DEEP DIVE — The “Salt Typhoon,” “Volt Typhoon” and “Silk Typhoon” cyber espionage campaigns have become symbols of China’s efforts to hack U.S. infrastructure – and increasingly, symbols of the difficulty the U.S. is having in stopping them.
In the first major cyber enforcement action of the second Trump administration, the Department of Justice announced indictments Wednesday against a dozen Chinese nationals and sanctioned a Chinese tech company over what it said was a decade-long global campaign of cyber attacks and espionage.
U.S. officials said those charged had stolen and sold data from a wide range of U.S. targets since 2013. Two of the defendants were linked to the hacking group "Silk Typhoon" (also tracked as APT27), which was tied to a recent breach of the Treasury Department. Eight of those charged were employees of the sanctioned company, Anxun Information Technology, better known as i-Soon; two others were officers of the Chinese Ministry of Public Security (MPS). The DOJ said i-Soon's hackers had been contracted, on behalf of the Chinese government, to steal data from entities as varied as the U.S. Defense Intelligence Agency, the Departments of Commerce and Treasury, the New York State Assembly, and news organizations that were critical of China.
A senior DOJ official said the indictments described a "hacker-for-hire ecosystem which by any measure has gotten out of control."
The indictments were announced on the same day that the House Select Committee on the Chinese Communist Party held a hearing to look at the broad threat of China-backed cyber espionage — an event under the heading, "End the Typhoons: How to Deter Beijing’s Cyber Actions and Enhance America’s Lackluster Cyber Defenses."
Ending “the Typhoons” has proved to be a daunting challenge for the U.S.
Volt Typhoon has targeted infrastructure sectors including energy, communications, and transportation, and focused on what U.S. officials call “cyber operational preparation of the environment” – in which hackers aim to pre-position capabilities in key digital systems, giving them the ability to disrupt those systems in the event of a future conflict between the U.S. and China.
Salt Typhoon has taken aim at telecommunications networks, including those operated by industry giants AT&T, Verizon, and Lumen Technologies, to extract information from sensitive data repositories, including wiretapping systems used by U.S. law enforcement.
Among those who testified before the House Committee Wednesday were Rob Joyce, a Cipher Brief expert and Former Director of Cybersecurity at the National Security Agency, and Laura Galante, Former Director of the Cyber Threat Intelligence Integration Center, Office of the Director of National Intelligence. Galante spoke at the annual Cipher Brief Threat Conference in 2022.
Joyce said that as with actual storms, the U.S. requires strong defenses to weather these cyber “typhoons.”
“My belief is the dials need to be set to 11,” he told the House committee. “Now is not the time to dial back on our cybersecurity capabilities, but put our foot down so that we can generate the intelligence that enables the operations to push back.”
Excerpts from their testimony appear below.
THE CONTEXT
- Volt Typhoon is a Chinese state-sponsored cyber actor that has breached U.S. critical infrastructure networks. The group used so-called "living-off-the-land" techniques, in which hackers rely on legitimate, built-in system and administration tools rather than custom malware to move through and persist in networks. Because the activity blends in with routine administrative work and leaves few malicious files behind, it is much harder for antivirus and signature-based detection to catch. Microsoft and U.S. intelligence agencies first flagged Volt Typhoon in 2023.
- Rather than cyber espionage or intelligence gathering, officials say Volt Typhoon is “pre-positioning” for future disruptive actions against targets’ networks in the event of a potential U.S.-China conflict.
- Salt Typhoon is another Chinese state-sponsored hacking group that has breached at least nine U.S. telecommunications companies, including AT&T, Verizon, T-Mobile, Spectrum and Lumen Technologies. Officials announced the hack in late 2024, saying the group had targeted core network components, including Cisco routers, to access telecoms networks.
- Salt Typhoon targeted the communications of top officials, including the phones of Donald Trump, JD Vance and staff of the Kamala Harris 2024 presidential campaign, in an apparent cyber-espionage campaign to access national security information.
- The U.S. and several allied countries, including cyber and national security entities from the “Five Eyes” alliance, have issued advisories and warnings over these different Chinese hacking groups. The U.S. has also imposed sanctions on companies and individuals accused of involvement with these groups.
THE EXPERTS
Joyce: My belief is the dials need to be set to 11. Now is not the time to dial back on our cybersecurity capabilities, but to put our foot down so that we can generate the intelligence that enables the operations to push back.
I’d ask you, when have you ever seen a diplomatic expulsion for a cyber event? We do that routinely when people spy on the U.S. We do that routinely when there’s some sort of diplomatic misstep. We don’t use it in cyberspace and that shows me we don’t use all the tools of national power. We have tremendous leverage in economic and commercial space. We don’t use that to push back cyber intrusions. We need to use everything on a scale that turns the dial to 11.
