China-Backed Hackers Pose 'Epoch-Defining Threat' to US Critical Infrastructure

Sophia Steele

January 06, 2025 · 6 min read
The United States is facing an "epoch-defining threat" from China-backed hackers, who have been infiltrating the networks of US critical infrastructure providers, including water, energy, and transportation companies, according to senior US national security officials. The goal of these hackers is to lay the groundwork for potentially destructive cyberattacks in the event of a future conflict between China and the United States, such as a possible Chinese invasion of Taiwan.

Then-FBI Director Christopher Wray warned lawmakers in January 2024 that "China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike." The US government and its allies have since taken action against several of the "Typhoon" family of Chinese hacking groups, publishing new details about the threats these groups pose.

In January 2024, the US disrupted "Volt Typhoon," a group of Chinese government hackers tasked with setting the stage for destructive cyberattacks. In September 2024, federal authorities took control of a botnet run by another Chinese hacking group, "Flax Typhoon," which used a Beijing-based cybersecurity company to help conceal the activities of China's government hackers. Then in January 2025, the US government sanctioned that cybersecurity company for its alleged role in "multiple computer intrusion incidents against US victims."

Since Volt Typhoon's exposure, another China-backed hacking group, "Salt Typhoon," has appeared in the networks of US phone and internet giants. By compromising the telecom systems used to fulfil law enforcement wiretap orders, it was positioned to gather intelligence on Americans, and on the targets of US surveillance. According to reports, Salt Typhoon compromised several US telecom and internet providers, including AT&T, Lumen, and Verizon, gaining access to customer call and text message metadata, including date and time stamps of customer communications, source and destination IP addresses, and phone numbers, for more than a million users.

Volt Typhoon, first publicly identified by Microsoft in May 2023, represents a new breed of China-backed hacking group: no longer aimed only at stealing sensitive US secrets, but at preparing to disrupt the US military's "ability to mobilize," according to the then-FBI director. Since at least mid-2021 the hackers have targeted and compromised network edge equipment, such as routers, firewalls, and VPN appliances, as part of an ongoing and concerted effort to infiltrate deep into the systems of US critical infrastructure.

The US intelligence community said that in reality the hackers were likely operating for much longer, maintaining access to some victim environments for as long as five years. In the months following Microsoft's report, Volt Typhoon compromised thousands of internet-connected devices, exploiting vulnerabilities in products that were "end-of-life" and therefore no longer receiving security updates. The group then gained further access to the IT environments of multiple critical infrastructure sectors, including aviation, water, energy, and transportation, pre-positioning to launch future disruptive cyberattacks aimed at slowing the US government's response to an invasion of its key ally, Taiwan.

John Hultquist, chief analyst at security firm Mandiant, noted that "this actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the US. They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down." The US government said in January 2024 that it had successfully disrupted a botnet used by Volt Typhoon, consisting of thousands of hijacked US-based small office and home office routers, which the Chinese hacking group routed its traffic through to hide its activity against US critical infrastructure.

By January 2025, the US had discovered more than 100 intrusions across the country and its territories linked to Volt Typhoon, according to reporting by Bloomberg. A large number of these attacks have targeted Guam, a US island territory in the Pacific and a strategic location for American military operations, the report said. Volt Typhoon allegedly targeted critical infrastructure on the island, including its main power authority, the island's largest cell provider, and several US federal networks, including sensitive defense systems, based on Guam.

Flax Typhoon, first outed by Microsoft several months later in an August 2023 report, is another China-backed hacking group, which officials say has operated under the guise of a publicly traded cybersecurity company based in Beijing to carry out hacks against critical infrastructure in recent years. Microsoft said Flax Typhoon — also active since mid-2021 — predominantly targeted dozens of "government agencies and education, critical manufacturing, and information technology organizations in Taiwan."

The US government said it had taken control of another botnet, which was made up of hundreds of thousands of hijacked internet-connected devices, and used by Flax Typhoon to "conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices." Prosecutors said the botnet allowed other China government-backed hackers to "hack into networks in the US and around the world to steal information and hold our infrastructure at risk."

The Department of Justice later corroborated Microsoft's findings, adding that Flax Typhoon also "attacked multiple US and foreign corporations." US officials said that the botnet used by Flax Typhoon was operated and controlled by the Beijing-based cybersecurity company Integrity Technology Group. In January 2025, the US government imposed sanctions on Integrity Tech over its alleged links to Flax Typhoon.

The latest revelations about China-backed hacking groups highlight the growing threat of cyber warfare to US national security and critical infrastructure. As the US government and its allies continue to take action against these groups, it remains to be seen how effective these efforts will be in preventing future destructive cyberattacks.
