Thursday, January 9, 2025

Meet the Chinese ‘Typhoon’ hackers preparing for war

Of the cybersecurity threats facing the United States today, few loom larger than the potential sabotage capabilities posed by China-backed hackers, which senior U.S. national security officials have described as an “epoch-defining threat.”

The U.S. says Chinese government-backed hackers have, in some cases for years, been burrowing deep into the networks of U.S. critical infrastructure, including water, energy, and transportation providers. The goal, officials say, is to lay the groundwork for potentially destructive cyberattacks in the event of a future conflict between China and the United States, such as over a potential Chinese invasion of Taiwan.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” then-outgoing FBI Director Christopher Wray told lawmakers last year.

The U.S. government and its allies have since taken action against some of the “Typhoon” family of Chinese hacking groups, and published new details about the threats posed by these groups.

In January 2024, the U.S. disrupted “Volt Typhoon,” a group of Chinese government hackers tasked with setting the stage for destructive cyberattacks. Later in September 2024, federal authorities took control of a botnet run by another Chinese hacking group called “Flax Typhoon,” which used a Beijing-based cybersecurity company to help conceal the activities of China’s government hackers. Then in December 2025, the U.S. government sanctioned the cybersecurity company for its alleged role in “multiple computer intrusion incidents against U.S. victims.”

Since the emergence of Volt Typhoon, another new China-backed hacking group called “Salt Typhoon” appeared in the networks of U.S. phone and internet giants, capable of gathering intelligence on Americans (and on potential targets of U.S. surveillance) by compromising the telecom systems used for law enforcement wiretaps.

Here’s what we have learned about the Chinese hacking groups gearing up for war.

Volt Typhoon

Volt Typhoon represents a new breed of China-backed hacking group: no longer simply aimed at stealing sensitive U.S. secrets, but rather preparing to disrupt the U.S. military’s “ability to mobilize,” according to the then-FBI director.

Microsoft first identified Volt Typhoon in May 2023, finding that the hackers had targeted and compromised network equipment, such as routers, firewalls, and VPNs, since at least mid-2021 as part of an ongoing and concerted effort to infiltrate deep into the systems of U.S. critical infrastructure. The U.S. intelligence community said that in reality the hackers had likely been operating for far longer, possibly for as long as five years.

Volt Typhoon compromised thousands of these internet-connected devices in the months following Microsoft’s report, exploiting vulnerabilities in devices that were considered “end-of-life” and therefore would no longer receive security updates. The hacking group subsequently gained further access to the IT environments of multiple critical infrastructure sectors, including aviation, water, energy, and transportation, pre-positioning itself to activate future disruptive cyberattacks aimed at slowing the U.S. government’s response to an invasion of its key ally, Taiwan.

“This actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the U.S. They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down,” said John Hultquist, chief analyst at security firm Mandiant.

The U.S. government said in January 2024 that it had successfully disrupted a botnet used by Volt Typhoon, consisting of thousands of hijacked U.S.-based small office and home network routers, which the Chinese hacking group used to hide its malicious activity aimed at targeting U.S. critical infrastructure. The FBI said it was able to remove the malware from the hijacked routers by means of a court-sanctioned operation, severing the Chinese hacking group’s connection to the botnet.

By January 2025, the U.S. had discovered more than 100 intrusions across the country and its territories linked to Volt Typhoon, according to reporting by Bloomberg. Many of these attacks have targeted Guam, a U.S. island territory in the Pacific and a strategic location for American military operations, the report said. Volt Typhoon allegedly targeted critical infrastructure on the island, including its main power authority, the island’s largest mobile provider, and several U.S. federal networks, including sensitive defense systems, based on Guam. Bloomberg reported that Volt Typhoon used an entirely new kind of malware to target networks in Guam that it had never deployed before, which researchers took as a sign of the high importance the region has to the China-backed hackers.

Flax Typhoon

Flax Typhoon, first outed by Microsoft several months later in an August 2023 report, is another China-backed hacking group, which officials say has operated under the guise of a publicly traded cybersecurity company based in Beijing to carry out hacks against critical infrastructure in recent years. Microsoft said Flax Typhoon, also active since mid-2021, predominantly targeted dozens of “government agencies and education, critical manufacturing, and information technology organizations in Taiwan.”

Then in September 2023, the U.S. government said it had taken control of another botnet, made up of hundreds of thousands of hijacked internet-connected devices and used by Flax Typhoon to “conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices.” Prosecutors said the botnet allowed other China government-backed hackers to “hack into networks in the U.S. and around the world to steal information and hold our infrastructure at risk.”

The Department of Justice later corroborated Microsoft’s findings, adding that Flax Typhoon also “attacked multiple U.S. and foreign corporations.”

U.S. officials said that the botnet used by Flax Typhoon was operated and controlled by the Beijing-based cybersecurity company Integrity Technology Group. In January 2024, the U.S. government imposed sanctions on Integrity Tech over its alleged links to Flax Typhoon.

Salt Typhoon

The latest, and potentially most ominous, group in China’s government-backed cyber army uncovered in recent months is Salt Typhoon.

Salt Typhoon hit headlines in October 2024 for a different kind of information-gathering operation. As first reported by The Wall Street Journal, the China-linked hacking group compromised several U.S. telecom and internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon. The Journal reported later in January 2025 that Salt Typhoon had also breached the U.S.-based internet providers Charter Communications and Windstream. U.S. cyber official Anne Neuberger said the federal government had identified an unnamed ninth hacked telco.

According to one report, Salt Typhoon may have gained access to these telcos using compromised Cisco routers. Once inside the telcos’ networks, the attackers were able to access customer call and text message metadata, including date and time stamps of customer communications, source and destination IP addresses, and phone numbers from over a million users, most of whom were individuals located in the Washington, D.C. area. In some cases the hackers were capable of capturing phone audio from senior Americans. Neuberger said that a “large number” of those whose data was accessed were “government targets of interest.”

By hacking into the systems that law enforcement agencies use for court-authorized collection of customer data, Salt Typhoon also potentially gained access to data and systems that house much of the U.S. government’s data requests, including the potential identities of Chinese targets of U.S. surveillance.

It is not yet known when the breach of the wiretap systems occurred, but it may date back to early 2024, according to the Journal’s reporting.

AT&T and Verizon told TechCrunch in December 2024 that their networks were secure after being targeted by the Salt Typhoon espionage group. Lumen confirmed soon after that its network was free from the hackers.

First published October 13, 2024 and updated.
