The call logs of senior U.S. government officials. The wiretap systems used by law enforcement to monitor criminal suspects. The communications networks of nearly every major American telecom carrier. All of it, quietly, methodically — compromised.
This wasn’t a theoretical threat or a near-miss. By the time Salt Typhoon became public knowledge in late 2024, Chinese state-sponsored hackers had spent years embedded inside the networks of AT&T, Verizon, T-Mobile, and dozens of other U.S. telecommunications providers. What they accessed, and what they may still be accessing, represents one of the most significant intelligence breaches in American history.
And Salt Typhoon was just one campaign.
The Typhoon Naming Convention: China’s Cyber Army Has a Structure
Before diving into specifics, it’s worth understanding how the cybersecurity community tracks and names these threats. Microsoft’s naming convention for Chinese state-sponsored threat actors uses the “Typhoon” designation, each group representing distinct operational teams with specific missions and targets.
Volt Typhoon — Pre-positioning attacks on critical infrastructure (power grids, water systems, transportation)
Salt Typhoon — Intelligence collection via telecommunications network infiltration
Flax Typhoon — Exploitation of Internet of Things devices for botnet infrastructure
Silk Typhoon — IT service providers and supply chain compromise
These aren’t random hacker groups. They’re highly organized, state-funded, and operate with clearly defined intelligence objectives that align directly with the strategic goals of the People’s Liberation Army (PLA) and Ministry of State Security (MSS).
Salt Typhoon: When They Owned the Phone Lines
The revelation that broke in October 2024 was stunning in its scope. Salt Typhoon had successfully penetrated the backbone of American telecommunications — not just stealing data, but gaining access to the very systems designed to help U.S. law enforcement conduct legal wiretapping.
What They Accessed
The Cybersecurity and Infrastructure Security Agency (CISA) and FBI confirmed that Salt Typhoon operators:
- Accessed call records and metadata for millions of Americans
- Obtained the actual content of calls and texts for a smaller, targeted group of high-value individuals — primarily government officials, political figures, and security personnel
- Compromised the CALEA (Communications Assistance for Law Enforcement Act) infrastructure — the legally-mandated systems that allow courts to order wiretaps on suspects
That last point deserves special emphasis. By infiltrating CALEA systems, Salt Typhoon didn’t just steal communications — they potentially gained visibility into who U.S. law enforcement was monitoring. That’s an intelligence goldmine: knowing which of your own operatives are under surveillance, which operations have been detected, and which channels remain secure.
The Confirmed Victims
Carriers confirmed to have been compromised include:
- AT&T
- Verizon
- T-Mobile
- Lumen Technologies (formerly CenturyLink)
- Charter Communications
The campaign also extended beyond U.S. borders, with telecoms in dozens of countries across Europe, Asia, and the Middle East affected. The breadth suggests a coordinated, multi-year operation rather than an opportunistic intrusion.
The Political Targeting
Among the most alarming disclosures: Salt Typhoon successfully intercepted communications associated with the 2024 presidential campaign. Officials confirmed that calls and texts from the phones of senior campaign staff for both major party candidates were accessed, along with communications from Trump family members and Harris campaign associates.
The Senate Intelligence Committee received classified briefings characterizing the breach as an “unprecedented attack on U.S. telecommunications infrastructure.” Senator Mark Warner, the committee’s chairman, called it “the worst telecom hack in our nation’s history.”
Volt Typhoon: The Sleeper Agents in the Power Grid
While Salt Typhoon was collecting intelligence, Volt Typhoon was playing a longer game — one with far more dangerous implications.
Where Salt Typhoon wanted information, Volt Typhoon wanted control. Or more precisely, Volt Typhoon wanted the capability to seize control when the moment came.
What Volt Typhoon Was Actually Doing
The joint advisory issued by CISA, NSA, and FBI in February 2024 described Volt Typhoon’s activities in chilling terms. These weren’t hackers trying to steal intellectual property or financial data. They were pre-positioning:
- Operational Technology (OT) networks controlling electrical grid infrastructure
- Water treatment and distribution systems
- Natural gas pipelines and LNG terminals
- Port authority and maritime logistics systems
- Transportation and rail infrastructure
The hackers used “living off the land” techniques — relying on legitimate system administration tools rather than custom malware — specifically to evade detection. They established persistent access, then went dormant. They weren’t stealing data. They were waiting.
The Military Connection
CISA’s assessment was explicit: Volt Typhoon’s activities could not be explained by standard espionage or cybercrime motives. The specific targets and the nature of pre-positioning access aligned with a single strategic scenario — the capability to disrupt U.S. critical infrastructure in the event of a military conflict, particularly a conflict over Taiwan.
