
Meet the Chinese ‘Typhoon’ Hackers: Cyber Warriors Preparing for Conflict

Oct 14, 2024

China-backed hackers, described as an “epoch-defining threat” by U.S. officials, have been increasingly targeting U.S. critical infrastructure. These cyberattacks aim to lay the groundwork for potentially devastating sabotage in the event of future conflicts, such as over Taiwan. U.S. intelligence has identified several hacker groups under the “Typhoon” umbrella, each with specific capabilities designed to disrupt essential services, including water, energy, and transportation networks.

The most prominent of these groups is **Volt Typhoon**, a hacking collective first identified by Microsoft in 2023. Unlike traditional cyber espionage groups, Volt Typhoon focuses on disrupting U.S. military and civilian infrastructure rather than stealing secrets. The group has been active since at least 2021, targeting routers, firewalls, and VPNs across several critical industries. By compromising “end-of-life” devices—older equipment no longer receiving security updates—Volt Typhoon infiltrated thousands of systems. Their actions could be a prelude to future cyberattacks that would cripple essential services during a conflict.

In January 2024, the U.S. government successfully disrupted a botnet used by Volt Typhoon, consisting of hijacked small office and home routers. The FBI severed the group’s connection to this network, reducing their ability to launch coordinated attacks on U.S. infrastructure. However, experts warn that Volt Typhoon is still active and represents a significant threat to national security.

Another dangerous player is **Flax Typhoon**, a China-backed group masquerading as a Beijing-based cybersecurity firm, Integrity Technology Group. Flax Typhoon has been operating since 2021 and focuses on government agencies, manufacturing, and education sectors. The group uses a botnet powered by the notorious Mirai malware to disguise malicious activity as normal internet traffic. In 2023, the U.S. took control of Flax Typhoon’s botnet, disrupting their operations. However, the group remains a key threat due to its ability to infiltrate networks and steal critical information, especially from Taiwan and U.S.-based organizations.

The latest threat uncovered is **Salt Typhoon**, a group that has potentially accessed the wiretap systems of major U.S. telecom providers like AT&T and Verizon. This breach could be catastrophic, as it would allow Salt Typhoon to gather sensitive data, including information about U.S. surveillance operations and targets. The group reportedly gained access through compromised Cisco routers, and investigations are ongoing. Salt Typhoon’s breach may have persisted for months, allowing them access to vast amounts of data used by law enforcement and government agencies.

Collectively, these “Typhoon” groups are more than just cybercriminals; they represent China’s cyber warfare capability, positioning themselves to cause real-world harm to the U.S. in the event of a future conflict. As the U.S. government continues to uncover and disrupt their operations, the threat of cyber sabotage remains a pressing national security concern.
