
The Federal Bureau of Investigation has issued a warning that a confirmed Chinese state-sponsored hacking campaign has expanded significantly, now reaching critical infrastructure in over 80 countries [1]. This development, reported by The Washington Post, confirms that Chinese hackers obtained deep access to major communication carriers within the United States and other nations [2]. The scale of this operation, part of a broader strategy known as Salt Typhoon, is believed to have impacted as many as 80 telecommunications and internet providers globally, a number significantly higher than previously understood [3].
This campaign represents a strategic effort to pre-position within essential services networks worldwide, potentially including providers in major allied nations. The objective extends beyond traditional espionage, aiming to gain the capability to physically disrupt critical infrastructure during potential geopolitical crises. FBI Director Christopher Wray has characterized the People’s Republic of China’s targeting as “both broad and unrelenting,” aimed at every sector that makes society function, including water treatment, energy grids, and transportation systems [4].
Technical Analysis of Major Campaigns
The Salt Typhoon campaign represents a sophisticated espionage operation targeting global telecommunications companies to access call records and the content of texts and phone calls. By December 2024, nine U.S. telecom firms were confirmed compromised, including major providers such as Verizon, AT&T, Lumen, and T-Mobile [5]. The campaign granted Beijing access to private communications of an unknown number of Americans, with a particular focus on targets in the Washington-Virginia area, including government officials and political figures [6].
Parallel to Salt Typhoon, the Volt Typhoon campaign has maintained persistent access to critical infrastructure networks using living-off-the-land techniques to blend with normal network activity. This approach avoids traditional malware deployment, instead leveraging legitimate system tools for pre-operational reconnaissance and network exploitation [7]. The FBI, with international partners, conducted court-authorized operations to remove malicious implants from hundreds of infected routers in the U.S., effectively severing China’s connection to these compromised devices [8].
Historical Context and Strategic Objectives
This behavior follows historical patterns of Chinese cyber operations against critical infrastructure. As early as 2011, CCP-sponsored actors targeted 23 U.S. pipeline operators, demonstrating long-standing interest in industrial control systems [9]. In one documented case, when an energy company established a honeypot, hackers ignored financial data and within minutes exfiltrated documents related to control and monitoring systems, indicating clear malicious intent beyond economic espionage.
The strategic objective appears focused on gaining positioning within critical networks to enable physical disruption during times of conflict or geopolitical tension. Director Wray has stated that the goal is to “physically wreak havoc on our critical infrastructure at a time of its choosing” to “induce panic and break America’s will to resist,” particularly in a potential crisis over Taiwan [10]. The scale of this threat is immense, with Wray noting that China’s cyber operatives outnumber FBI cyber personnel by at least 50 to 1.
Defensive Recommendations and Mitigation Strategies
In response to these campaigns, the FBI has issued specific guidance for organizations and individuals. For sensitive communications, the Bureau recommends using encrypted messaging applications such as Signal or WhatsApp instead of traditional SMS text messaging [11]. Organizations should implement multi-factor authentication that does not rely on SMS-based verification codes, which could be intercepted through compromised telecommunications infrastructure.
The White House, through Deputy National Security Advisor Anne Neuberger, has indicated that the administration is pushing for mandatory cybersecurity regulations in the telecom sector, acknowledging that “voluntary cyber security practices are inadequate” against state-sponsored threats [12]. This represents a significant policy shift toward regulatory requirements for critical infrastructure protection.
Organizations should prioritize developing and testing incident response plans, fortifying network defenses, and establishing clear communication channels with law enforcement before incidents occur. Supply chain security vetting is particularly important, requiring rigorous assessment of vendor security practices and awareness of who builds the hardware and software granted network access.
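The article does not name a specific replacement for SMS codes. The following is an added example, not from the article or the FBI guidance, of one widely deployed alternative: time-based one-time passwords (TOTP, RFC 6238). The point it illustrates is that after a one-time enrolment both sides compute each code locally from a shared secret, so no code ever travels over the carrier network that Salt Typhoon is described as having compromised. The secret and timestamps below are the RFC's published test values, used here as constructed demo input; the replay guard is the one addition a verifier needs beyond the RFC arithmetic.

```python
"""
Added example: app-based TOTP verification (RFC 6238) as an MFA factor that does
not depend on SMS delivery. Not code from the article or from any vendor.
"""
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" as base32).
# Constructed demo input only; real secrets come from enrolment, never source code.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation,
    reduced modulo 10^digits and zero-padded."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check for a single enrolled secret.

    - Accepts the code for the current time step or +/- `window` steps to
      tolerate clock skew between server and authenticator app.
    - Compares in constant time.
    - Records the step of the last accepted code and refuses anything at or
      before it, so a code observed once cannot be replayed within its window.
    """

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.window = window
        self.last_accepted_step = -1

    def verify(self, candidate: str, at: int) -> bool:
        current = at // self.step
        for drift in range(-self.window, self.window + 1):
            step_index = current + drift
            if step_index <= self.last_accepted_step:
                continue  # replay or older than something already used
            expected = totp(self.secret_b32, step_index * self.step, self.step)
            if hmac.compare_digest(expected, candidate):
                self.last_accepted_step = step_index
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(RFC_SECRET_B32)
    print("code at t=59:", totp(RFC_SECRET_B32, 59))       # 287082
    print("first use:", v.verify("287082", 59))            # True
    print("replay:", v.verify("287082", 59))               # False
```

Only the enrolment secret has to be protected; a carrier-side observer sees nothing usable, which is the property that SMS codes lack. Authenticator apps and hardware tokens implement the same arithmetic, so the verifier above is interoperable with them once a real secret is enrolled.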
Operational Response and Resource Challenges
The U.S. response strategy emphasizes collaborative “joint, sequenced operations” involving multiple agencies including the FBI, U.S. Cyber Command, the CIA, foreign law enforcement, and private sector partners [13]. This approach involves sharing targeting information, co-authoring cybersecurity advisories with CISA, and conducting coordinated technical and law enforcement actions to disrupt threats proactively.
Resource constraints present significant challenges to effective response. The President’s Fiscal Year 2024 Budget Request included an additional $63 million for the FBI to hire more agents and enhance cyber response capabilities [14]. Director Wray has warned that budget cuts would hinder the FBI’s ability to combat CCP threats “before they can do significant harm,” emphasizing that investment is needed to prepare for challenges anticipated by 2027.
The Chinese government has consistently denied responsibility for all alleged hacking campaigns, maintaining its official position of non-involvement in cyber operations against other nations. However, the technical evidence and intelligence assessments from multiple allied nations consistently attribute these campaigns to state-sponsored actors operating with at least tacit approval from Chinese leadership.
The expansion of these campaigns to 80 countries represents a global security concern that requires international cooperation and coordinated defensive measures. Organizations operating critical infrastructure must assume they are targeted and implement appropriate security controls, monitoring capabilities, and incident response plans to detect and mitigate these advanced threats.