Imagine the scenario: China moves on Taiwan, the U.S. begins mobilizing a military response, and suddenly — the power goes out in major cities. Water pressure fails. Natural gas supplies become unreliable. Ports experience mysterious disruptions that slow the movement of military equipment and supplies.
The FBI’s director Christopher Wray testified before Congress that Volt Typhoon was “almost certainly” designed to cause “real-world harm to American citizens and communities.”
The Scale Problem
A 2024 investigation revealed Volt Typhoon had penetrated infrastructure networks across all 50 states and multiple U.S. territories. The access wasn’t superficial — forensic analysis showed persistent footholds maintained for months or years in some cases, with attackers carefully cleaning logs to avoid detection.
Some of the infiltrated systems controlled infrastructure serving populations of over one million people.
Flax Typhoon and the Botnet Problem
In September 2024, the Justice Department and FBI announced the takedown of a massive botnet controlled by Flax Typhoon — another Chinese state-sponsored group operating through a front company called Integrity Technology Group.
The botnet comprised more than 260,000 compromised devices across the United States, Taiwan, Europe, Africa, and Southeast Asia. The infected devices included:
- Home and small business routers
- IP security cameras
- Network-attached storage devices
- Smart TVs and streaming devices
The operational purpose of this botnet was to provide anonymous infrastructure for other Chinese cyber operations. By routing attacks through compromised American devices, Chinese hackers could make their traffic appear to originate domestically, evading geographic-based security controls.
The court filings revealed that Integrity Technology Group received direction directly from Chinese government officials, confirming state control over what had been presented as a legitimate technology company.
The Telecom Infrastructure: A Systemic Vulnerability
A common thread running through all of these campaigns is the focus on telecommunications infrastructure — not just as an eavesdropping target, but as foundational attack surface.
Why Telecom?
Modern telecommunications infrastructure is simultaneously:
- A communications intelligence goldmine — essentially all sensitive communications eventually traverse major telecom networks
- A gateway to other systems — telecom infrastructure connects to banking, healthcare, government, and military networks
- Difficult to defend — legacy equipment, complex vendor ecosystems, and regulatory constraints create persistent security gaps
- A choke point for crisis response — disrupting telecom during a military crisis could severely hamper command and control
CISA’s post-breach guidance noted that Chinese hackers had exploited vulnerabilities in network edge devices — routers, firewalls, and VPN appliances from vendors including Cisco, Fortinet, and Citrix. These devices, designed to secure network perimeters, had become the preferred entry point.
The CALEA Design Flaw
Multiple security researchers have argued for years that CALEA’s mandate for built-in wiretap capabilities creates a fundamental security vulnerability. You cannot build a “secure backdoor” — any access mechanism designed for law enforcement can potentially be exploited by adversaries.
Salt Typhoon proved this argument correct in the most dramatic way possible.
The U.S. Response: Playing Catch-Up
CISA’s Emergency Actions
Following the Salt Typhoon disclosures, CISA issued Emergency Directive 24-02 requiring federal civilian agencies to:
- Audit remote access configurations within 72 hours
- Implement phishing-resistant multi-factor authentication
- Disable unnecessary network edge device management interfaces
- Implement enhanced monitoring for lateral movement
CISA also published specific guidance recommending that individuals with high threat profiles — government officials, campaign staff, executives — shift to end-to-end encrypted communications for all sensitive conversations. Signal was specifically recommended.
Congressional Response
The revelations triggered bipartisan alarm. Multiple congressional investigations were launched, hearings were held with telecom executives, and legislation was proposed to strengthen cybersecurity requirements for telecommunications carriers.
The Senate Intelligence Committee called the breach “a Sputnik moment” for U.S. cybersecurity, arguing it demonstrated fundamental strategic vulnerabilities that required immediate, sustained attention.
Diplomatic Escalation
The State Department formally summoned Chinese Ambassador Xie Feng to deliver a diplomatic protest. China, following standard practice, denied any government involvement and characterized the allegations as “groundless accusations.”
The Treasury Department imposed sanctions on Sichuan Silence Information Technology, the private company linked to Volt Typhoon operations, along with one of its executives. More sanctions targeting entities connected to Salt Typhoon were reported as under consideration.
What China Is Actually After
Understanding these attacks requires understanding Chinese strategic objectives. This isn’t random criminality — it’s a sophisticated, long-term intelligence campaign aligned with China’s national goals.
