
Chinese state-sponsored hacking operations targeting U.S. critical infrastructure have reached unprecedented levels, according to current and former officials. Recent incidents reveal a strategic shift from espionage to prepositioning malware for potential sabotage during geopolitical crises, particularly involving Taiwan [1].
Key Incidents and Tactics
The Volt Typhoon campaign, active since 2023, compromised energy, water, and transportation systems in Guam and the mainland U.S. using “living off the land” (LotL) techniques. This group, linked to China’s PLA, avoids traditional malware by leveraging legitimate tools like PowerShell and network administration software [2]. A 2024 breach of nine U.S. telecom providers (Salt Typhoon) enabled surveillance of government officials, including devices used by political campaigns. The Treasury Department hack in December 2024 targeted OFAC systems, likely in retaliation for sanctions on Chinese firms supporting Russia [3].
| Group | Affiliation | Primary Targets |
|---|---|---|
| APT 41 | MSS | COVID-19 relief funds ($10M theft) |
| Volt Typhoon | PLA | U.S. energy/water systems |
| STORM-0558 | MSS | Microsoft Exchange breaches |
Operational Evolution
China has integrated AI tools like DeepSeek to automate malware deployment, enabling synchronized attacks across multiple sectors. The 2017 National Intelligence Law legally compels Chinese firms to assist state security operations, while the 2023 Counter-Espionage Law expanded the definition of “national security” to include economic data collection [4]. New tactics include undersea cable sabotage by vessels like Shunxin 39 and recruitment of civilian hackers through competitions such as Tianfu Cup.
U.S. Countermeasures
The U.S. has implemented several defensive measures:
- TikTok Divestment Law (2024): Requires ByteDance to sell TikTok or face a ban
- Executive Order 14117: Restricts bulk data transfers to China
- CFIUS Expansion: Scrutinizes Chinese acquisitions of U.S. data firms
DHS has deployed AI-driven threat hunting in critical infrastructure, while CISA mandates Zero-Trust Architecture to limit lateral movement in compromised networks [5].
Technical Relevance
The LotL techniques used by Volt Typhoon pose detection challenges for traditional security tools. Network defenders should:
- Monitor for anomalous use of built-in administrative tools
- Implement strict application allowlisting
- Conduct regular threat hunting for dormant credentials
CISA’s AA24-038A advisory provides specific detection rules for these activities, including Sigma rules for SIEM platforms [6].
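The three defender recommendations above (watch built-in admin tools, enforce an allowlist, hunt for dormant credentials) can be expressed as simple rules over process-creation telemetry and an account inventory. The following is an added illustration written for this page, not the advisory’s Sigma rules and not code from any of the cited sources. The tool set, the admin baseline, the allowlist, the account list and every log line are constructed sample data; real deployments would derive the baseline and allowlist from their own telemetry.

```python
"""Toy LotL detector: flags anomalous use of built-in admin tools, allowlist
violations and dormant-but-enabled accounts. Added example; all data is constructed."""
import json
import re
from datetime import datetime, timezone

# Built-in Windows tools frequently involved in living-off-the-land activity (assumed set).
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "netsh.exe", "ntdsutil.exe", "certutil.exe"}
# Accounts observed running those tools during a baseline period (constructed).
ADMIN_BASELINE = {"CORP\\svc-patch", "CORP\\it-admin1"}
# Application allowlist: image -> parent processes it is expected to be launched from (constructed).
ALLOWLIST = {
    "powershell.exe": {"services.exe", "cmd.exe", "explorer.exe"},
    "netsh.exe": {"cmd.exe", "services.exe"},
    "notepad.exe": {"explorer.exe"},
}
# Matches PowerShell's -e / -ec / -enc / -EncodedCommand switch followed by a payload token.
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+\S+")

# Constructed process-creation events (one JSON object per line, Sysmon-like field names).
RAW_EVENTS = r"""
{"ts":"2025-03-02T03:14:07Z","host":"hmi-01","user":"CORP\\svc-patch","image":"powershell.exe","parent":"services.exe","cmd":"powershell.exe -File C:\\patch\\run.ps1"}
{"ts":"2025-03-02T03:20:11Z","host":"hmi-01","user":"CORP\\jdoe","image":"powershell.exe","parent":"w3wp.exe","cmd":"powershell.exe -nop -w hidden -enc UwBhAG0AcABsAGUA"}
{"ts":"2025-03-02T03:22:45Z","host":"gw-02","user":"CORP\\jdoe","image":"netsh.exe","parent":"cmd.exe","cmd":"netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.0.5.7"}
{"ts":"2025-03-02T04:01:00Z","host":"ws-17","user":"CORP\\alice","image":"notepad.exe","parent":"explorer.exe","cmd":"notepad.exe report.txt"}
{"ts":"2025-03-02T04:05:30Z","host":"ws-17","user":"CORP\\alice","image":"tool.exe","parent":"explorer.exe","cmd":"tool.exe"}
"""

# Constructed account inventory for the dormant-credential hunt.
ACCOUNTS = [
    {"name": "CORP\\old-vendor", "enabled": True, "last_logon": "2024-09-01T00:00:00Z"},
    {"name": "CORP\\jdoe", "enabled": True, "last_logon": "2025-03-01T08:00:00Z"},
    {"name": "CORP\\legacy-backup", "enabled": False, "last_logon": "2024-01-01T00:00:00Z"},
]
NOW = datetime(2025, 3, 2, tzinfo=timezone.utc)  # fixed "current time" so results are reproducible


def parse_events(raw):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def check_event(ev):
    """Return the names of every rule an event trips."""
    image, parent = ev["image"].lower(), ev["parent"].lower()
    user, cmd = ev["user"], ev["cmd"]
    hits = []
    # Admin tool launched by an account outside the baseline of expected operators.
    if image in ADMIN_TOOLS and user not in ADMIN_BASELINE:
        hits.append("admin_tool_unbaselined_account")
    # Encoded PowerShell hides the script body from casual review; always worth a look.
    if image == "powershell.exe" and ENCODED_PS.search(cmd):
        hits.append("powershell_encoded_command")
    # netsh port-forwarding rules have little business use on most endpoints.
    if image == "netsh.exe" and "portproxy" in cmd.lower():
        hits.append("netsh_portproxy")
    # Allowlist enforcement: unknown image, or a known image from an unexpected parent.
    if image not in ALLOWLIST:
        hits.append("image_not_allowlisted")
    elif parent not in ALLOWLIST[image]:
        hits.append("unexpected_parent_process")
    return hits


def analyze(raw=RAW_EVENTS):
    """Run every event through the rules; returns (rule, host, user) tuples."""
    return [(rule, ev["host"], ev["user"]) for ev in parse_events(raw) for rule in check_event(ev)]


def dormant_accounts(accounts=ACCOUNTS, now=NOW, max_idle_days=90):
    """Enabled accounts whose last logon is older than max_idle_days."""
    out = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last = datetime.fromisoformat(acct["last_logon"].replace("Z", "+00:00"))
        if (now - last).days > max_idle_days:
            out.append(acct["name"])
    return out


if __name__ == "__main__":
    for finding in analyze():
        print("ALERT", *finding)
    print("DORMANT", dormant_accounts())
```

The baseline-account rule is the part that separates routine administration from anomalous use: the same `powershell.exe -File` that is normal for the patching service account becomes interesting when it comes from a web-server worker process under a user who never runs admin tools. Tuning the baseline and allowlist per host class is where most of the real effort goes.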
Conclusion
China’s cyber operations now threaten foundational systems including GPS, financial markets, and military logistics. The U.S. response has shifted from reactive bans to systemic resilience measures, though allied coordination remains critical. Recent undersea cable attacks demonstrate the growing hybrid warfare risks in cyber conflicts.
References
- “Element of Surprise: Space and Cyber Warfare in U.S.-China Rivalry,” USIP, June 2025.
- “IntelBrief: China’s Cyber Prepositioning in U.S. Infrastructure,” Soufan Center, January 2025.
- “CISA Advisory AA24-038A: Chinese State-Sponsored Cyber Activity,” CISA, February 2024.
- “China’s Cyber Maze: Adaptive Defense Strategies,” Australian Institute of International Affairs, March 2025.
- “Managing Risks of China’s Access to U.S. Data,” Carnegie Endowment, January 2025.
- “2025 CrowdStrike Global Threat Report,” CrowdStrike, April 2025.