China-Backed Hackers Pose 'Epoch-Defining Threat' to US Critical Infrastructure

Taylor Brooks

January 10, 2025 · 7 min read

The United States is facing an "epoch-defining threat" from China-backed hackers, who have been infiltrating the networks of US critical infrastructure providers, including water, energy, and transportation companies, according to senior US national security officials. The goal of these hackers is to lay the groundwork for potentially destructive cyberattacks in the event of a future conflict between China and the United States, such as a possible Chinese invasion of Taiwan.

Then-outgoing FBI Director Christopher Wray warned lawmakers last year that "China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike." Since then, the US government and its allies have taken action against some of the "Typhoon" family of Chinese hacking groups, publishing new details about the threats posed by these groups.

In January 2024, the US disrupted "Volt Typhoon," a group of Chinese government hackers tasked with setting the stage for destructive cyberattacks. Later in September 2024, federal authorities took control of a botnet run by another Chinese hacking group called "Flax Typhoon," which used a Beijing-based cybersecurity company to help conceal the activities of China's government hackers. Then in December, the US government sanctioned the cybersecurity company for its alleged role in "multiple computer intrusion incidents against US victims."

Another new China-backed hacking group called "Salt Typhoon" appeared in the networks of US phone and internet giants, capable of gathering intelligence on Americans – and potential targets of US surveillance – by compromising telecom systems used for law enforcement wiretaps. Additionally, a Chinese threat actor called Silk Typhoon (previously known as Hafnium), a hacking group that has been active since at least 2021, returned in December 2024 with a new campaign targeting the US Treasury.

Volt Typhoon represents a new breed of China-backed hacking group: one no longer aimed just at stealing sensitive US secrets, but at preparing to disrupt the US military's "ability to mobilize," according to the then-FBI director. Microsoft first identified Volt Typhoon in May 2023, finding that the hackers had targeted and compromised network equipment, such as routers, firewalls, and VPNs, since at least mid-2021 as part of an ongoing and concerted effort to infiltrate deep into the systems of US critical infrastructure.

The U.S. intelligence community said that in reality, the hackers had likely been operating for much longer, potentially for as long as five years. Volt Typhoon compromised thousands of these internet-connected devices in the months following Microsoft's report, exploiting vulnerabilities in devices that were considered "end-of-life" and therefore no longer received security updates. The hacking group subsequently gained further access to the IT environments of multiple critical infrastructure sectors, including aviation, water, energy, and transportation, pre-positioning to activate future disruptive cyberattacks aimed at slowing the U.S. government's response to an invasion of its key ally, Taiwan.

Flax Typhoon, first outed by Microsoft several months later in an August 2023 report, is another China-backed hacking group, which officials say has operated under the guise of a publicly traded cybersecurity company based in Beijing to carry out hacks against critical infrastructure in recent years. Microsoft said Flax Typhoon — also active since mid-2021 — predominantly targeted dozens of "government agencies and education, critical manufacturing, and information technology organizations in Taiwan."

Salt Typhoon hit headlines in October 2024 for a different kind of information-gathering operation. As first reported by The Wall Street Journal, the China-linked hacking group compromised several U.S. telecom and internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon. The Journal reported later in January 2025 that Salt Typhoon also breached the U.S.-based internet providers Charter Communications and Windstream. U.S. cyber official Anne Neuberger said the federal government had identified an unnamed ninth hacked telco.

According to one report, Salt Typhoon may have gained access to these telcos using compromised Cisco routers. Once inside the telcos' networks, the attackers were able to access customer call and text message metadata, including date and time stamps of customer communications, source and destination IP addresses, and phone numbers from over a million users, most of whom were individuals located in the Washington D.C. area. In some cases, the hackers were capable of capturing phone audio from senior Americans. Neuberger said that a "large number" of those whose data was accessed were "government targets of interest."

By hacking into systems that law enforcement agencies use for court-authorized collection of customer data, Salt Typhoon also potentially gained access to data and systems that house much of the U.S. government's data requests, including the potential identities of Chinese targets of U.S. surveillance. It is not yet known when the breach of the wiretap systems occurred, but it may date back to early 2024, according to the Journal's reporting.

AT&T and Verizon told TechCrunch in December 2024 that their networks were secure after being targeted by the Salt Typhoon espionage group. Lumen confirmed soon after that its network was free from the hackers.

Silk Typhoon, previously known as Hafnium, quietly resurfaced under its new name after being linked to a December 2024 hack at the U.S. Treasury. In a letter to lawmakers seen by TechCrunch, the U.S. Treasury said in late December 2024 that the China-backed hackers used a key stolen from BeyondTrust — a company that provides identity access tech to large organizations and government departments — to gain remote access to certain Treasury employee workstations, including internal documents on the department's unclassified network.

During the hack, the state-sponsored hacking group also compromised the Treasury's sanctions office, which imposes economic and trade sanctions against countries and individuals, and in December also breached the Treasury's Committee on Foreign Investment, or CFIUS, an office that has the power to block Chinese investment in the United States.

Silk Typhoon is not a new threat group, previously making headlines in 2021 as Hafnium — as it was then known — for exploiting vulnerabilities in self-hosted Microsoft Exchange email servers that compromised more than 60,000 organizations. According to Microsoft, which tracks the government-backed hacking group, Silk Typhoon typically focuses on reconnaissance and data theft, and is known for targeting healthcare organizations, law firms, and non-governmental organizations in Australia, Japan, Vietnam, and the United States.

The recent revelations about China-backed hacking groups pose significant concerns about the potential for devastating cyberattacks on US critical infrastructure, and highlight the need for increased vigilance and cooperation between government agencies and private sector companies to combat these threats.


Copyright © 2024 Starfolk. All rights reserved.