Full Report
Dubbed Volt, Flax and Salt Typhoon, U.S. intelligence says these China-backed hackers are laying the groundwork for future conflict. © 2024 TechCrunch.
Analysis Summary
# Threat Actor: VOLT TYPHOON & SALT TYPHOON (China-Backed)
## Attribution & Identity
These groups are identified as Chinese government-backed hackers and belong to the broader "Typhoon" family of Chinese state-linked intrusion sets (Microsoft's naming convention for China-nexus actors). Salt Typhoon used a Beijing-based cybersecurity company to help conceal its activities; the U.S. Treasury sanctioned that company in January 2025.
## Activity Summary
The activity centers on preparatory measures for potential destructive cyberattacks against U.S. critical infrastructure in the event of a future conflict (e.g., over Taiwan).
* **Volt Typhoon:** Active since at least mid-2021 (potentially up to five years), this group has been burrowing deep into U.S. critical infrastructure networks. In January 2024, the U.S. disrupted a botnet used by Volt Typhoon, which consisted of thousands of hijacked U.S.-based small office/home office routers used for hiding malicious activity. By January 2025, over 100 intrusions linked to Volt Typhoon were discovered across the US and its territories, with a significant focus on Guam.
* **Salt Typhoon:** This group appeared later, targeting U.S. phone and internet giants (including Charter Communications, Windstream, AT&T, Verizon, and Lumen). Their primary focus during recent activity (reported late 2024) was intelligence gathering via telecom systems, including access to wiretap data.
## Tactics, Techniques & Procedures
- **Living Off the Land (LOTL) Techniques:** Cited in Microsoft's initial public identification of Volt Typhoon. The group relies on tools already present on victim systems (built-in OS utilities, administrative interfaces, valid accounts) rather than dropping custom malware, so there is little for signature-based tooling to find and detection has to focus on anomalous use of legitimate tools and credentials.
- **Network Equipment Compromise:** Volt Typhoon targeted and compromised edge network equipment such as routers, firewalls, and VPN appliances.
- **Exploiting End-of-Life Devices:** Volt Typhoon gained access by exploiting vulnerabilities in devices that have reached end of life and no longer receive security updates, so the flaws cannot be patched away.
- **Botnet Utilization:** Volt Typhoon routed its activity through a botnet of hijacked U.S.-based SOHO routers, so that traffic reaching victims appeared to originate from domestic residential and small-business addresses rather than from abroad.
- **Targeting Wiretap Systems:** Salt Typhoon accessed the telecom systems that law enforcement uses for court-authorized data collection, potentially exposing which Chinese targets are under U.S. surveillance.
- **Data Collection and Exfiltration:** Salt Typhoon was able to gather customer call and text-message metadata (date and time stamps, source and destination IP addresses, phone numbers) and potentially capture phone audio of senior American political figures.
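The LOTL point above is the one that changes how defenders have to work: the binaries involved are signed Windows components, so a detection cannot key on the file, only on how it is invoked and by whom. The following is an added example, not code from the article or from any of the organisations it names, of a small process-creation detector over constructed, pipe-delimited log lines (timestamp, host, user, parent image, image, command line). The command-line patterns (netsh portproxy, ntdsutil ifm, wmic process call create, vssadmin shadow creation) are assumed from public advisories on Volt Typhoon, not from this page, and the hostnames, users and events are invented. It also shows the tuning step a practitioner needs: a single LOTL command is routine admin work, so only a principal that chains two or more distinct techniques on one host is escalated.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not from the article or any real incident):
# "timestamp|host|user|parent_image|image|command_line", one event per line.
SAMPLE_EVENTS = r"""
2024-01-15T02:11:07Z|fileserver01|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.5.20
2024-01-15T02:13:40Z|dc01|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\ntdsutil.exe|ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q
2024-01-15T08:02:19Z|hr-laptop07|CORP\asmith|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
2024-01-15T09:30:55Z|fileserver01|CORP\svc_backup|C:\Windows\System32\services.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2024-01-15T23:48:02Z|dc01|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic process call create "cmd /c netsh interface portproxy show all"
"""


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    ts: str
    cmdline: str


# (rule name, regex on the image path, regex on the command line). All are
# legitimate Windows tools; the argument pattern is what makes them suspicious.
# Patterns are assumed from public Volt Typhoon advisories, not from the article.
LOTL_RULES = [
    ("netsh_portproxy_add", r"netsh\.exe$", r"\bportproxy\b.*\badd\b"),
    ("ntdsutil_ifm_dump", r"ntdsutil\.exe$", r"\bntds\b.*\bifm\b|\bifm\b.*\bcreate\b"),
    ("wmic_remote_process_create", r"wmic\.exe$", r"\bprocess\b.*\bcall\b.*\bcreate\b"),
    ("vssadmin_shadow_create", r"vssadmin\.exe$", r"\bcreate\b.*\bshadow\b"),
]
# Case-insensitive: Windows paths and tool arguments are not case-sensitive.
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I)) for n, i, c in LOTL_RULES]


def parse_events(text):
    """Parse pipe-delimited lines into Event records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 5)  # command line is the last field and may contain spaces
        if len(parts) != 6:
            continue  # do not let one bad line stop the pipeline
        events.append(Event(*parts))
    return events


def match_rules(event):
    """Return the names of every rule whose image AND command-line patterns both match."""
    return [name for name, image_re, cmd_re in COMPILED
            if image_re.search(event.image) and cmd_re.search(event.cmdline)]


def detect_lotl(text):
    """Run all rules over the log text and return one Alert per (event, rule) hit."""
    alerts = []
    for ev in parse_events(text):
        for rule in match_rules(ev):
            alerts.append(Alert(rule, ev.host, ev.user, ev.ts, ev.cmdline))
    return alerts


def correlate(alerts, min_distinct_rules=2):
    """Group alerts by (host, user) and keep only principals that tripped at least
    min_distinct_rules different rules: a chain of LOTL techniques on one host
    by one account is the signal, a lone admin command usually is not."""
    by_principal = defaultdict(set)
    for a in alerts:
        by_principal[(a.host, a.user)].add(a.rule)
    return {k: sorted(v) for k, v in by_principal.items() if len(v) >= min_distinct_rules}


if __name__ == "__main__":
    found = detect_lotl(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.ts} {a.host} {a.user}: {a.cmdline}")
    for (host, user), rules in correlate(found).items():
        print(f"ESCALATE {host} {user}: {', '.join(rules)}")
```

On the sample data the Outlook launch and `vssadmin list shadows` produce nothing, the port-proxy command on fileserver01 produces one alert but is not escalated on its own, and dc01 is escalated because the same account both dumped NTDS via `ntdsutil ifm` and spawned a process through WMIC. In production the same two functions would read from Sysmon event 1 or Security event 4688 exports rather than a literal string.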
## Targeting
- **Sectors:** Critical Infrastructure (Energy, Water, Transportation, Aviation), Telecommunications (Phone and Internet Giants).
- **Geography:** United States and U.S. territories, with a large number of Volt Typhoon attacks specifically targeting **Guam**, a strategic location for U.S. military operations. Victims included the main power authority and largest cell provider on Guam.
- **Victims:** Thousands of internet-connected devices (the hijacked SOHO routers); AT&T, Verizon, Lumen, Charter Communications, and Windstream. Individuals were also targeted through the telecom access, including senior American political figures and people in the Washington D.C. area.
## Tools & Infrastructure
- **Malware Families:** None named in the article. The only tooling it describes is the Volt Typhoon **botnet** of thousands of hijacked U.S.-based small office/home office (SOHO) routers.
- **Infrastructure (C2, domains, IPs):** No domains or IP addresses are given. The article implies that command and control ran through compromised network equipment (routers, firewalls, VPN appliances) and the SOHO router botnet, and that Salt Typhoon may have gained initial access via compromised **Cisco routers**.
## Implications
This activity represents an "epoch-defining threat," shifting from traditional espionage to pre-positioning for **destructive cyberattacks** aimed at causing real-world harm and disrupting the U.S. military's ability to mobilize during a major conflict. Salt Typhoon specifically demonstrates an advanced intent to compromise sensitive U.S. law enforcement/intelligence enablers (wiretap systems).
## Mitigations
- Patch and harden network equipment (routers, firewalls, VPN appliances) and replace end-of-life devices that can no longer be patched, since those are the documented entry points.
- Assume compromise by state-sponsored actors and build defense in depth, especially within critical infrastructure.
- Hunt proactively for pre-positioned access rather than waiting for malware alerts: because the actors live off the land, the indicators are anomalous use of legitimate accounts, built-in tools, and edge-device management interfaces, not malicious files.
- In the telecommunications sector, treat the systems used for court-authorized law enforcement data collection as highest-value assets and secure them accordingly, since their compromise exposes surveillance targets and sources.