
TYPHOON IN THE FIFTH DOMAIN : CHINA’S EVOLVING CYBER STRATEGY

Published On : 2025-09-03

EXECUTIVE SUMMARY

China’s cyber operations have evolved from economic espionage to strategic, politically driven campaigns that pose significant threats to Western critical infrastructure and global security. The Salt Typhoon and Volt Typhoon campaigns highlight this transformation; the former penetrated telecommunications networks in over 80 countries, accessing vast communications and geolocation data, and the latter embedded malware in U.S. critical infrastructure sectors like energy, transportation, and water systems. These campaigns exploit vulnerabilities in the U.S.’s decentralized, privately managed systems, contrasting with China’s state-controlled cyber defenses. Their global scope and sophisticated techniques underscore China’s ambition to dominate cyberspace, raising serious concerns about national security and the resilience of open societies.

INTRODUCTION

Cyberspace has emerged as a critical arena for geopolitical rivalry, with state-sponsored cyber operations posing unprecedented risks to national and global security. Among major cyber actors—Russia, China, Iran, and North Korea—China has undergone a profound shift, moving from opportunistic economic espionage to strategic campaigns aimed at political and military dominance. The Salt Typhoon and Volt Typhoon campaigns, uncovered in 2023 and 2024, exemplify this evolution, targeting U.S. telecommunications and critical infrastructure with unmatched scale and sophistication. Salt Typhoon enabled mass surveillance of communications across multiple countries, while Volt Typhoon positioned China to disrupt essential services in a potential crisis, such as over Taiwan. This blog post explores the historical evolution of China’s cyber strategy, the operational details of these campaigns, their far-reaching impacts, and the structural challenges they expose in Western cybersecurity, particularly in the U.S.’s fragmented approach.

HISTORICAL EVOLUTION OF CHINA’S CYBER OPERATIONS

China’s cyber activities have progressed through three distinct phases, each reflecting its broader geopolitical and technological ambitions. In the first phase, from the early digital age to around 2013, China focused on economic espionage, exploiting vulnerabilities in Western corporate and government systems to steal intellectual property and sensitive data. The absence of international consequences and the economic benefits—fueling China’s rapid industrial growth—drove the development of its early cyber capabilities, which differed from Russia’s politically motivated operations.

The second phase – from 2013 to 2020 – marked a shift toward centralization and strategic objectives under President Xi Jinping’s reforms. The establishment of the Cyberspace Administration of China and streamlined intelligence and military cyber commands reflected Xi’s desire to consolidate control over previously chaotic hacking networks (the 2015 attack on the U.S. Office of Personnel Management, which compromised over 20 million federal security clearance records, being a case in point). External pressures also shaped this phase, notably the 2015 Obama-Xi agreement, driven by U.S. outrage over commercial espionage; the agreement arguably led to a temporary reduction in such activity and prompted further centralization of China’s cyber operations. Edward Snowden’s 2013 revelations about U.S. surveillance capabilities were a turning point, however, triggering a “Sputnik moment” for China. The leaks spurred the “Made in China 2025” strategy, prioritizing technological self-reliance and reducing the emphasis on commercial hacking in favor of geopolitical objectives.

The third phase (since 2020) has seen China pivot to politically and militarily driven cyber operations, as evidenced by the Salt Typhoon and Volt Typhoon. These campaigns reflect a strategic intent to dominate cyberspace, leveraging covert operations to achieve geopolitical leverage, particularly in potential conflicts like a Taiwan crisis. Unlike earlier phases focused on data theft, these operations prioritize disruption and deterrence, marking a significant escalation in China’s cyber threat profile.

SALT TYPHOON: A GLOBAL ESPIONAGE CAMPAIGN

Salt Typhoon, uncovered in 2023, was a state-sponsored intelligence operation that penetrated telecommunications networks in over 80 countries, with a significant focus on the U.S. Described as a “Snowden-level” breach, it compromised major U.S. carriers, accessing vast communications data (including call records, private messages, and geolocation data), and exploited outdated telecommunications infrastructure and vulnerabilities in cybersecurity products, using stolen credentials from unrelated hacks. By employing “living off the land” techniques—hijacking legitimate processes and programs—the hackers maintained persistent access, moving laterally across networks to secure optimal spying positions without detection.

The campaign’s global scope enabled Chinese intelligence to aggregate extensive datasets, creating a comprehensive intelligence picture far beyond traditional espionage, and prompting the FBI to call it one of the most consequential cyber breaches in U.S. history (particularly due to its access to systems used for court-authorized wiretapping, which could undermine law enforcement capabilities). The operation’s ability to track movements via geolocation data raised significant privacy and security concerns, prompting U.S. officials to urge elites to adopt end-to-end encrypted messaging on the assumption that their communications were already compromised. The campaign’s persistence, undetected for up to three years, highlights the vulnerabilities in U.S. telecom infrastructure, much of which is privately owned and suffers from inconsistent cybersecurity investment driven by commercial priorities.

The responses from U.S. carriers varied: Verizon contained the incident, AT&T confirmed limited targeting of individuals of foreign intelligence interest, and T-Mobile reported preventing data exfiltration through robust defenses. The FBI notified approximately 600 companies potentially targeted due to their commercial relationships or network vulnerabilities, underscoring the broad exposure of U.S. systems.

VOLT TYPHOON: A THREAT TO CRITICAL INFRASTRUCTURE

Volt Typhoon, uncovered in 2024, was a military-led operation by the People’s Liberation Army, targeting U.S. critical infrastructure for potential sabotage. Unlike Salt Typhoon’s espionage focus, Volt Typhoon embedded “digital booby traps” in sectors including manufacturing, utilities, transportation, construction, maritime, IT, education, and government. These implants, designed to evade detection, prioritized the ability to disrupt operations during a crisis, such as a Taiwan conflict. U.S. officials, supported by Five Eyes allies, view these implants as strategic assets intended to cause widespread economic and societal harm, comparable to multiple simultaneous ransomware attacks without financial motives, such as the 2019 attack on a private company that crippled English policing forensics or the Colonial Pipeline outage.

The operation’s targets—water treatment plants, power grids, transportation systems, and other dual-use infrastructure—reflect China’s strategic intent to degrade U.S. military mobilization and civilian resilience. For example, disrupting power grids could halt hospital operations or ammunition production, while targeting seaports could delay Pacific reinforcements, all without directly attacking military targets. FBI Director Christopher Wray’s 2024 testimony emphasized the “real-world harm” potential of these capabilities, which could impose significant civilian costs and deter U.S. intervention in a crisis. The implants’ covert design, mimicking normal network activity, made them exceptionally difficult to detect, highlighting the sophistication of China’s military cyber operations.

Volt Typhoon’s strategic focus aligns with China’s doctrine of “active defense,” which emphasizes preemptive strikes to prevent enemy action. The operation’s potential to cause cascading failures—disrupting multiple sectors simultaneously—underscores its threat to public safety and economic stability. The absence of healthcare as a target further suggests a deliberate focus on sectors critical to military and civilian operations, aligning with China’s broader geopolitical objectives. The campaign’s covert nature, also undetected for years, reflects China’s shift from passive espionage to active, disruptive strategies, marking a new era in its cyber operations.

STRUCTURAL CHALLENGES

The success of Salt and Volt Typhoon stems from structural differences between China’s authoritarian cyberdefense model and the decentralized, democratic approach of most of the rest of the world. China’s Great Firewall, developed in the late 1990s for censorship, serves as a robust defense mechanism, screening malicious code and protecting critical systems like water treatment plants, power grids, and telecommunications networks. This integrated monitoring, backed by direct state control, allows China to pursue offensive operations with reduced fear of retaliation, as its infrastructure operates with multiple layers of protection.

In contrast, U.S. critical infrastructure is managed by thousands of private entities with varying cybersecurity capabilities and threat awareness (small utility companies, for example, may rely on outdated systems with default passwords, making them easy targets for sophisticated actors). Legal constraints, such as the U.S. Constitution’s Fourth Amendment ban on warrantless monitoring, limit government oversight, unlike China’s real-time surveillance capabilities. This patchwork cybersecurity, coupled with an absence of blanket government oversight, hinders comprehensive defense. The Biden administration’s 2021 mandates for pipelines, rail, and water utilities improved basic protections, for instance, but legal challenges paused the water utility mandates, leaving that sector exposed. The reliance on private companies, driven by commercial bottom lines, contrasts sharply with China’s state-controlled model, creating an asymmetry that China exploits to maintain persistent access and evade detection.

Such exploitation of outdated infrastructure underscores a long-standing issue in the U.S. telecommunications sector. Policy debates have focused on banning Chinese-manufactured equipment – such as through a $3 billion replacement program – but Salt Typhoon exploited vulnerabilities in Western-manufactured systems, indicating a broader problem of infrastructure obsolescence. The difficulty of detecting “living off the land” techniques, used in both campaigns, further complicates defense efforts, as intruders blend seamlessly with normal network activity.
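Because a “living off the land” intruder runs the same built-in utilities that administrators use every day, matching on the binary itself is useless; what a defender can do is learn what is normal for each host and user and flag the utility when it shows up in a new combination. The following Python script is an added illustration of that baseline-deviation approach and is not code from the original post or from any of the organizations it discusses. The host names, user names, watch-listed utilities, and all log lines are constructed sample data (the log format is a hypothetical key=value layout, not any vendor’s telemetry).

```python
"""
Baseline-deviation detector for "living off the land" (LOTL) activity.

Idea: from a baseline window of process-creation logs, learn which
(host, user, executable) triples and which parent->child pairs are
normal. In the detection window, a watch-listed built-in utility that
appears under a never-seen host/user or a never-seen parent is scored.
Everything below is constructed sample data, not real telemetry.
"""
from collections import defaultdict

# Built-in utilities that need no malware on disk and are therefore
# favored by LOTL intrusions. Membership is a filter, not a verdict:
# novelty relative to the baseline is what triggers a hit.
WATCHLIST = {
    "netsh.exe", "wmic.exe", "ntdsutil.exe", "powershell.exe", "cmd.exe",
    "certutil.exe", "reg.exe", "schtasks.exe", "net.exe", "ssh", "bash",
}

# Constructed baseline: two weeks of "known good" activity, abbreviated.
BASELINE_LOGS = """\
2025-06-01T08:02:11Z host=ws-17 user=alice parent=explorer.exe image=outlook.exe
2025-06-01T08:05:40Z host=ws-17 user=alice parent=explorer.exe image=excel.exe
2025-06-01T09:15:02Z host=dc-01 user=svc-backup parent=services.exe image=ntdsutil.exe
2025-06-01T09:16:33Z host=dc-01 user=svc-backup parent=services.exe image=ntdsutil.exe
2025-06-02T07:58:19Z host=ws-17 user=alice parent=explorer.exe image=outlook.exe
2025-06-02T10:22:45Z host=dc-01 user=svc-backup parent=services.exe image=ntdsutil.exe
2025-06-02T11:03:09Z host=it-box user=bob parent=cmd.exe image=netsh.exe
"""

# Constructed detection window: ordinary mail use, then built-in tools
# launched from a document viewer and a backup utility run by an
# unexpected account.
DETECTION_LOGS = """\
2025-06-15T02:41:07Z host=ws-17 user=alice parent=explorer.exe image=outlook.exe
2025-06-15T02:43:55Z host=ws-17 user=alice parent=winword.exe image=cmd.exe
2025-06-15T02:44:10Z host=ws-17 user=alice parent=cmd.exe image=netsh.exe
2025-06-15T02:51:30Z host=dc-01 user=svc-backup parent=services.exe image=ntdsutil.exe
2025-06-15T02:53:02Z host=dc-01 user=helpdesk parent=cmd.exe image=ntdsutil.exe
"""


def parse_line(line):
    """Turn 'TS k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def build_baseline(events):
    """Known (host, user, image) triples and known parents per image."""
    triples = set()
    parents = defaultdict(set)
    for e in events:
        triples.add((e["host"], e["user"], e["image"]))
        parents[e["image"]].add(e["parent"])
    return triples, parents


def score_event(event, triples, parents):
    """0 for non-watchlisted or fully familiar events; +2 for a new
    host/user using the utility, +1 for a parent never seen for it."""
    reasons = []
    if event["image"] not in WATCHLIST:
        return 0, reasons
    score = 0
    if (event["host"], event["user"], event["image"]) not in triples:
        score += 2
        reasons.append("new host/user for this utility")
    if event["parent"] not in parents.get(event["image"], set()):
        score += 1
        reasons.append(f"unseen parent {event['parent']}")
    return score, reasons


def detect(baseline_text, detection_text, threshold=2):
    """Return the detection-window events whose novelty score meets the threshold."""
    triples, parents = build_baseline(parse_logs(baseline_text))
    hits = []
    for e in parse_logs(detection_text):
        score, reasons = score_event(e, triples, parents)
        if score >= threshold:
            hits.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                         "image": e["image"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(BASELINE_LOGS, DETECTION_LOGS):
        print(f"{hit['ts']} {hit['host']} {hit['user']} {hit['image']} "
              f"score={hit['score']} ({'; '.join(hit['reasons'])})")
```

On the sample data the legitimate backup account’s nightly ntdsutil.exe run scores zero, while the same binary under a help-desk account and the cmd.exe/netsh.exe chain spawned from a document viewer are surfaced. In production the baseline would be rebuilt on a rolling window and the watch-list tuned per environment, since a utility that is rare on workstations may be routine on jump hosts.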

IMPLICATIONS

The Salt and Volt Typhoon campaigns pose profound national security risks with far-reaching implications for the U.S. and global stability. Salt Typhoon’s access to telecommunications enables surveillance of U.S. officials and citizens, potentially compromising sensitive operations, personal data, and law enforcement capabilities. Its global reach, affecting over 80 countries, amplifies its strategic impact, allowing China to build comprehensive intelligence profiles that enhance its geopolitical leverage. The breach of wiretapping systems raises particular concern, as it could give China insight into U.S. investigative processes, undermining national security operations.

Volt Typhoon’s implants threaten cascading disruptions to critical infrastructure, undermining U.S. military readiness and civilian life. By targeting dual-use systems like power grids and water utilities, China could disrupt hospital operations, ammunition production, or military mobilization without directly attacking military targets, maintaining plausible deniability. This aligns with Chinese military theorists’ concept of “strategic deterrence,” using cyber operations to impose costs while avoiding overt escalation. In a Taiwan crisis, for example, the ability to delay U.S. military deployments by disrupting rail networks or triggering power outages could alter U.S. decision-making by increasing domestic political costs, deterring intervention.

The global scope of these campaigns, particularly Salt Typhoon’s reach across multiple continents, underscores China’s ambition to dominate cyberspace as part of its broader competition with the U.S. for technological and geopolitical supremacy. The campaigns’ covert nature, together with the years they went undetected, highlights the difficulty of attributing and responding to state-sponsored cyber operations. China’s consistent denials of involvement – citing a lack of “conclusive and reliable evidence” – complicate diplomatic efforts. The failure of the 2015 Obama-Xi agreement to curb China’s cyber activities, followed by breaches like the 2023 Microsoft cloud services hack, illustrates the limitations of traditional diplomacy in addressing cyber threats.

The campaigns also expose broader vulnerabilities in Western cybersecurity. The U.S.’s decentralized approach, reliant on private-sector cooperation, struggles to match China’s integrated, state-controlled model. The exploitation of outdated infrastructure and the difficulty of detecting sophisticated intrusion techniques highlight the technical and policy challenges facing Western nations where privacy laws are in force and commercial entities can dictate their own means of cybersecurity. The global nature of these threats suggests that China’s cyber strategy could reshape international norms, challenging the security of open, digitized societies. The campaigns’ potential to disrupt civilian infrastructure while maintaining plausible deniability underscores the need for a deeper understanding of the evolving cyber threat landscape.

CONCLUSION

The above campaigns mark a significant evolution in China’s cyber strategy, from economic espionage to politically driven operations that threaten Western critical infrastructure. Salt Typhoon’s infiltration of telecommunications networks and Volt Typhoon’s sabotage preparations in U.S. sectors like energy and transportation reveal China’s intent to dominate cyberspace, exploiting vulnerabilities in the U.S.’s fragmented cybersecurity framework. These campaigns, leveraging sophisticated techniques and plausible deniability, pose significant risks to national security, from compromised communications to potential disruptions of military and civilian operations. The structural advantages of China’s authoritarian cyberdefense model, contrasted with the U.S.’s decentralized approach, underscore the challenges of securing privately owned systems against a state-backed actor with vast resources. As China’s cyber capabilities grow more sophisticated and disruptive, Western nations must confront the reality of a new threat landscape, where digital vulnerabilities could reshape geopolitical outcomes and challenge the resilience of open societies.