The People’s Republic of China runs the most sustained documented cyber espionage program targeting the United States. The Congressional Research Service’s updated cyberattack compendium covers Chinese state-linked operations beginning as far back as 2006 and running through 2024, with the Ministry of State Security and the People’s Liberation Army serving as the primary perpetrating entities across campaigns that targeted intellectual property, critical infrastructure, telecommunications networks, and the personal data of tens of millions of Americans.
The Intellectual Property Campaign
The dominant throughline across China’s documented operations is the systematic theft of intellectual property. APT-10, attributed to the Ministry of State Security and active from at least 2006 through 2018, targeted transportation, technology, shipping, consulting, healthcare, and energy companies by compromising cloud and managed service providers and then riding the providers’ trusted access into their customers’ networks. This supply-chain approach gave the group reach into many downstream victims through a single compromised intermediary, and it meant that a victim’s own perimeter controls were bypassed by a connection that looked legitimate. APT-40, active from 2011 through 2018, focused specifically on submersibles, autonomous vehicles, chemicals, aircraft, genetics, and infectious disease research. APT-41, running from 2014 through 2020, cast a wider net across IT companies, telecommunications firms, academic institutions, and NGOs, combining intellectual property theft with ransomware deployment and cryptocurrency mining on machines it had illegally accessed, a blend of state tasking and for-profit crime that complicates attribution based on motive alone.
MSS-linked actors also ran a parallel campaign from 2009 through 2020 targeting technology manufacturing, healthcare, energy, defense, and educational institutions, with the campaign ultimately expanding to include theft of COVID-19 research. DOJ charged two hackers associated with that operation in July 2020. The operational span — over a decade of continuous activity in a single campaign — reflects the patient, long-duration approach that distinguishes state intelligence programs from criminal operations.
Military and Defense Targeting
PLA-attributed operations ran alongside the MSS campaigns with a harder military and industrial focus. A campaign running from 2006 through 2014 targeted U.S. manufacturers to steal sensitive information benefiting Chinese state-owned enterprises. The 2017 Equifax hack, attributed to PLA actors in a February 2020 DOJ indictment, resulted in the theft of personally identifiable information on nearly 150 million Americans, one of the largest PII breaches in history. A dataset of that size has obvious counterintelligence uses: it supports identification and targeting of government and cleared personnel, and it feeds identity-based fraud and social engineering against them. Aerospace remained a persistent target for both services: MSS-linked actors ran a campaign from 2010 through 2015 specifically against turbofan engine technology, and a separate Chinese national admitted to stealing jet engine technology from United Technologies across 2008 through 2014.
The Typhoon Campaigns
The most recent and strategically significant Chinese operations documented in the CRS report are the Typhoon-branded campaigns of 2023 and 2024. Volt Typhoon, attributed by CISA to PRC state-sponsored actors and documented as active from 2023 through 2024, was not primarily a data theft operation. It established persistent access to U.S. critical infrastructure networks, relying heavily on living-off-the-land techniques (built-in administrative tools and valid credentials rather than malware) so that its activity blended into normal operations, and it positioned itself for disruption if ordered to act in a future conflict. The CISA advisory describing Volt Typhoon framed it explicitly as pre-positioning for potential wartime use. Salt Typhoon, active in 2024, compromised commercial telecommunications companies to access customer communications, including data subject to court-authorized law enforcement requests. Flax Typhoon, also 2024, compromised internet-connected devices such as cameras, routers, and storage systems to build a botnet from which further attacks could be launched. BlackTech, documented in 2023, modified router firmware at the international subsidiaries of targeted companies and used those footholds to pivot into corporate networks in the United States and Japan.
The pattern across two decades is consistent: China uses its intelligence apparatus and military cyber units to extract technological advantage from U.S. private and government entities, and it has more recently expanded from collection toward access operations against infrastructure. The transition from espionage to pre-positioned disruption capability is the development that matters most to any organization that runs systems which could be considered critical infrastructure in a conflict context, because the indicators are no longer exfiltrated data but quiet, long-lived access that looks like routine administration.