Investigation: Hackers Become Tools for CCP to Sabotage US Military Weapons

In a recent wave of cyberattacks, Chinese Communist hackers have shifted their focus from targeting U.S. commercial secrets and private consumer data to infiltrating critical infrastructure within the United States. These attacks have raised concerns about the potential geopolitical conflicts between China and the U.S., as well as the growing threat posed by cyber warfare tools utilized by the Chinese Communist regime to disrupt and paralyze infrastructure, sow chaos, and impede U.S. containment efforts against China.

A secret meeting held at the White House in the fall of 2023 revealed that Chinese hackers had gained the ability to potentially shut down dozens of American ports, power grids, and other infrastructure targets. This heightened risk posed a significant threat to lives, prompting the U.S. government to seek assistance from telecommunications and technology companies to eradicate the intruders.

Following the emergence of large-scale “Typhoon” cyberattacks targeting American infrastructure and telecommunications networks, it became apparent that Chinese hackers had evolved from mere cyber thieves to sophisticated tools utilized in cyber warfare, showcasing their remarkable technical capabilities and stealthiness.

Former senior cybersecurity official at the Department of Homeland Security, Brandon Wales, emphasized that the U.S. computer networks would become paramount battlegrounds in any future conflicts with China. He warned that the pre-deployment and intelligence-gathering efforts of Chinese hackers aimed to thwart U.S. projection of force and sow domestic chaos to ensure victory for China.

With the escalating threat posed by China towards Taiwan and their potential goal of militarily taking over Taiwan by 2027, the U.S. could be forced into the Taiwan Strait conflict as a key supporter of Taiwan. Additionally, amidst the ongoing Russia-Ukraine conflict, China has formed closer ties with Russia, leading senior U.S. officials and lawmakers to highlight Communist China as the most significant threat to U.S. security.

Reports from The Wall Street Journal in January 2024 revealed that Chinese hackers had been targeting U.S. infrastructure since at least 2019 and continue to do so. These hackers, with ties to the Chinese military, have infiltrated unconventional targets, including a water utility in Hawaii, a port in Houston, and an oil and gas company.

The FBI and private sector investigators found that Chinese hackers would sometimes lurk for years, periodically checking that their access still worked. For instance, at one regional airport, hackers had long-established access to the airport’s systems and returned every six months to ensure continued entry. In another case involving a water treatment system network, hackers spent at least nine months inside before moving to a neighboring server to study how the water treatment facility operated. At a utility company in Los Angeles, hackers searched for data on how the company responds to emergencies or crises.

U.S. security officials believed that the infrastructure intrusion operations carried out by a Chinese hacker group known as “Volt Typhoon” were partly aimed at disrupting the U.S. Pacific military supply line and hindering U.S. military capabilities in potential conflicts with Communist China, including scenarios where China might forcefully invade Taiwan.

Around mid-2023 or earlier, Chinese hackers began targeting U.S. telecommunications networks. The Wall Street Journal’s reports in September 2023 first highlighted an incident involving a hacker group called “Salt Typhoon” infiltrating U.S. wireless networks and communication systems used for court-authorized surveillance.

The “Salt Typhoon” hackers were linked to Chinese intelligence agencies, enabling them to access data from over a million U.S. telecom users and intercept audio calls of senior U.S. government officials, including calls involving former President Trump. They also targeted communications of individuals involved in Vice President Kamala Harris’ presidential campaign.

Furthermore, the hackers obtained from companies like Verizon and AT&T lists of individuals who had been monitored by the U.S. government in recent months under court orders, lists that included suspected Chinese operatives.

These hacking activities exploited known vulnerabilities in the software of U.S. telecom systems, despite prior warnings. Researchers continue to investigate the full extent of the cyberattacks on the telecom systems.

In recent weeks, congressional members and officials briefed on classified materials told The Wall Street Journal that they were shocked by the depth of the hacking intrusion and the difficulty in mitigating the attacks. Some telecom company leaders expressed being caught off guard by the scope and severity of the hacking attacks.

Anne Neuberger, Deputy National Security Advisor for Cybersecurity under the Biden administration, said that Chinese hackers are very cautious about exposing their technical capabilities. In certain instances, the hackers deleted their network access logs, while in other cases the victim companies had not preserved sufficient logs, making it difficult to ascertain the extent of the breaches.

Verizon stated that a few high-profile government and political customers were specific targets of the hackers, and these customers were notified. Vandana Venkatesh, Verizon’s Chief Legal Officer, confirmed that Verizon had successfully countered the activities related to this specific incident.

A spokeswoman for AT&T mentioned that no activities by government actors were found in their network. She also pointed out that the Chinese government targeted “a few individuals of foreign intelligence interest,” and AT&T had collaborated with law enforcement agencies to notify affected customers.

Some national security officials familiar with the investigation expressed concern that the telecom hacking attacks were so severe, and the networks so deeply compromised, that completely eradicating the Chinese hackers from U.S. infrastructure might not be possible.

Due to concerns of possible Chinese surveillance, some senior lawmakers and U.S. officials have switched from traditional phone calls and text messages to using encrypted applications like Signal. Meanwhile, FBI agents have long utilized their encrypted systems for confidential communication.

