Three Chinese state-sponsored campaigns disclosed in 2023 and 2024 represent a qualitative shift in the publicly documented threat from Beijing. Previous Chinese cyber operations (APT10, APT40, APT41 and their predecessors) were primarily collection operations: enter a network, extract intellectual property or credentials, exit before detection. The Typhoon campaigns documented by CISA and the FBI from 2023 through 2024 pursue different objectives. They are about access, persistence, and positioning: laying the groundwork for operations that have not yet been executed.
Volt Typhoon: Pre-Positioned for Conflict
Volt Typhoon is the most strategically significant of the three. First publicly disclosed in May 2023 and the subject of a CISA advisory issued in February 2024, the campaign involved PRC state-sponsored actors compromising U.S. critical infrastructure (communications, energy, transportation, water) and maintaining persistent access, in some victim environments for at least five years by CISA's assessment, without conducting data theft or destructive operations. The advisory was explicit about the intent: the actors were pre-positioning themselves to disrupt critical infrastructure in the event of geopolitical tension or military conflict with the United States. The contingency every reader of the advisory had in mind is a military confrontation over Taiwan.
Volt Typhoon used living-off-the-land techniques, relying on built-in operating system tools and legitimate network administration software rather than custom malware, and routed its traffic through compromised small-office and home-office routers so that activity appeared to originate from the victim's own region. With no malicious binary to match, signature-based security tools have little to work with; the activity has to be found behaviorally, in unusual use of administrative tooling by accounts and hosts that do not normally use it. The group prioritized stealth and persistence over collection, which is a behavioral signature more consistent with pre-positioned wartime capability than with conventional espionage. The February 2024 advisory amounted to the U.S. government publicly naming a Chinese operation while it was likely still active in some environments, an unusual move that reflected how seriously the intelligence community assessed the threat.
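To make the detection problem concrete, the following is an added example written for this page, not code from the CISA advisory or from the page's author. It runs a small behavior-based rule set over constructed process-creation records (Sysmon Event ID 1 style, reduced to host, user, parent, image and command line). The tools flagged, the regular expressions, the sample log lines and the admin baseline are all assumptions made for illustration; none of them is taken from the page or from the advisory's indicator list.

```python
"""Behaviour-based detection of living-off-the-land (LOTL) tool use in process-creation logs.

Added example for this page, not code from the CISA advisory or the page's author.
Assumptions: log records are Sysmon Event ID 1 (or Security 4688) events reduced to
host|user|parent|image|cmdline; the flagged tools and the admin baseline are chosen
for illustration and must be tuned to a real environment.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str      # parent process basename, lower-cased
    image: str       # process basename, lower-cased
    cmdline: str


# Built-in tools with legitimate admin uses whose specific invocations below are
# rare outside maintenance. There is no malware binary to match, so detection
# keys on the command line, not on the image alone. (Assumed selection.)
RULES = {
    "ntds_dump":        ("ntdsutil.exe", re.compile(r"\bifm\b|create\s+full", re.I)),
    "portproxy_pivot":  ("netsh.exe",    re.compile(r"interface\s+portproxy\s+add", re.I)),
    "wmic_remote_exec": ("wmic.exe",     re.compile(r"/node:\S+.*process\s+call\s+create", re.I)),
    "shadow_copy":      ("vssadmin.exe", re.compile(r"create\s+shadow", re.I)),
}
SENSITIVE_IMAGES = {image for image, _ in RULES.values()}

# Constructed sample records (pipe-delimited). Records 2, 3 and 6 model an actor
# using built-in tools from a domain controller; records 4 and 5 are routine admin use.
LOG = r"""
WS-FIN-07|CORP\jdoe|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe budget.txt
DC01|CORP\svc_backup|cmd.exe|C:\Windows\System32\ntdsutil.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\dump" q q
DC01|CORP\svc_backup|cmd.exe|C:\Windows\System32\netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389
WS-OPS-03|CORP\admin1|cmd.exe|C:\Windows\System32\netsh.exe|netsh advfirewall show allprofiles
WS-OPS-03|CORP\admin1|cmd.exe|C:\Windows\System32\wmic.exe|wmic os get caption
DC01|CORP\svc_backup|cmd.exe|C:\Windows\System32\wmic.exe|wmic /node:10.0.0.9 process call create "cmd.exe /c whoami"
"""

# Known-good (user, tool) pairs learned during an observation period. Sensitive tool
# use outside this set is worth a look even when no command-line rule fires. (Constructed.)
BASELINE = {("corp\\admin1", "netsh.exe"), ("corp\\admin1", "wmic.exe")}


def basename(path):
    """Last component of a Windows path, lower-cased, so rules match regardless of install dir."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line):
    """Parse one host|user|parent|image|cmdline record; the command line may itself contain '|'."""
    host, user, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(host, user, basename(parent), basename(image), cmdline)


def match_rules(ev):
    """Return the names of command-line rules that fire for one event."""
    return [name for name, (image, pat) in RULES.items()
            if ev.image == image and pat.search(ev.cmdline)]


def detect(log, baseline):
    """Return (alert, host, user) tuples for rule hits and for unbaselined use of sensitive tools."""
    alerts = []
    for line in log.strip().splitlines():
        ev = parse_line(line)
        for rule in match_rules(ev):
            alerts.append((rule, ev.host, ev.user))
        if ev.image in SENSITIVE_IMAGES and (ev.user.lower(), ev.image) not in baseline:
            alerts.append(("unbaselined_tool:" + ev.image, ev.host, ev.user))
    return alerts


if __name__ == "__main__":
    for alert, host, user in detect(LOG, BASELINE):
        print(f"{host:10} {user:18} {alert}")
```

Run as written, the two routine records from admin1 produce nothing, while each of the three svc_backup records produces both a command-line hit and a "never seen this account use this tool" alert. The second signal is the one that scales: the rule list will always lag the actor's tool choice, but an account or host using a sensitive built-in for the first time is observable regardless of which tool it is, provided the baseline was built from the environment's own telemetry rather than copied from an example like this one.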
Salt Typhoon: Telecommunications Compromise
Salt Typhoon, disclosed by a joint FBI and CISA statement in November 2024, compromised commercial telecommunications companies to access customer communications. Targeting telecom infrastructure gives state-sponsored actors access not just to communications content but to metadata (who is calling whom, when, and from where), which has intelligence value independent of the communications themselves. The scope of the compromise at the time of disclosure was not fully characterized in public statements, but the joint statement confirmed that the actors had stolen customer call records, compromised the private communications of a limited number of individuals primarily involved in government or political activity, and copied certain information that was subject to U.S. law enforcement requests under court orders, meaning the carriers' lawful-intercept systems themselves were exposed. For any organization that relies on commercial telecommunications to transmit sensitive information, the Salt Typhoon disclosure confirmed that the underlying carrier infrastructure cannot be treated as a trusted boundary: confidentiality of content has to come from end-to-end encryption under the organization's own control, and call and message metadata visible to the carrier has to be assumed exposed. CISA's follow-on guidance for highly targeted individuals in December 2024 accordingly recommended end-to-end encrypted communications.
Flax Typhoon: Botnet Infrastructure
Flax Typhoon, first reported by Microsoft in August 2023 and the subject of an FBI-led disruption announced in September 2024, operated differently from the other Typhoon campaigns. Rather than gaining access by directly penetrating each high-value target, Flax Typhoon actors seized control of internet-connected consumer and small business devices (cameras, routers, network-attached storage systems) and aggregated them into a botnet that could then be used to conduct or obscure other attacks. FBI Director Christopher Wray announced the disruption of the botnet and disclosed the group's identity at the Aspen Cyber Summit in September 2024; the accompanying joint advisory from the FBI, NSA and Cyber National Mission Force attributed the botnet's management to a Beijing-based company, Integrity Technology Group, and put its size at roughly 260,000 devices as of mid-2024. The botnet model inserts an intermediary layer between the operator and the target, complicating attribution and providing scalable attack infrastructure at low cost.
Taken together, the three Typhoon campaigns describe a Chinese cyber posture in 2024 that was simultaneously building disruptive capability against infrastructure, penetrating communications networks, and assembling proxy infrastructure for offensive use. These are not the activities of a program focused on commercial intellectual property extraction. They are the activities of a program preparing operational options for a conflict environment that Chinese strategic planning increasingly treats as a realistic near-term scenario. The window between access and execution is the only window available for defensive action, and the Typhoon disclosures suggest that window has been narrowing for at least two years.