Imagine if you will that we found the Chinese intelligence service prepositioning Semtex explosives in our ports and on our pipelines. We wouldn't tolerate that, right? We would respond. I don't see us responding with the force and the vigor, with all elements of the government's capabilities, like they have prepositioned explosives on our infrastructure — and that in effect is what they have done. There are real consequences each time we catch them doing this.
I also want to raise my grave concerns that the aggressive threats to cut U.S. government probationary employees will have a devastating impact on cybersecurity and our national security. At my former agency [the NSA], remarkable technical talent was recruited into developmental programs that provided intensive, unique training and hands-on experience to cultivate vital skills. Eliminating probationary employees will destroy a pipeline of top talent essential for hunting and eradicating PRC threats. Even if the positions are not eliminated, the pervasive uncertainty and doubt in the current environment is forcing them to seek secure opportunities outside national security. We need this talent to win in competition and conflict.
There’s been a common theme throughout this that we need aggressive actions to counter and deter, and it’s very clear to me that unilaterally exiting the cyber battlefield would be a bad decision. I don’t know if we have or haven’t in that case, but I would hope we do not because things like the defend-forward strategy keep not only the nation-state activity on their heels, as we address their infrastructure, but it also undercuts their botnets and capabilities that are used by the criminals. If we stop defending forward, we’re going to see an increase in cyber criminal ransomware activity as well.
We are entering a new era with AI that will introduce new vulnerabilities. The most important thing is that we’ve got to have the connection to both industry and academia that’s looking at the new classes of vulnerabilities that are introduced by AI. AI is going to make everyone faster — the attackers, and the defenders. It’s going to make everyone more capable, but it’s also going to bring new classes of vulnerabilities that we don’t appreciate yet. And so that research and understanding, the adversarial testing of these systems so that we break them before the Chinese or the Russians get to break them, is going to be vital.
Finally, assuming our adversaries continue to come at us and our defenses improve, we must plan to be resilient. We must ensure cyber attacks have limited impact, quick recovery, and minimal disruption. There are mitigations that must be made to reduce our exposure even when the hacks are successful.
Galante: China and Russia have been key cyber adversaries and cyber powers for over a decade at this point. Our ability to counter these adversaries in cyberspace is critical.
We need to counter China's cyber aggression on a variety of fronts — that includes diplomatic. There's no one silver bullet in how we're able to deter China. To date, a broad swath of efforts has put some level of friction into the gears of how some of the Chinese operators work. That has been able to shift their motives. It's also shifted some of their targeting, but the point that we're at here in 2025 is that we have pre-positioned access by the PLA, the Chinese military, across critical infrastructure, and we also have a massive cyber espionage operation against the telecoms. Being able to use the full set of tools in state tradecraft to message to China and to hold consequences against China, that this is unacceptable and it's unacceptable against America, is critical.
Creativity and how we’re able to link these cyber operations to other punitive measures that we take against China is a key way to make that message stick.
I'd like to shed some light on the people behind these breaches. This is a group of contractors who work for China's Ministry of State Security [MSS], similar to the CIA in U.S. terms. In January, the Department of Treasury sanctioned Sichuan Network Technology Company Limited, citing their direct involvement in the exploitation of these U.S. telecommunication internet service provider companies. The MSS has maintained strong ties with multiple computer network exploitation companies. The Ministry of State Security, among other functions, handles Chinese counterintelligence, espionage and political security functions. The MSS, like other Chinese state cyber operators, relies on a network of companies that perform research and development tasks that serve as the basis for compromising vulnerabilities in network configuration and security products that are used in the U.S. These companies frequently change names. They alter their corporate structures. They take other steps to avoid scrutiny and detection.
We need to continue to stay on the offensive against the companies that enable the PRC China-state cyber operations. We have to have a faster response to be able to identify them and identify the key people who are building the tools that are used to exploit U.S. networks. The level of granularity that we have on how the intelligence service in China tasks out and buys tools that are used against American networks specifically and explicitly is incredibly important to stop. This will take a large effort. This is not a small group of companies. It’s an ecosystem; it’s a well-known group of people who started in the late 1990s under what was then called the Green Army. These are long-time, highly-expert professionals in cybersecurity and IT whose tools are being used to go after the U.S. We have to deter that activity going towards U.S. networks.
There are a number of allies in East Asia and South Asia who are interested in working with us and have a common interest in detecting Chinese activity on their networks. India and the Philippines especially have the tools but need additional capabilities to be able to find this activity. They look at the U.S. as a partner and a provider for the types of intelligence sharing that will be key for these countries to be able to find that activity, and also share it with their private sectors.
Ken Hughes contributed reporting.