
Meet the Chinese ‘Typhoon’ hackers preparing for war


Of the cybersecurity threats facing the United States today, few loom larger than the potential sabotage capabilities of China-backed hackers, which senior U.S. national security officials have described as an “epoch-defining threat.”

The U.S. says Chinese government-backed hackers have, in some cases for years, been burrowing deep into the networks of U.S. critical infrastructure, including water, energy, and transportation providers. The goal, officials say, is to lay the groundwork for potentially destructive cyberattacks in the event of a future conflict between China and the United States, such as over a possible Chinese invasion of Taiwan.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” then-outgoing FBI Director Christopher Wray told lawmakers last year.

The U.S. government and its allies have since taken action against some of the “Typhoon” family of Chinese hacking groups, and revealed new details about the threats these groups pose.

In January 2024, the U.S. disrupted “Volt Typhoon,” a group of Chinese government hackers tasked with setting the stage for destructive cyberattacks. Later, in September 2024, federal authorities took control of a botnet run by another Chinese hacking group called “Flax Typhoon,” which used a Beijing-based cybersecurity company to help conceal the activities of China’s government hackers. Then in December 2025, the U.S. government sanctioned the cybersecurity company for its alleged role in “multiple computer intrusion incidents against U.S. victims.”

Since the emergence of Volt Typhoon, another new China-backed hacking group called “Salt Typhoon” appeared in the networks of U.S. phone and internet giants, capable of gathering intelligence on Americans, and on potential targets of U.S. surveillance, by compromising the telecom systems used for law enforcement wiretaps.

Here’s what we have learned about the Chinese hacking groups gearing up for war.

Volt Typhoon

Volt Typhoon represents a new breed of China-backed hacking group: not simply aimed at stealing sensitive U.S. secrets, but rather preparing to disrupt the U.S. military’s “ability to mobilize,” according to the then-FBI director.

Microsoft first identified Volt Typhoon in May 2023, finding that the hackers had targeted and compromised network equipment, such as routers, firewalls, and VPNs, since at least mid-2021 as part of an ongoing and concerted effort to infiltrate deep into the systems of U.S. critical infrastructure. The U.S. intelligence community said that in reality the hackers had likely been operating for much longer, potentially for as long as five years.

Volt Typhoon compromised thousands of these internet-connected devices in the months following Microsoft’s report, exploiting vulnerabilities in devices that were considered “end-of-life” and therefore would no longer receive security updates. The hacking group subsequently gained further access to the IT environments of multiple critical infrastructure sectors, including aviation, water, energy, and transportation, pre-positioning itself to launch future disruptive cyberattacks aimed at slowing the U.S. government’s response to an invasion of its key ally, Taiwan.

“This actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the U.S. They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down,” said John Hultquist, chief analyst at security firm Mandiant.

The U.S. government said in January 2024 that it had successfully disrupted a botnet used by Volt Typhoon, consisting of thousands of hijacked U.S.-based small office and home network routers, which the Chinese hacking group used to hide its malicious activity aimed at U.S. critical infrastructure. The FBI said it was able to remove the malware from the hijacked routers through a court-sanctioned operation, severing the Chinese hacking group’s connection to the botnet.

By January 2025, the U.S. had discovered more than 100 intrusions across the country and its territories linked to Volt Typhoon, according to reporting by Bloomberg. Many of these attacks targeted Guam, a U.S. island territory in the Pacific and a strategic location for American military operations, the report said. Volt Typhoon allegedly targeted critical infrastructure on the island, including its main power authority, the island’s largest mobile provider, and several U.S. federal networks based on Guam, including sensitive defense systems. Bloomberg reported that Volt Typhoon used an entirely new kind of malware to target networks in Guam, one it had never deployed before, which researchers took as a sign of the high importance the region has to the China-backed hackers.

Flax Typhoon

Flax Typhoon, first outed by Microsoft several months later in an August 2023 report, is another China-backed hacking group, which officials say has operated under the guise of a publicly traded cybersecurity company based in Beijing to carry out hacks against critical infrastructure in recent years. Microsoft said Flax Typhoon, also active since mid-2021, predominantly targeted dozens of “government agencies and education, critical manufacturing, and information technology organizations in Taiwan.”

Then in September 2023, the U.S. government said it had taken control of another botnet, made up of hundreds of thousands of hijacked internet-connected devices and used by Flax Typhoon to “conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices.” Prosecutors said the botnet allowed other China government-backed hackers to “hack into networks in the U.S. and around the world to steal information and hold our infrastructure at risk.”

The Department of Justice later corroborated Microsoft’s findings, adding that Flax Typhoon also “attacked multiple U.S. and foreign corporations.”

U.S. officials said that the botnet used by Flax Typhoon was operated and controlled by the Beijing-based cybersecurity company Integrity Technology Group. In January 2024, the U.S. government imposed sanctions on Integrity Tech over its alleged links to Flax Typhoon.

Salt Typhoon

The latest, and potentially most ominous, group in China’s government-backed cyber army uncovered in recent months is Salt Typhoon.

Salt Typhoon hit the headlines in October 2024 for a different kind of information-gathering operation. As first reported by The Wall Street Journal, the China-linked hacking group compromised several U.S. telecom and internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon. The Journal reported later, in January 2025, that Salt Typhoon had also breached the U.S.-based internet providers Charter Communications and Windstream. U.S. cyber official Anne Neuberger said the federal government had identified an unnamed ninth hacked telco.

According to one report, Salt Typhoon may have gained access to these telcos using compromised Cisco routers. Once inside the telcos’ networks, the attackers were able to access customer call and text message metadata, including date and time stamps of customer communications, source and destination IP addresses, and phone numbers from over a million users, most of whom were individuals located in the Washington, D.C. area. In some cases the hackers were capable of capturing phone audio from senior Americans. Neuberger said that a “large number” of those whose data was accessed were “government targets of interest.”

By hacking into the systems that law enforcement agencies use for court-authorized collection of customer data, Salt Typhoon also potentially gained access to data and systems that house much of the U.S. government’s data requests, including the potential identities of Chinese targets of U.S. surveillance.

It’s not yet known when the breach of the wiretap systems occurred, but it may date back to early 2024, according to the Journal’s reporting.

AT&T and Verizon told TechCrunch in December 2024 that their networks were secure after being targeted by the Salt Typhoon espionage group. Lumen confirmed soon after that its network was free of the hackers.

First published October 13, 2024 and updated.