In late December 2024, in response to the “Salt Typhoon” hacker activities, federal cybersecurity officials issued new guidelines recommending the use of end-to-end encryption for communications and advising against text-message-based login codes for authentication in favor of authenticator-app-based authentication.

For over a decade, U.S. officials have issued warnings about rapidly evolving threats in cyberspace, ranging from ransomware hackers targeting computers for hefty payments to theft of valuable corporate secrets directed and supported by state governments. Concerns have also been raised regarding the use of Chinese equipment, including devices from Huawei and ZTE, which are feared to provide backdoors for potential spying activities by the Chinese government. In December 2024, reports indicated that U.S. authorities were investigating whether popular home network routers produced by Chinese company TP-Link pose a national security risk and are linked to network attacks.

However, according to U.S. officials and other sources familiar with the investigations, Beijing does not necessarily need to utilize Chinese equipment to carry out large-scale attacks on most of the U.S. infrastructure and telecom systems. In these hacking attacks, the Chinese exploited vulnerabilities in a range of outdated telecom equipment trusted by U.S. companies for decades.

For instance, in the telecom attacks, hackers took advantage of unpatched network equipment from security vendor Fortinet and compromised large network routers from Cisco Systems. In at least one case, Chinese hackers gained access to a senior network management account without multi-factor authentication, allowing them to access over 100,000 routers for potential further attacks—a serious oversight enabling hackers to copy traffic back to China and erase their digital traces. The router hijacking operation reportedly occurred within AT&T’s network.

In December 2024, Neuberger noted that the number of affected U.S. telecom companies had increased to nine and could potentially be more.

Apart from the deep intrusion into AT&T and Verizon, hackers infiltrated networks of Lumen Technologies and T-Mobile. Chinese hackers were reported to have gained access to the networks of Charter Communications, Consolidated Communications, and Windstream.

Lumen Technologies stated that they no longer saw evidence of attackers in their network and that customer data remained protected. T-Mobile reported that they had blocked recent attempts to infiltrate their systems, safeguarding sensitive customer information from unauthorized access.

Several U.S. officials, including Neuberger, highlighted that the hacking incident underscored the necessity for baseline network security requirements within the telecom industry. The Biden administration had issued executive orders establishing mandatory security requirements to prevent attacks on pipelines, railways, and aviation systems.

National Security Advisor Sullivan emphasized, “Cyberspace is a fiercely competitive battlefield. We have made significant progress, but there remain serious vulnerabilities in areas where mandatory network security requirements are lacking.”

During a congressional hearing in December 2023, Senator Dan Sullivan expressed astonishment at the significant current risks and ongoing threats. His reaction to recent classified briefings on the telecom hacking events was described as “chilling.”

The infrastructure hacking attacks have also become a topic of discussion in U.S.-China relations. In April 2024, Secretary of State Antony Blinken held a five-hour meeting with Chinese Foreign Minister Wang Yi in Beijing, expressing U.S. concerns about the dangers and escalation of Chinese attacks on American infrastructure.

Wang accused the U.S. of fabricating illusions to support increased military spending.

During another meeting following the aforementioned interaction, U.S. officials provided the Chinese side with evidence linking the hacks to Chinese IP addresses. U.S. officials familiar with the dialogue told The Wall Street Journal that Chinese officials pledged to investigate the matter and report back to the U.S., but no further progress was made.

Sources revealed that the first shot in China’s new type of cyber warfare against the U.S. occurred on August 19, 2021, when Chinese hackers took just 31 seconds to establish a foothold on critical digital infrastructure at one of America’s largest ports—Houston Port.

At the Houston Port, an intruder posed as an engineer from a port software vendor, gaining access to a server used for remotely resetting the passwords of employees working from home. Before the port could recognize the threat and cut the password server off from the network, the hacker managed to download a set of encrypted passwords for all port employees.

The hacker left a backdoor upon exit, allowing them or other hackers to easily return as they pleased.

Around that time, a cybersecurity vendor noted this activity and flagged it to the port’s cybersecurity supervisor, who dismissed it as a false alarm after inspection, then left for lunch.

Subsequently, two more intruders from suspicious IP addresses entered the password server and downloaded the complete list of employee login credentials over network connections from the server.

The hackers then began exploring the port’s network with their newly acquired access, prompting the cybersecurity vendor to issue a second warning that the earlier attacker activity was recurring.

Only then did the port’s cybersecurity personnel remove the compromised server from the network, putting an end to the hacking incident.

Afterward, Chris Wolski, the port’s cybersecurity lead, contacted the U.S. Coast Guard, responsible for managing American ports, reporting the attack and saying, “We seem to have a problem.”

While the Houston Port managed to eliminate the threat, had the theft of the passwords gone undetected, it would have given the hackers unrestricted entry into the port’s internal network, letting them move through hidden areas until they decided to take action. Investigators stated that the hackers could potentially have disrupted or halted port operations.

At the time, the Houston Port had only just upgraded from basic antivirus software and had a single part-time IT staff member handling cybersecurity. This hacking incident served as an important early warning to U.S. officials, signaling that China was attacking targets other than corporate or government secrets and was using “novel” intrusion techniques.

