Silk Typhoon Emerges as a Threat to U.S. Treasury
Silk Typhoon, previously known as Hafnium, resurfaced following a hack at the U.S. Treasury in December 2024. The group utilized a stolen key from BeyondTrust to gain remote access to Treasury employee workstations, accessing internal documents on the department’s network. They also compromised the Treasury’s sanctions office and the Committee on Foreign Investment in the United States (CFIUS), which oversees Chinese investments in the U.S.
Silk Typhoon, known for exploiting self-hosted Microsoft Exchange servers, now focuses on reconnaissance and data theft. The group targets healthcare organizations, law firms, and NGOs in several countries, including Australia, Japan, Vietnam, and the United States. The threat posed by Silk Typhoon underscores the ongoing challenges governments and organizations face in safeguarding their digital infrastructure.