Short-term intelligence collection
Salt Typhoon’s telecom infiltration serves immediate intelligence needs: monitoring U.S. government decision-making, tracking intelligence community personnel, and identifying surveillance targets that might reveal sources and methods.
Mapping the battlefield
Volt Typhoon’s infrastructure mapping is exactly what military planners need: detailed knowledge of which systems control what infrastructure, where the vulnerabilities are, and how to cause maximum disruption with minimum effort.
Deterrence through capability
Perhaps most sophisticated is the strategic deterrence value. By demonstrating the ability to reach into U.S. critical infrastructure, China signals to U.S. decision-makers that any military conflict carries catastrophic domestic risks. If American policymakers know that war with China means lights going out in American cities, that’s a powerful deterrent.
The Defenders’ Dilemma
The organizations tasked with protecting U.S. infrastructure face structural disadvantages that go beyond technical capabilities.
The speed imbalance
Attackers need to find one vulnerability. Defenders need to find all of them. A dedicated, well-funded adversary with years and patience will eventually find a way in. The question is whether defenders detect and eject them before significant damage is done.
The complexity problem
Modern telecommunications and utility infrastructure is extraordinarily complex — a patchwork of legacy systems, vendor software, and proprietary hardware accumulated over decades. Many critical systems run software that hasn’t been patched in years because the systems can’t be taken offline for updates.
The staffing shortage
The cybersecurity talent shortage is real and acute. The organizations operating critical infrastructure often struggle to compete with private sector salaries for qualified security professionals, leaving gaps that sophisticated adversaries can exploit.
The regulatory gap
Cybersecurity requirements for critical infrastructure have historically been inconsistent, voluntary, or weakly enforced. While this is changing, the pace of regulatory improvement has not kept up with the pace of threat evolution.
What Individuals and Organizations Can Do
Given the scale and sophistication of these campaigns, individual action might seem futile. But there are meaningful steps that individuals and organizations can take.
For individuals (especially high-risk targets):
- Use end-to-end encrypted messaging (Signal, not iMessage or SMS) for sensitive communications
- Understand that regular phone calls are potentially accessible to sophisticated adversaries
- Apply security updates to all devices promptly, especially network equipment
- Be aware that metadata (who you called, when, how long) is often as valuable as content
For organizations:
- Audit internet-facing devices and reduce attack surface aggressively
- Implement network segmentation — especially around operational technology systems
- Deploy phishing-resistant MFA (FIDO2/hardware keys, not SMS or email OTP)
- Establish baseline network behavior monitoring to detect anomalous lateral movement
- Conduct tabletop exercises assuming adversary pre-positioning in your environment
For critical infrastructure operators:
- Treat “network defense hygiene” as an existential priority, not a compliance checkbox
- Engage with CISA’s free vulnerability scanning and risk assessment programs
- Assume you’re already compromised and hunt accordingly
- Segment operational technology (OT) networks rigorously from IT networks
The Long Game
What makes these Chinese cyber operations so challenging is their patience. Salt Typhoon didn’t rush. Volt Typhoon didn’t trigger alarms. These were years-long campaigns of quiet persistence, methodically expanding access while deliberately avoiding any action that might cause defenders to notice.
The cyber domain has become a battlefield where the most dangerous operations are the ones you can’t see — where the weapon is access itself, and the attack is holding that access in reserve until the strategically optimal moment.
The good news, if there is any, is that awareness has improved dramatically. The disclosures of Salt Typhoon and Volt Typhoon represent successful detection — not perfect protection, but at least visibility. CISA has meaningfully increased both its detection capabilities and its information sharing with the private sector.
The bad news is that detection, years after the fact, is not the same as prevention. And in the meantime, the questions remain: What else is already inside networks we haven’t found yet? What capabilities are being held in reserve?
The silent war isn’t coming. It’s already here.
Further Reading
If you want to go deeper on these topics, the primary source documents are worth reading:
- CISA Advisory: Volt Typhoon (Feb 2024)
- CISA Advisory: Salt Typhoon (Dec 2024)
- FBI/CISA Joint Statement on PRC Telecom Targeting
- NSA/CISA/FBI Advisory: PRC-Sponsored Cyber Actors (Mar 2024)
Cybersecurity is no longer just a technology problem — it’s a national security problem that requires national-scale solutions. The sophistication of campaigns like Salt Typhoon and Volt Typhoon demands sustained attention, investment, and coordination across government, industry, and individuals.
Tags: #Cybersecurity #NationalSecurity #CriticalInfrastructure #SaltTyphoon #VoltTyphoon #China #Espionage #APT #CISA #Telecom #CyberWarfare