Code Red: A Guide to Understanding China's Sophisticated Typhoon Cyber Campaigns



ISSUE BRIEF

Code Red

A Guide to Understanding China’s Sophisticated Typhoon Cyber Campaigns

McCrary Institute for Cyber and Critical Infrastructure Security

Auburn University

Task Force on the People’s Republic of China

Co-Chairs

Frank J. Cilluffo

Director, McCrary Institute for Cyber and Critical Infrastructure Security

Commissioner, Cyberspace Solarium Commission

Hon. William Evanina

CEO, The Evanina Group, LLC

Former Director, National Counterintelligence Center

Brad Medairy

Executive Vice President, National Cyber Platform Lead, Booz Allen Hamilton

RADM (Ret.) Mark Montgomery

Senior Director, Center on Cyber and Technology Innovation

Executive Director and Vice Commissioner, Cyberspace Solarium Commission

Task Force Director

Kyle Klein

Members

Dave Bowdich

Cheri Caddy

Michael Daniel

Victoria Dillon

Mike D’Ambrosio

Ernest Ferraresso

Lauren Goldman

Matt Hayden

Andrew Howell

John Katko

Steve Kelly

Robert Kolasky

Chris Porter

Nicholas Sellers

Kiran Sridhar

Kiersten Todt

Bryan Ware

Executive Summary

The coordinated “typhoon” campaigns, led by actors like Volt Typhoon, reflect a new phase of state-sponsored cyber warfare that demands a comprehensive U.S. and allied response integrating cybersecurity, intelligence, diplomacy, and legal reform.



In recent years, the United States and its allies have faced an unprecedented surge in sophisticated cyber operations linked to the People’s Republic of China (PRC). These state-sponsored cyber incursions mark a decisive shift in Beijing’s cyber strategy beyond traditional espionage and data theft toward embedding disruptive capabilities within U.S. critical infrastructure. The intent and impact behind this activity, collectively referred to as the “typhoons” by Microsoft1, is deeply troubling. This evolution signals China’s preparation for potential future conflict and a persistent escalation in the cyber domain against the United States, in which cyber operations could be used to degrade logistics, delay deployments, or pressure U.S. decision-makers through attacks on civilian lifeline systems. Taken together, the typhoons represent a combination of disruption, operational preparation of the battlefield, espionage, and criminal behavior.

This capability exhibits a real and present danger for Americans’ daily lives, the U.S. economy, and our own ability to project military force. Whether, when, and to what extent the PRC may choose to unleash these capabilities is not known, although the potential for a 2027 invasion of Taiwan is a key indicator of potential timing that is often cited by U.S. officials. Government, industry, and the public should remain concerned that the PRC is able to exploit our information and operational systems to such a degree that daily functioning of critical sectors could one day be taken down at a time of the Chinese government’s choosing.

China’s cyber evolution builds on a decade of persistent operations, including the 2014 U.S. indictment of People’s Liberation Army (PLA) hackers and the 2015 Office of Personnel Management breach. The typhoons represent a new phase of long-term, covert access to infrastructure systems that could be exploited at Beijing’s will. The PRC’s strategy blends espionage, coercion, and gray zone warfare, leveraging cyberspace as a tool to weaken U.S. resilience without open conflict.

Among these actors, Volt Typhoon poses the most immediate operational threat. Detected in 2023, it infiltrated U.S. critical infrastructure using stealthy, credential-based methods to maintain access to energy, water, and telecommunications networks. Its goal is not espionage but disruption, positioning China to disable or manipulate systems vital to national defense. Flax Typhoon similarly exploited Internet of Things (IoT) devices, focusing on espionage and data collection, while Salt Typhoon targeted U.S. telecommunications providers, compromising data for over one million Americans, including senior government officials and political figures. This breach revealed an alarming ability to access sensitive communications and law enforcement surveillance systems. Linen, Violet, Silk, and Nylon Typhoons further demonstrate China’s agility, exploiting zero-day vulnerabilities in widely used enterprise software and expanding into political, defense, and diplomatic domains.

1 While Microsoft’s taxonomy of “typhoons” is generally considered the most widely adopted, other firms have offered alternative naming regimes for various cyber actors. Volt Typhoon, for instance, is also sometimes referred to as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, or Insidious Taurus.

These campaigns expose systemic risks across all sectors. Energy and water infrastructure face the gravest consequences, where disruptions could cascade into military, hospital, and data center outages. Telecommunications and transportation networks are equally vulnerable, while healthcare institutions present emerging targets for coercive leverage. The typhoon actors are not isolated operations. They are coordinated components of a comprehensive PRC strategy to prepare for conflict while eroding U.S. strategic confidence.

The U.S. and allies have responded through indictments, sanctions, and public attribution, but these measures remain insufficient. Existing legal frameworks, such as the Computer Fraud and Abuse Act, are poorly suited to counter state-directed cyber campaigns. International norms remain weak, and Beijing’s use of third-party contractors obscures attribution and accountability. To counter these threats, the U.S. must strengthen deterrence by hardening infrastructure through zero-trust architectures and real-time anomaly detection, while also enhancing international coordination and updating legal authorities for persistent, state-sponsored cyber conflict.

The typhoon actors mark a key moment in China’s offensive cyber strategy and capabilities, transitioning from mere theft to potential disruption at scale. Defending against this evolving threat demands a whole-of-government and allied approach that integrates cybersecurity, intelligence, diplomacy, and resilience. The challenge is no longer just technical, it is strategic, requiring the United States to adapt its policies, laws, and partnerships to confront the realities of 21st-century cyber warfare.


Introduction & Overview of China’s Cyber Evolution

Introduction

In recent years, the United States, along with allied nations and the private sector, has been increasingly confronted with a brutal new reality in cyberspace, emanating from the People’s Republic of China (PRC). The Chinese state-linked cyber actors, labeled by Microsoft as “typhoons,” represent a shift in the intent and posture of Chinese cyber activity and have presented a sobering picture of just how advanced the PRC’s cyber attacks can be. Indeed, the PRC is seeking to move beyond just traditional espionage and is preparing the battlefield for future conflict with the United States. The typhoon cyber incursions have infiltrated across several key sectors of U.S. critical infrastructure, including telecommunications, water and wastewater, government, and energy, among others.2

Overview of China’s Cyber Evolution

China’s current cyber activities are building on a decade-plus of persistent and state-linked malign activity. As early as 2014, the U.S. Department of Justice indicted five officers of China’s People’s Liberation Army (PLA) Unit 61398 for cyber-enabled theft of trade secrets, an unprecedented step that marked the first time military hackers were charged in a U.S. court.3 The 2015 breach of the Office of Personnel Management (OPM), widely attributed to Chinese operators, compromised sensitive security clearance information for over 20 million Americans.4 These early operations reflected a focus on long-term espionage and data theft. The typhoon campaigns, however, represent a more aggressive evolution by moving from exfiltrating information to embedding latent disruption capabilities within critical infrastructure. This transition underscores the PRC’s willingness to blend traditional espionage with potentially coercive leverage in anticipation of potential future conflict.5

This means the PRC seeks not just to exploit the United States in the cyber domain for intelligence collection purposes, but to underpin a strategy of so-called gray zone warfare, in which digital action may be used alongside armed conflict to render domestic critical infrastructure degraded or inoperative. The PRC is also leveraging artificial intelligence to massively scale its cyber attack capabilities, while using its deft ability to exploit edge devices to inhibit U.S. situational awareness.6 Hence, the typhoons and their activity should not be viewed in isolation, as, together, they represent an integrated PRC strategy. By embedding deeply into critical infrastructure, exploiting global telecommunications, and rapidly weaponizing new vulnerabilities, China is building an arsenal of access and disruption options it could activate during a crisis.

2 This paper will also refer to the actors as “campaigns” to underscore their nature of persistent cyber activity targeting U.S. and allied critical infrastructure.

3 “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage,” May 19, 2014, Press Release, Office of Public Affairs, U.S. Department of Justice, accessed August 28, 2025, <https://www.justice.gov/archives/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>.

4 “The OPM Hack Explained: Bad Security Practices Meet China’s Captain America,” February 12, 2020, Josh Fruhlinger, CSO Online, accessed August 28, 2025, <https://www.csoonline.com/article/566509/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html>.

5 “A New Framework for Understanding China’s Gray Zone Tactics,” 2022, The Rand Corporation, accessed August 28, 2025, <https://www.rand.org/content/dam/rand/pubs/research_briefs/RBA500/RBA594-1/RAND_RBA594-1.pdf>.

If tensions over Taiwan or another geopolitical flash point escalate, the PRC wants the ability to delay U.S. deployments, degrade logistics, or pressure American leaders by threatening civilian lifeline services. The typhoons provide the technical means to realize this strategy, giving Beijing options and tools at the expense of the United States and our allies.

For operators of critical systems, the lesson is unmistakable. Defenders must assume that adversaries from the PRC already maintain access to their systems and urgent attention must be focused on rooting them out. By detecting subtle anomalies in legitimate administrative activity, defenders can understand latent threats already in their systems. The technical remedies are already known: greater investment in zero-trust architectures, rigorous patching of edge devices, and closer coordination with government agencies to share the latest threat information. It is important for defenders to understand that the PRC’s typhoon actors aim not merely to target individual systems but to inflict maximum harm on our society by crippling key parts of America’s critical infrastructure. The PRC’s cyber strategy is designed to undermine confidence, impose costs, and weaken the resolve of the American people in the event of conflict.


6 Ribeiro, Anna, “Booz Allen Warns China’s AI-driven, Supply Chain Cyber Strategy Fuels PRC Dominance,” October 6, 2025, Industrial Cyber, accessed October 21, 2025, <https://industrialcyber.co/reports/booz-allen-warns-chinas-ai-driven-supply-chain-cyber-strategy-fuels-prc-dominance/>.

Microsoft exposed Volt Typhoon, a China-linked cyber campaign targeting U.S. infrastructure to enable potential disruption during future conflict rather than espionage or financial gain.


Volt Typhoon

In May 2023, Microsoft publicly announced it had discovered malicious cyber threat activity, designated Volt Typhoon, persistently targeting U.S. critical infrastructure. These PRC state-linked actors are believed to have begun targeting U.S. entities in 2021.7 Contributing to a broader pattern by the PRC, multiple security agencies have assessed the intent of Volt Typhoon is to infiltrate U.S. information systems and networks to disrupt the operations of critical infrastructure in the case of major future conflict between the U.S. and China.8 This underscores the evolving nature of Chinese state-sponsored cyber activity directed against the United States and other Western nations, demonstrating a desire to pose an operational threat to key sectors in the case of future conflict.9

Volt Typhoon primarily uses hands-on-keyboard and living-off-the-land methods to find, leverage, and exfiltrate data on compromised systems. These actors use a combination of valid credentials and proxy-generated new credentials to maintain persistent access to networks. The U.S. government and its allies have assessed that the intent of Volt Typhoon is to enable movement to and disruption of Operational Technology (OT) systems in both the continental and non-continental United States, including Guam.10 Volt Typhoon exploits unmitigated and zero-day vulnerabilities in public-facing networked devices like firewalls and routers before seeking administrator credentials. To diminish the likelihood of detection, Volt Typhoon is known to observe user behaviors before gaining access, including typical working hours. Volt Typhoon actors have manipulated and disrupted industrial control systems at energy and water facilities, as well as obtained access to surveillance video footage, and have also been able to adjust heating and cooling ventilation controls within server facilities.11
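The tradecraft described above (valid credentials, living-off-the-land utilities, activity timed to blend into normal working hours) defeats signature-based detection, so the practical defensive check is behavioural: baseline each administrative account and flag sessions that break the pattern on more than one axis. The following is an added example written for this brief, not code from the report or from any vendor; the log format, the account and host names, and the watchlist of built-in utilities are all constructed assumptions.

```python
"""Behavioural baseline check for administrative sessions (added example).

Idea: an intruder holding valid admin credentials and using only built-in
tools leaves no malware to detect, but still tends to differ from the real
administrator on *combinations* of small signals: the hour of day, the host
the session originates from, and which built-in utility is being used.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline of routine admin activity. Each line is
# "<ISO timestamp> <account> <source host> <tool>"; both the schema and the
# events are assumptions for this example, not a real vendor log format.
BASELINE_LOG = """\
2025-03-03T08:55:00 ops.admin ops-ws01 Get-Service
2025-03-03T10:20:00 ops.admin ops-ws01 netsh
2025-03-04T09:05:00 ops.admin ops-ws01 Get-EventLog
2025-03-04T14:40:00 ops.admin ops-ws02 netsh
2025-03-05T11:15:00 ops.admin ops-ws01 Restart-Service
2025-03-03T07:30:00 dba.admin db-ws07 sqlcmd
2025-03-04T16:45:00 dba.admin db-ws07 sqlcmd
2025-03-05T08:10:00 dba.admin db-ws07 Get-Process
"""

# Constructed events to evaluate against that baseline.
NEW_LOG = """\
2025-03-06T10:05:00 ops.admin ops-ws01 netsh
2025-03-06T10:30:00 ops.admin fw-edge03 ntdsutil
2025-03-06T02:15:00 dba.admin db-ws07 sqlcmd
2025-03-06T03:40:00 dba.admin fw-edge03 wmic
"""

# Built-in Windows utilities frequently seen in living-off-the-land activity.
# The set is an assumption for this example; tune it to your own estate.
LOTL_WATCHLIST = {"netsh", "wmic", "ntdsutil", "vssadmin", "reg", "certutil"}


def parse(log):
    """Turn the constructed text log into (timestamp, account, host, tool) tuples."""
    events = []
    for line in log.splitlines():
        ts, account, host, tool = line.split()
        events.append((datetime.fromisoformat(ts), account, host, tool))
    return events


def build_baseline(events):
    """Per-account profile: hours of day seen active, source hosts, tools used."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set(), "tools": set()})
    for ts, account, host, tool in events:
        profile[account]["hours"].add(ts.hour)
        profile[account]["hosts"].add(host)
        profile[account]["tools"].add(tool)
    return profile


def score_event(event, profile):
    """Return the list of baseline deviations for one event (empty = routine)."""
    ts, account, host, tool = event
    p = profile.get(account)
    if p is None:
        return ["unknown-account"]  # never seen before: always worth review
    reasons = []
    if ts.hour not in p["hours"]:
        reasons.append("off-hours")
    if host not in p["hosts"]:
        reasons.append("new-source-host")
    if tool in LOTL_WATCHLIST and tool not in p["tools"]:
        reasons.append("new-lotl-tool")
    return reasons


def find_anomalies(baseline_log, new_log, threshold=2):
    """Flag events that deviate on at least `threshold` signals.

    A single off-hours signal alone is noisy (real admins do late maintenance),
    and an actor mimicking working hours produces no off-hours signal at all,
    so the default requires two independent deviations before alerting.
    """
    profile = build_baseline(parse(baseline_log))
    findings = []
    for event in parse(new_log):
        reasons = score_event(event, profile)
        if "unknown-account" in reasons or len(reasons) >= threshold:
            ts, account, host, tool = event
            findings.append((ts.isoformat(), account, host, tool, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(BASELINE_LOG, NEW_LOG):
        print(finding)
```

Note that the second event is flagged even though it falls squarely inside the account's normal hours: the new source host plus a never-before-used directory utility is enough, which is exactly the case working-hours mimicry is meant to hide.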

The presumed intent of the PRC-linked Volt Typhoon actors is to provide disruptive capabilities for Beijing in the case of future conflict with the United States. Volt Typhoon actors are not focused on gaining traditional espionage information or financial value. Rather, they are positioning to hold critical infrastructure at risk, offering the PRC options to potentially disrupt America’s ability to project power and deploy forces at a time of Beijing’s choosing. These capabilities could span military installations, key supply chains, U.S.-Asia communications channels, and more. In January 2024, the Federal Bureau of Investigation (FBI) announced it had removed Volt Typhoon malware from hundreds of devices, although understanding the full extent of Volt Typhoon penetration remains an ongoing effort. The United States and the United Kingdom have levied sanctions on China-based actors believed to be involved in the breaches.12

7 “Volt Typhoon Targets U.S. Critical Infrastructure with Living-Off-the-Land Techniques,” May 24, 2023, Microsoft Threat Intelligence, accessed January 9, 2025, <https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/>.

8 “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” February 7, 2024, Cybersecurity and Infrastructure Security Agency, accessed January 9, 2025, <https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a>.

9 Ribeiro, Anna, “U.S. Continues Investigation into Chinese Cyber Espionage Campaign, as Volt Typhoon Reemerges,” November 15, 2024, Industrial Cyber, accessed October 5, 2025, <https://industrialcyber.co/cisa/us-continues-investigation-into-chinese-cyber-espionage-campaign-as-volt-typhoon-resurfaces/>.

10 Ibid.

11 Ibid.

12 Forno, Richard, “What is Volt Typhoon? A Cybersecurity Expert Explains the Chinese Hackers Targeting U.S. Critical Infrastructure,” April 1, 2024, UMBC Magazine, accessed January 15, 2025, <https://umbc.edu/stories/what-is-volt-typhoon-a-cybersecurity-expert-explains-the-chinese-hackers-targeting-us-critical-infrastructure/>.

VOLT Typhoon

WHAT IS IT?

PRC entities broke into non-military systems across our nation’s critical infrastructure. At this point, they’re not disrupting activity but have pre-positioned themselves so that they could take hostage our water, electric or other critical systems at a moment’s notice. Many compromised facilities are near military bases which could enable the PRC to disrupt U.S. military forces deployment in the event of a conflict.

WHAT HAS THE U.S. GOVERNMENT DONE?

While there was action by the government including increased information sharing with the private sector, cybersecurity advisories showing some of the methods of entry and sanctions on Chinese individuals, many cyber experts say this should have spurred more action, arguing that the PRC crossed a red line by attacking civilian systems.

WHICH INDUSTRIES ARE IMPACTED?

Telecommunications, manufacturing, water, electric, transportation, construction, maritime, government, information technology, education

DISCLOSED / 2023


The PRC-linked group Flax Typhoon infected hundreds of thousands of IoT devices in the United States to conduct large-scale espionage across military, telecommunications, and government networks.


Flax Typhoon

Another Advanced Persistent Threat (APT) is the PRC-linked Flax Typhoon group, which infected thousands of devices across the globe, about half of which existed within the United States with many others in Taiwan, according to the FBI.13 While Flax Typhoon utilizes similar living-off-the-land techniques as Volt Typhoon, its primary targets were Internet of Things (IoT) devices within the military, telecommunications, higher education, government, and Information Technology sectors. Flax Typhoon is linked to Integrity Technology Group, a Chinese intelligence tech contractor.

A key differentiator between Flax and Volt Typhoons is that Flax Typhoon actors represent a more traditional espionage effort by the PRC, collecting data from millions of devices.14 The FBI used court-approved authorities to expel Flax Typhoon from more than 200,000 devices in a September 2024 law enforcement operation.15 The U.S. Treasury Department imposed sanctions against Integrity Technology Group in January 2025.16 Flax Typhoon’s focus on infiltrating IoT devices remains a source of major concern for the U.S. government, particularly as more critical infrastructure becomes modernized and an increasing number of devices are linked to the Internet.

Some assessments suggest that Flax Typhoon’s operations are evolving in both sophistication and scale, as the PRC becomes increasingly capable and aggressive in the cyber domain. Flax has been observed adopting modular command-and-control frameworks that allow quick adaptation to network disruptions or takedowns. This flexibility indicates a level of professionalization uncommon among state-linked threat actors just a few years ago. This evolution reflects increased resource allocation from PRC intelligence services, underscoring Beijing’s growing reliance on digital access points for global surveillance and data collection.

Furthermore, digital forensics teams have identified new strains of malware attributed to Flax Typhoon that are specifically engineered to persist within rarely monitored IoT environments, such as industrial sensors, security cameras, and smart energy systems. By embedding themselves in devices that often lack robust endpoint protection, the group can maintain long-term visibility into sensitive networks with minimal risk of detection. These developments highlight a pivot toward persistence over disruption, enabling the PRC to quietly harvest intelligence while maintaining potential access for future operations.

Policy experts warn that the implications extend far beyond network security. As sectors like energy, healthcare, and transportation continue digitizing their operations, the potential for supply-chain exploitation through compromised IoT hardware grows.

13 Sabin, Sam, “Chinese Hacking ‘Typhoons’ Threaten U.S. Infrastructure,” September 20, 2024, Axios, accessed January 15, 2025, <https://www.axios.com/2024/09/20/china-critical-infrastructure-cyberattacks>.

14 Ibid.

15 Press Release, “Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers,” September 18, 2024, Federal Bureau of Investigation, accessed January 15, 2025, <https://www.justice.gov/opa/pr/court-authorized-operation-disrupts-worldwide-botnet-used-peoples-republic-china-state>.

16 Press Release, “Treasury Sanctions Technology Company for Support to Malicious Cyber Group,” January 3, 2025, U.S. Department of the Treasury, accessed January 15, 2025, <https://home.treasury.gov/news/press-releases/jy2769>.

FLAX Typhoon

WHAT IS IT?

PRC actors specifically targeted Internet of Things (IoT) devices, the vulnerable endpoints of our increasingly digitized systems. They focused on gaining and maintaining long-term, persistent access in organizations that could help them collect intelligence and enhance their espionage efforts. Their initial focus was on Taiwan, although they have also targeted entities in North America, Africa, and Europe.

WHAT HAS THE U.S. GOVERNMENT DONE?

Conducted botnet disruptions, distributed cybersecurity advisories showing some of the methods of entry, increased information sharing with the private sector and international partners, and issued financial sanctions on Chinese individuals. Still, many cyber experts believe more needs to be done to deter these activities in the future.

WHICH INDUSTRIES ARE IMPACTED?

Government, manufacturing, information technology (IT), telecommunications, education and media

DISCLOSED / 2023


The PRC-linked group Salt Typhoon hacked major U.S. telecom companies, accessing call and text data from roughly one million Americans, including senior officials and political candidates.


Salt Typhoon

In October 2024, public reporting highlighted a new PRC-linked threat targeting U.S. and allied telecommunications firms to obtain and exploit customer communications data.17 This new threat actor, dubbed Salt Typhoon, compromised at least nine U.S. telecommunications companies, according to Anne Neuberger, then-White House deputy national security advisor for cyber and emerging technologies. These companies include Verizon, AT&T, and Charter Communications.18 Salt Typhoon has sent shock waves through the U.S. government, as the actors appear to have targeted around one million U.S. individuals, many located in the Washington, D.C. area. The breach was able to access call and text message data, including time stamps, dates, and IP addresses of unencrypted communications of customers, including several high-ranking officials. Salt Typhoon actors most likely targeted the communications of then-presidential and vice-presidential candidates Donald J. Trump and J.D. Vance, as well as Harris-Walz campaign staff and senior Biden administration officials.19

The Salt Typhoon actors were also able to gain access to and exploit systems used by U.S. law enforcement agencies for court-authorized wiretaps of targets of criminal and national security investigations, most likely providing the PRC with insight into Chinese espionage operatives known to U.S. intelligence agencies, and, logically, those who remain undetected by the U.S. Intelligence Community.20 Recent analysis has shown that Salt Typhoon mixes quasi-commercial corporate contractors to obfuscate detection and attribution to its central tasking from the PRC’s Ministry of State Security (MSS). However, it is likely Salt Typhoon is shared between the MSS and the People’s Liberation Army, providing Beijing with a long-term signals intelligence capability, as well as the potential for use during conflict.21

The seriousness of PRC-linked threat actors having access to U.S. and allied telecommunications data for individuals, intelligence targets, and senior officials cannot be overstated, and the fact that such a threat could impact what is arguably one of the best resourced of the various critical infrastructure sectors is deeply troubling. Simply put: if it can happen to the telecom sector, it can happen to any sector.

17 “Salt Typhoon Hacks of Telecommunications Companies and Federal Response Implications,” November 15, 2024, Congressional Research Service, accessed January 15, 2025, <https://crsreports.congress.gov/product/pdf/IF/IF12798>.

18 Beek, Kristina, “China’s Salt Typhoon Adds Charter, Windstream to Telecom Victim List,” January 6, 2025, Dark Reading, accessed January 15, 2025, <https://www.darkreading.com/cyberattacks-data-breaches/china-salt-typhoon-charter-windstream-telecom-victims>.

19 Lyngaas, Sean and Kristen Holmes, “Chinese Hackers Targeted Trump and Vance’s Phone Data,” October 25, 2024, CNN, accessed January 15, 2025, <https://www.cnn.com/2024/10/25/politics/chinese-hackers-targeted-trump-and-vances-phone-data/index.html>.

20 Page, Carly, “Meet the Chinese ‘Typhoon’ Hackers Preparing for War,” January 10, 2025, TechCrunch, accessed January 15, 2025, <https://techcrunch.com/2025/01/10/meet-the-chinese-typhoon-hackers-preparing-for-war/>.

21 “Inside Salt Typhoon: China’s State-Corporate Advanced Persistent Threat,” September 4, 2025, DomainTools Investigations, accessed October 13, 2025, <https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat/>.

SALT Typhoon

WHAT IS IT?

PRC actors broke into privately held U.S. telecommunications systems including the most common phone carriers in the U.S. and Europe. This allowed them to track phone and text-message data of Americans, including high-ranking officials.

WHAT HAS THE U.S. GOVERNMENT DONE?

Issued sanctions and public cybersecurity advisories to help telecommunications firms harden their defenses. Still, many cyber experts believe more needs to be done to deter these activities in the future.

WHICH INDUSTRIES ARE IMPACTED?

Telecommunications, education, government, internet service providers, hospitality and transportation

DISCLOSED / 2024


Linen Typhoon & Violet Typhoon

Microsoft linked Linen Typhoon and Violet Typhoon to zero-day attacks in SharePoint that targeted U.S. government, energy, and defense sectors, revealing China’s growing speed and sophistication in cyber espionage and political targeting.

Linen Typhoon & Violet Typhoon

In 2025, Microsoft attributed active exploitation of newly discovered zero-day vulnerabilities in Microsoft SharePoint to Linen Typhoon, Violet Typhoon, and related groups. These actors rapidly weaponized vulnerabilities to gain access to organizations across government, energy, and defense-related sectors. Zero-day attacks are those that exploit a previously unknown vulnerability in software, firmware, or hardware.22

Linen Typhoon has been tied to intellectual property theft and espionage. Violet Typhoon, in contrast, is associated with politically sensitive targeting, including U.S. policymakers, non-governmental organizations, and political dissidents.23 Both groups illustrate how China blends rapid exploitation of new vulnerabilities with broader strategic intelligence objectives. Moreover, the speed with which these groups adapted to exploit SharePoint zero-days demonstrates their continuing agility.

Linen and Violet Typhoon exemplify China’s accelerating cyber maturity by rapidly exploiting global software vulnerabilities to conduct espionage and political targeting that threaten U.S. technological leadership and democratic institutions. Their operations highlight Beijing’s integration of cyber capabilities into a broader strategy of coercive statecraft.

Recent incidents attributed to Linen and Violet Typhoon in 2025 underscore a troubling evolution in China’s cyber operations, namely, the ability to operationalize zero-day vulnerabilities at a pace previously seen only among the most advanced state actors. Within hours of public disclosure, these groups were already deploying tailored exploits, a sign of extensive prepositioning and a mature vulnerability research ecosystem within China’s state-linked cyber apparatus. This rapid mobilization reflects a broader trend in which PRC threat actors no longer rely solely on stolen exploits but increasingly develop and refine their own tools to maintain access and advantage.

Evidence gathered by incident response teams indicates that Linen Typhoon’s campaigns have increasingly focused on research institutions and advanced manufacturing firms, particularly those involved in semiconductor design, aerospace engineering, and renewable energy technology. This pattern suggests a sustained effort to acquire intellectual property that supports China’s long-term industrial and military modernization goals. Violet Typhoon, meanwhile, continues to demonstrate a preference for information operations and strategic influence. Its targeting of policymakers and advocacy organizations aligns with attempts to shape narratives around Taiwan, human rights, and international trade—issues central to Beijing’s geopolitical agenda.

22 “Zero-Day Attack,” Computer Security Resource Center Glossary, National Institute of Standards and Technology, accessed October 7, 2025, <https://csrc.nist.gov/glossary/term/zero_day_attack>.

23 Greig, Jonathan, “Chinese Nation-State Groups Exploiting SharePoint Vulnerability, Microsoft Confirms,” July 22, 2025, The Record, accessed August 28, 2025, <https://therecord.media/microsoft-sharepoint-vulnerabilities-china-groups-exploiting>.

LINEN & VIOLET Typhoon

WHAT IS IT?

The PRC is exploiting vulnerabilities in widely used software that are believed to have been previously unknown. Vendors have had no time to fix and patch these vulnerabilities – if they even know about them – so we call these “zero days.” Both Linen & Violet Typhoon use a zero-day vulnerability in Microsoft SharePoint, which is believed to be used by a large majority of government agencies and businesses across the West. Linen’s campaign has the specific goal of intellectual property theft and espionage. Violet targets U.S. government officials, non-governmental organizations, and some with dissenting views on actions by the PRC.

WHICH INDUSTRIES ARE IMPACTED?

Government, defense, human rights organizations, former officials, NGOs, think tanks, higher education, media, finance, healthcare

DISCLOSED / 2025

McCrary Institute for Cyber and Critical Infrastructure Security, Auburn University Task Force on the People’s Republic of China

Silk Typhoon (Hafnium)

Silk Typhoon exploits trusted IT management and enterprise software to infiltrate supply chains, allowing China-linked actors to compromise vendors and gain covert access to hundreds of downstream critical networks.


Silk Typhoon (Hafnium)

Silk Typhoon is known for exploiting enterprise software and remote management tools to steal credentials and pivot into downstream customer environments.24 This creates a supply-chain effect: by compromising one vendor, Silk Typhoon can silently reach many victims, including critical infrastructure operators. The group’s focus on IT management software highlights China’s intent to leverage trusted digital pathways for strategic access.

Silk Typhoon reveals China’s strategy of exploiting trusted IT management and enterprise software to infiltrate entire supply chains, extending access far beyond a single target. By compromising vendors that serve critical infrastructure operators, it enables the PRC to silently reach hundreds of downstream networks, posing a systemic risk to national security and economic stability.

Silk Typhoon’s operations have grown increasingly precise, focusing on high-value software suppliers whose tools are deeply embedded across government and commercial systems. The group’s campaigns often begin with careful reconnaissance of vendor update mechanisms, exploiting weak authentication or misconfigured remote access services to insert malicious code into legitimate updates. Once deployed, these compromised updates provide seamless, authorized entry into customer environments, allowing Silk Typhoon to move laterally through networks without raising alarms.
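The control that breaks the technique described above is to authenticate the update itself with a signing key that never lives on the update server, so an actor who controls that server can alter files but cannot produce a valid signature. The following Go program is an added example, not code from the report or from any vendor it discusses. It signs a constructed release manifest with an Ed25519 key on the vendor side, then shows the client, holding only the pinned public key, rejecting a backdoored file, an added file, and a manifest re-signed with the attacker’s own key. The artifact names, manifest format, and keys are assumptions for illustration.

```go
// Added example: verify a software update against a manifest signed with a
// key pinned in the client and absent from the (possibly compromised) update server.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// canonicalManifest renders "path sha256hex" lines in sorted order so the vendor
// signs exactly the bytes the client later verifies. (Assumed format.)
func canonicalManifest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s %s\n", p, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// SignRelease is the vendor side, run on an offline build/signing host.
func SignRelease(priv ed25519.PrivateKey, files map[string][]byte) (manifest, sig []byte) {
	manifest = canonicalManifest(files)
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyUpdate is the client side. pinnedPub ships with the agent; manifest,
// sig and files all arrive over the untrusted update channel.
func VerifyUpdate(pinnedPub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	// 1. Authenticate the manifest before trusting any hash inside it.
	if !ed25519.Verify(pinnedPub, manifest, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	// 2. Parse the signed manifest into expected hashes.
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		parts := strings.Fields(line)
		if len(parts) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[parts[0]] = parts[1]
	}
	// 3. Every delivered file must be listed and must hash to the listed value.
	for p, data := range files {
		want, ok := expected[p]
		if !ok {
			return fmt.Errorf("unexpected file %q not in signed manifest", p)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("hash mismatch for %q", p)
		}
	}
	// 4. Every listed file must be delivered; a dropped component is also tampering.
	for p := range expected {
		if _, ok := files[p]; !ok {
			return fmt.Errorf("manifest lists %q but update omits it", p)
		}
	}
	return nil
}

// DemoScenarios builds a constructed release plus three tampered variants of the
// kind a compromised update server could produce, returning each verification
// outcome (nil means the client accepted the update).
func DemoScenarios() (legit, modified, extra, forgedManifest error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair; pub is pinned in clients
	if err != nil {
		panic(err)
	}
	release := map[string][]byte{ // constructed sample artifacts
		"agent/agent.exe":   []byte("agent binary v2.3.1"),
		"agent/config.json": []byte(`{"telemetry": "on"}`),
	}
	manifest, sig := SignRelease(priv, release)
	legit = VerifyUpdate(pub, manifest, sig, release)

	// Attacker on the update server backdoors a file but cannot re-sign the manifest.
	tampered := map[string][]byte{
		"agent/agent.exe":   []byte("agent binary v2.3.1 + implant"),
		"agent/config.json": release["agent/config.json"],
	}
	modified = VerifyUpdate(pub, manifest, sig, tampered)

	// Attacker adds a loader alongside untouched files.
	withExtra := map[string][]byte{}
	for k, v := range release {
		withExtra[k] = v
	}
	withExtra["agent/helper.dll"] = []byte("loader")
	extra = VerifyUpdate(pub, manifest, sig, withExtra)

	// Attacker rewrites the manifest to match the backdoored file and signs it
	// with a key of their own; the client's pinned key does not match.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	m2, s2 := SignRelease(attackerPriv, tampered)
	forgedManifest = VerifyUpdate(pub, m2, s2, tampered)
	return
}

func main() {
	a, b, c, d := DemoScenarios()
	fmt.Println("legitimate release:      ", a)
	fmt.Println("backdoored file:         ", b)
	fmt.Println("extra file:              ", c)
	fmt.Println("attacker-signed manifest:", d)
}
```

The check fails closed at the first problem, and it verifies the manifest signature before reading any hash from it; reading hashes first and verifying later is the ordering mistake that lets a forged manifest steer which files get checked. In production the vendor key would live in an HSM or offline signer and the client would additionally pin a minimum version to block rollback to an older, still-validly-signed release.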

This approach mirrors earlier global supply-chain incidents but reflects a new level of discipline and strategic targeting. Unlike financially motivated cybercriminals, Silk Typhoon maintains persistence for extended periods, emphasizing intelligence collection and covert access rather than immediate disruption. By embedding itself within software used to manage infrastructure, cloud environments, and network performance, the group effectively transforms trusted digital tools into long-term espionage platforms.

This actor’s targeting patterns align closely with Beijing’s national priorities in technology acquisition and infrastructure resilience. Compromised vendors often support industries central to China’s industrial policies, including energy distribution, telecommunications, and advanced manufacturing. This alignment suggests a deliberate effort to position the PRC for both strategic advantage and potential leverage in times of political or economic tension.

The systemic nature of these intrusions underscores the growing interdependence between cybersecurity and supply-chain integrity. Traditional perimeter defenses are often ineffective when the threat originates within trusted software channels. U.S. agencies have since warned that such campaigns could allow foreign adversaries to establish persistent footholds across networks essential to critical infrastructure, with potential implications for both national security and global commerce. As Silk Typhoon continues to refine its methods, its operations serve as a warning of how quickly state-sponsored actors are adapting to exploit the connective tissue of modern digital ecosystems.

24 “Nation-State Actor Silk Typhoon,” January 25, 2024, Microsoft Security Insider, accessed August 28, 2025, https://www.microsoft.com/en-us/security/security-insider/threat-landscape/silk-typhoon.

SILK Typhoon

WHAT IS IT?

The PRC is targeting common IT solutions such as remote management and cloud services and exploiting unpatched application vulnerabilities in them. Once inside a vendor, the actors move downstream through the software supply chain to that vendor’s customers, silently reaching many victims, including critical infrastructure operators. This method of entry can be particularly pervasive because remote access is increasingly common in both IT and OT environments.

WHICH INDUSTRIES ARE IMPACTED?

Information technology (IT) services, remote monitoring and management (RMM) companies, managed service providers (MSPs), healthcare, legal, higher education, defense, government, NGOs, energy

DISCLOSED / 2025


Nylon Typhoon

Nylon Typhoon is a PRC-linked cyber-espionage group that exploits weak remote access systems and stolen credentials to quietly maintain long-term, covert access to sensitive government, diplomatic, and policy networks, enabling China to monitor decision-making and coordinate intelligence operations with stealth and persistence.


Nylon Typhoon

Nylon Typhoon is yet another PRC-linked group focusing on a specific infiltration method, this time exploiting unpatched remote access devices and stealing credentials. These techniques have historically been focused on targeting governments, think tanks, and diplomatic entities, but its tradecraft is also a warning for critical infrastructure. Its emphasis on durable, credential-based persistence reflects the PRC’s strategy of maintaining long-term access options against sensitive networks.25

Nylon Typhoon underscores China’s intent to maintain long-term, covert access to sensitive government and policy networks by exploiting weak remote access systems and stolen credentials. Its persistence-oriented tradecraft demonstrates that even low-visibility cyber actors can quietly position the PRC to compromise diplomatic, defense, and think-tank operations critical to U.S. decision-making and influence.

Recent investigations suggest that Nylon Typhoon has refined its operations to prioritize stealth and endurance over speed or disruption. Unlike more aggressive intrusion sets that rely on malware implants or destructive payloads, Nylon Typhoon often depends on stolen credentials and legitimate remote access tools to quietly blend into normal network traffic. This method allows the group to operate for months—sometimes years—before detection, harvesting sensitive policy communications, diplomatic correspondence, and strategic planning documents.

Nylon Typhoon frequently targets organizations involved in shaping foreign policy or defense cooperation, particularly those connected to U.S. alliances in Asia and Europe. Its activity patterns suggest an intent to monitor deliberations and decision-making processes rather than merely collect static data. By maintaining a persistent presence in policy and research networks, the PRC can anticipate diplomatic moves, track internal debates, and adjust its own foreign policy posture accordingly.

Technical evidence also points to a growing overlap between Nylon Typhoon and other PRC intrusion sets, indicating that data collected from one campaign may be shared across broader intelligence objectives. This level of coordination hints at a more centralized cyber command structure within China’s intelligence apparatus, where specialized teams conduct distinct phases of long-term espionage campaigns under unified strategic direction.

Perhaps most concerning is Nylon Typhoon’s demonstrated ability to exploit the trust placed in remote connectivity. As remote work and distributed systems become permanent features of government and research operations, the same pathways that enable collaboration also present enduring vulnerabilities. Analysts warn that this type of credential-based infiltration is particularly difficult to remediate: because the actor typically holds several harvested accounts, keys, or long-lived session tokens at once, it often survives software updates, the reset of any single password, and even partial network overhauls. Eviction therefore requires revoking every credential and active session the actor could have obtained, not just the one that was first discovered.
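Because Nylon Typhoon’s access rides on valid credentials and legitimate remote access tools, signature-based detection has little to work with; what remains is the behavior of the sessions themselves. The Go program below is an added example, not code from the report or from any product it mentions, that runs three such checks over constructed remote-access log lines: a connection from a source never seen for that account, a session issued before the account’s last password reset that is still in use after it, and a session older than a chosen age limit. The log format, IP addresses, user names, baseline, and the 30-day threshold are all assumptions.

```go
// Added example: behavioral checks for valid-credential remote access over
// constructed log lines. Format, names, addresses and thresholds are assumed.
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed remote-access log record.
type Event struct {
	At      time.Time // time of the logged activity
	User    string
	Src     string    // source IP of the connection
	Session string
	Issued  time.Time // when this session or token was first issued
}

// parseLine reads "RFC3339 key=value key=value ..." records (assumed format).
func parseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("short line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{At: at}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return Event{}, fmt.Errorf("bad field %q", f)
		}
		switch k {
		case "user":
			ev.User = v
		case "src":
			ev.Src = v
		case "session":
			ev.Session = v
		case "issued":
			if ev.Issued, err = time.Parse(time.RFC3339, v); err != nil {
				return Event{}, err
			}
		}
	}
	return ev, nil
}

// Finding pairs a fired rule with the event that triggered it.
type Finding struct {
	Rule string
	Ev   Event
}

// Detect applies three rules aimed at living-off-the-land access: activity from a
// source never seen for that account; a session issued before the account's last
// password reset but used after it (the reset did not evict the actor); and a
// session older than maxAge that is still active.
func Detect(lines []string, baseline map[string][]string, lastReset map[string]time.Time, maxAge time.Duration) ([]Finding, error) {
	known := map[string]map[string]bool{}
	for u, srcs := range baseline {
		known[u] = map[string]bool{}
		for _, s := range srcs {
			known[u][s] = true
		}
	}
	var out []Finding
	for _, l := range lines {
		ev, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		if !known[ev.User][ev.Src] {
			out = append(out, Finding{"new-source", ev})
		}
		if r, ok := lastReset[ev.User]; ok && !ev.Issued.IsZero() && ev.Issued.Before(r) && ev.At.After(r) {
			out = append(out, Finding{"session-predates-password-reset", ev})
		}
		if !ev.Issued.IsZero() && ev.At.Sub(ev.Issued) > maxAge {
			out = append(out, Finding{"long-lived-session", ev})
		}
	}
	return out, nil
}

// RunDemo runs Detect over constructed sample data: two normal sessions and one
// that reuses a token issued before a password reset, from a never-seen source.
func RunDemo() ([]Finding, error) {
	lines := []string{ // constructed log lines
		"2025-05-02T09:05:00Z user=analyst1 src=198.51.100.20 session=s-101 issued=2025-05-02T09:05:00Z",
		"2025-05-02T09:40:00Z user=analyst1 src=198.51.100.20 session=s-101 issued=2025-05-02T09:05:00Z",
		"2025-06-14T03:12:00Z user=analyst1 src=203.0.113.77 session=s-244 issued=2025-04-30T22:10:00Z",
		"2025-06-14T03:15:00Z user=envoy2 src=192.0.2.9 session=s-245 issued=2025-06-14T03:15:00Z",
	}
	baseline := map[string][]string{"analyst1": {"198.51.100.20"}, "envoy2": {"192.0.2.9"}}
	lastReset := map[string]time.Time{"analyst1": time.Date(2025, 5, 10, 12, 0, 0, 0, time.UTC)}
	return Detect(lines, baseline, lastReset, 30*24*time.Hour)
}

func main() {
	findings, err := RunDemo()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-32s user=%s src=%s session=%s at=%s\n",
			f.Rule, f.Ev.User, f.Ev.Src, f.Ev.Session, f.Ev.At.Format(time.RFC3339))
	}
}
```

All three rules fire on the same session in the sample, which is the signal worth paging on: one rule alone is noisy (travel, a new VPN concentrator), but a token that predates a reset, comes from an unknown source, and has been alive for weeks is the profile the paragraph above describes. The reset rule needs the identity provider’s password-change timestamps joined to session data; without that join, a reset looks like remediation when it is not.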

25 “Nylon Typhoon Actor,” January 25, 2024, Microsoft Security Insider, accessed August 28, 2025, https://www.microsoft.com/en-us/security/security-insider/threat-landscape/nylon-typhoon.


NYLON Typhoon

WHAT IS IT?

PRC cyber actors exploit unpatched vulnerabilities in remote access devices to get into a network and then harvest credentials for related systems. Once inside, they rely on those stolen credentials and legitimate remote access tools rather than custom malware, maintaining quiet, long-term access for espionage.

WHICH INDUSTRIES ARE IMPACTED?

Government, NGOs, diplomatic organizations

DISCLOSED / 2024


Sector Specific Risks

Cyber intrusions across U.S. energy, water, telecom, transportation, and healthcare systems show that PRC-linked “typhoon” actors are probing critical infrastructure to position for potential large-scale disruption during future conflict.

“Critical infrastructure operators face distinct challenges depending on their sector, and the typhoon campaigns demonstrate that no domain is immune.”

Sector Specific Risks

In the energy sector, cyber intrusions into industrial control systems (ICS) or supervisory control and data acquisition (SCADA) networks represent perhaps the most immediate national security risk. Even localized disruptions could cause cascading power outages across multiple states, crippling military installations, logistics hubs, hospitals, and businesses. China’s Volt Typhoon activity shows a sophisticated interest in this area, raising the possibility that the PRC could selectively disable portions of the grid to delay U.S. deployments in the Indo-Pacific or cause other general disruption at home as a distraction for any military action. Historical precedent underscores this danger. Russia’s 2015 and 2016 cyberattacks on Ukraine’s power grid left hundreds of thousands without electricity, providing a glimpse of the consequences of energy infrastructure manipulation in a geopolitical conflict.26

In the water sector, many municipal water utilities operate on outdated systems with limited cybersecurity budgets and personnel, making them prime targets for low-cost exploitation. Intrusion into these systems could disrupt water treatment processes, damage pumps and valves, or contaminate supply, posing direct risks to public safety. A water sector outage has the potential for larger cascading effects, as many other sectors, including the energy sector and the healthcare and public health sector, depend on water to function. Depending on the scope and scale, a water outage could lead to widespread communications failures, emergency services interruptions, and military recall disruptions during a crisis. Volt Typhoon has already demonstrated the ability to interfere with control systems at water facilities, highlighting the PRC’s recognition that civilian lifeline services are potential pressure points in times of crisis.27

The telecommunications sector is also exposed, as demonstrated by the Salt Typhoon campaign. By penetrating major providers such as Verizon, AT&T, and Charter Communications, PRC-linked actors gained visibility into call records, text message metadata, and geolocation information for an estimated one million U.S. individuals, including senior government officials.28 Such access gives Beijing not only a counterintelligence advantage but also coercive leverage, as sensitive communications could be disrupted, surveilled, or manipulated during a crisis. The compromise of lawful intercept systems used by U.S. law enforcement agencies is particularly alarming, as it may have revealed the scope of U.S. counterintelligence operations targeting Chinese operatives.

In the transportation domain, the risks extend across air, sea, and land. Cyberattacks on air traffic management systems could ground flights, delay troop movements, or disrupt the resupply of forward-deployed forces, not to mention crippling the larger U.S. economy. Similarly, interference with maritime port operations could create bottlenecks in the flow of materiel across the Pacific, a scenario that would be especially damaging in the early stages of a Taiwan contingency. The Colonial Pipeline ransomware incident of 2021, although not linked to China, provides a sobering illustration of how even short-term disruptions in transportation and logistics networks can ripple across the economy and military readiness.29

Finally, the healthcare sector is increasingly recognized as critical infrastructure vulnerable to foreign cyber operations. Hospitals and research institutions hold sensitive data and rely on networked medical devices that could be disrupted or manipulated. A campaign targeting healthcare facilities during a national security crisis would not only impede care for civilians and service members but also undermine public morale, amplifying the coercive effect of PRC cyber operations. Taken together, the sector-specific analysis makes clear that the typhoon actors are not pursuing isolated technical exploits but rather probing for systemic vulnerabilities across multiple lifeline sectors. The goal is not only to collect intelligence but also to preposition capabilities that could impose strategic costs on the United States at a time of Beijing’s choosing.

26 “Cyber-Attack Against Ukrainian Critical Infrastructure,” July 20, 2021, ICS Alert IR-ALERT-H-16-056-01, Cybersecurity and Infrastructure Security Agency, accessed September 2, 2025, https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01.

27 Vasquez, Christian, “White House, EPA Warn Water Sector of Cybersecurity Threats,” March 19, 2024, CyberScoop, accessed September 2, 2025, https://cyberscoop.com/epa-water-threats-governors/.

28 Collier, Kevin, “Telecoms Haven’t Notified Most Victims of Chinese Phone Data Hacking Campaign, Sources Say,” December 12, 2024, NBC News, accessed September 2, 2025, https://www.nbcnews.com/tech/security/phone-hack-data-chinese-salt-typhoon-metadata-fbi-security-encrypt-rcna183233.

29 Khan, Shariq, “Colonial Pipeline’s Main U.S. Gasoline Artery Likely Shut Until Friday,” January 15, 2025, Reuters, accessed September 2, 2025, https://www.reuters.com/business/energy/colonial-pipelines-main-us-gasoline-artery-likely-shut-until-friday-2025-01-15/.

Policy & Legal Implications

The U.S. and its allies have countered PRC “typhoon” cyber campaigns through sanctions, indictments, and public attributions, but weak enforcement, slow attribution, and fragmented legal frameworks have limited deterrence against China’s state-backed operations.

Policy & Legal Implications

“China continues to operate with relative impunity ...confident that the long investigative timelines and limited enforcement mechanisms of Western democracies cannot keep pace...”

The U.S. and its allies have responded to the typhoons with a combination of legal, diplomatic, and operational tools. These include public attributions, coordinated sanctions, indictments of individual Chinese hackers, and joint advisories highlighting indicators of compromise.30 While such actions may raise costs to the PRC and signal unity, they have not fundamentally altered Beijing’s calculus. China continues to operate with relative impunity, confident that the long investigative timelines and limited enforcement mechanisms of Western democracies cannot keep pace with the speed and adaptability of its cyber operators. Its use of third-party firms and contractors to hide its hand also sows uncertainty in attribution, making it harder for governments to unify quickly around the evidentiary benchmark for action. Attribution at speed remains a persistent challenge, especially across services and governments.

Domestically, the legal framework for responding to state-sponsored cyber threats remains fragmented. Existing authorities under the Computer Fraud and Abuse Act (CFAA) and related statutes are designed to prosecute individuals, not to deter nation-states leveraging cyber contractors as proxies. The Justice Department has pursued indictments against Chinese actors, but these measures are largely symbolic given that the perpetrators remain outside U.S. jurisdiction.31 Similarly, the use of Treasury Department sanctions against PRC-linked firms, while impactful in limiting their access to Western markets, does little to constrain their operations within China’s state-sponsored ecosystem. This mismatch between available legal tools and the strategic nature of the threat suggests a need for new legislation tailored specifically to persistent, state-backed cyber campaigns.

At the international level, the typhoon campaigns highlight the limitations of existing norms and agreements. The Tallinn Manual, while influential in academic and policy circles, is non-binding and lacks universal adoption. China has consistently resisted efforts at the United Nations to establish binding rules that would limit cyber operations against critical infrastructure, instead advocating for state sovereignty in cyberspace, a position that legitimizes its own practices while constraining external scrutiny.32 As a result, international law remains an uneven deterrent, leaving the U.S. and its allies to rely on ad hoc coalitions and public attributions to push back against PRC activity.

30 “Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise,” January 17, 2025, U.S. Department of the Treasury, accessed September 2, 2025, https://home.treasury.gov/news/press-releases/jy2792.

31 “Justice Department Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaign,” March 5, 2025, Press Release, U.S. Department of Justice, accessed September 2, 2025, https://www.justice.gov/opa/pr/justice-department-charges-12-chinese-contract-hackers-and-law-enforcement-officers-global.

There is also a challenge related to attribution. While the U.S. and its allies increasingly publish joint reports naming PRC-linked actors, attribution in cyberspace is inherently complex and politically sensitive. Beijing routinely denies involvement, framing U.S. statements as politically motivated, which reduces the impact of “naming and shaming” campaigns. Without a stronger enforcement mechanism, attributions struggle to deter future activity, even when they are accurate.

Policy responses must therefore go beyond indictments and advisories. One avenue is to strengthen deterrence by denial, investing in the resilience of critical infrastructure sectors to ensure that Chinese intrusions cannot achieve their intended disruptive effects. Another is to adopt a more proactive defend forward posture, as outlined in U.S. Cyber Command’s 2018 strategy, which envisions disrupting adversary campaigns at their source before they reach U.S. networks.33 However, this approach raises legal and diplomatic questions. Under what circumstances does a preemptive cyber action constitute a use of force under international law, and how should proportionality be applied in cyberspace? These unresolved debates complicate the development of a consistent and credible deterrence strategy.

Finally, the typhoon campaigns underscore the importance of allied coordination. Sanctions and indictments are most effective when imposed jointly, as demonstrated by the coordinated U.S.-U.K. sanctions imposed in 2024 on PRC state-linked hackers. Yet many allies have varying thresholds for attribution and differing legal standards for cyber response, creating gaps that Beijing can exploit. A long-term policy imperative for Washington will be to harmonize legal frameworks across NATO, the Indo-Pacific, and other partner networks to ensure collective resilience and to signal to Beijing that cyber aggression against one will provoke a coordinated response by many.

In sum, the actions of the typhoon actors reveal that the legal and policy toolkit of the United States and its allies remains underdeveloped relative to the scale of the challenge. Strengthening these frameworks will be essential if deterrence is to shift from symbolic costs to meaningful constraints on Beijing’s cyber strategy.

32 Segal, Adam, “China’s Alternative Cyber Governance Regime,” March 13, 2020, statement before the U.S.-China Economic and Security Review Commission, accessed September 3, 2025, https://www.uscc.gov/sites/default/files/testimonies/March%2013%20Hearing_Panel%203_Adam%20Segal%20CFR.pdf.

33 “Achieve and Maintain Cyberspace Superiority: Command Vision for U.S. Cyber Command,” April 2018, U.S. Department of Defense, accessed September 2, 2025, https://www.cybercom.mil/Portals/56/Documents/USCYBERCOM%20Vision%20April%202018.pdf.

Conclusion

China’s “typhoon” cyber actors mark a new era of persistent, state-backed operations targeting U.S. critical infrastructure, demanding a unified national and allied response to counter their long-term coercive threat.

“Lastly, the threat posed by the typhoon actors is not merely a cybersecurity challenge, but should be looked at as a broader threat to the United States and its allies posed by China.”

Conclusion

The ongoing and persistent nature of the typhoon actors represents a major advancement in the PRC’s offensive cyber capabilities, with consequences reaching far beyond traditionally observed cyber espionage. In an emerging era of hybrid and gray zone warfare, malicious cyber campaigns like these will play an increasingly prominent and regular role, requiring improved vigilance and mitigation efforts from the U.S. government and its partners, including critical infrastructure owners and operators. It is a national security imperative that federal, state, local, tribal, territorial, and private sector partners cooperate in new and robust ways to minimize potential future operational disruptions and sensitive data compromises, which, if combined, could cause a superstorm. Lastly, the threat posed by the typhoon actors is not merely a cybersecurity challenge, but should be looked at as a broader threat to the United States and its allies posed by China. As the PRC develops new ways to undermine U.S. national security, it is critical to adopt a whole-of-government approach to countering such threats.

The typhoon actors reflect a new phase of Chinese cyber operations: one that prioritizes long-term persistence, access to critical sectors, and coercive leverage over the United States. Volt Typhoon’s embedded presence in critical infrastructure, Salt Typhoon’s vast surveillance of telecom networks, and the opportunistic exploits of Linen, Violet, and Silk Typhoon are strands of a coherent strategy. The United States has begun to push back through advisories, indictments, and takedowns. Yet the fundamental contest is one of endurance. As long as Beijing views U.S. critical infrastructure as both a target and a lever of influence, the typhoon actors will remain a defining feature of the cyber domain in an era of great power competition. And they are not letting up. Whether known to the U.S. government or not, by the time this paper is published, there will almost certainly be another typhoon threat actively targeting the United States.

About The McCrary Institute

The McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University is dedicated to defending the systems that power our national and economic security, our communities, and our way of life.

Positioned at the intersection of policy, applied research and public-private partnerships, the Institute serves as a trusted convener of national leaders — shaping strategy, aligning priorities and driving real-world cybersecurity solutions to protect the nation’s critical infrastructure.

Our Mission

To defend the systems that power our national and economic security, our communities, and our way of life.

Our Leadership

Frank J. Cilluffo

Director

Nicholas Sellers

Associate Director & Chief Operating Officer

Victoria Dillon

Deputy Director & Chief Communications Officer

Kyle Klein

Deputy Director for Policy & Partnerships

Craig Whittinghill

Deputy Director for Applied Research & Services