The FBI found that the hacking incident at the Houston Port was due to a previously unknown flaw in the password software.

A team in Redmond, Washington, drew on the security features built into Microsoft products such as Office 365, the Windows operating system, and the Azure cloud, which emit billions of signals that are used to identify security threats.

Based on information from Microsoft and other intelligence sources, federal agents conducted extensive investigations across the U.S., hearing similar stories while probing more than ten sites in 2022 and 2023. The victims’ cybersecurity posture varied, and some companies were unaware their networks had been breached. The hackers typically did not install malware or steal commercial or government secrets or private data; their aim was simply to get into the networks and familiarize themselves with the systems.

In prior cases, FBI agents could track hackers once they rented servers within the U.S. for attacks.

This time, however, the hackers routed their activity through small-office and home-office routers, which disguised their intrusions as legitimate U.S. traffic.

These routers, primarily manufactured by Cisco and Netgear, were vulnerable because they were outdated and no longer received routine security updates from their manufacturers. Once under hacker control, the routers served as stepping stones to other victims without triggering alarms, making the hacking look like routine traffic.

By late 2023, the FBI had identified hundreds of attackers using compromised small-office routers. Prosecutors sought court authorization to remotely access the routers and issue commands to remove the malware, which had found its way into the homes of unsuspecting U.S. victims who had purchased the routers years earlier without realizing that their Wi-Fi networks had been surreptitiously compromised.

In January 2024, a judge approved the request, allowing the FBI to execute this operation, effectively neutralizing a critical tool used by the hackers.

Current and former U.S. officials familiar with the security analysis indicated that NSA analysts observed Beijing laying the groundwork, through cyber warfare, for potential military attacks on Taiwan. This information helped investigators focus on the new infrastructure hacking activity and place it within the broader picture of Chinese hacker operations.

Western security officials shared data on infrastructure hacking intrusions with allies.

The focus on targets like Guam and the U.S. West Coast indicated to many senior national security officials across various U.S. agencies under the Biden administration that the Chinese hackers’ primary concern was Taiwan: slowing the U.S. response to a potential Taiwan conflict in order to buy Beijing valuable time in wartime. Other hacker targets seemed to indicate different intentions; one was a small air traffic control facility on the U.S. West Coast, and others included water treatment plants. Sources said these choices suggested that Chinese hackers were looking for ways to inflict pain on civilians in the United States, such as disrupting flight routes or shutting down local water treatment facilities.

Former NSA Deputy Director George Barnes mentioned that by late 2022 and early 2023, he pondered whether Beijing’s plan was to have their hacking activities discovered to deter U.S. intervention in a potential Taiwan conflict.

Barnes stated that, if a Taiwan Strait conflict were to occur, the U.S. would, after Taiwan itself, be the “Zero Target” for destructive cyberattacks by Chinese hackers aiming to impede U.S. action against China’s takeover of Taiwan.

During the summer of 2024, U.S. officials informed telecommunications companies that a hacker group in contact with China’s state intelligence department had breached their networks, constituting a comprehensive attack on American communication systems.

The intruders exploited the interconnections between telecom companies, the data-transfer pathways that often lack multi-factor authentication, to get into the communication networks. That additional layer of protection, familiar from the login practices of consumer banking, did not always exist between telecom providers, partly because of its impact on the speed of phone calls and network traffic.

The hackers also accessed phone lines used by several senior national security and policy officials and intercepted audio involving at least one incoming president, Vice President Kamala Harris, and individuals involved in the Trump and Harris campaigns.

Investigators noted that the hackers also attempted to gain access to Verizon and AT&T’s interception monitoring systems, apparently seeking to understand FBI and other agencies’ awareness of Beijing’s espionage activities in the U.S. and internationally.

During the investigations, it was found that Chinese hackers could maintain prolonged access to the monitoring systems without detection. For instance, they infiltrated one telecom company’s network and stayed for about 6 months, and they lingered in another telecom network for approximately 18 months.

By October 2023, several weeks after The Wall Street Journal’s initial disclosure of the telecom hacking incidents, Chinese hackers still remained in the interception systems of the two companies. U.S. officials believe these hackers have since been cleared out.

Investigators said that the Chinese hackers changed their behavior right after the initial reports, making it more complicated to locate and expel the intruders.

In the fall of 2023, Verizon leaders and cybersecurity experts convened a closed-door meeting in Texas to strategize on how to detect and expel hacker intruders. Subsequently, the company conducted vulnerability assessments on every router in their network.

Investigators learned that the Chinese hackers would sometimes remain passive, merely observing network traffic; at other times, they would siphon off network data through carefully designed paths around the globe that circled back to China. The Chinese hackers excelled at finding a foothold from which to observe network traffic, much like a network engineer at work, and were skilled at concealing their traces on the network.

The telecommunication intrusion by Chinese hackers had a regional focus, with phone records of individuals working in the Washington D.C. area and its surrounding regions becoming their primary intrusion targets. They accessed call records for over a million users, including dates and timestamps, source and target IP addresses, phone numbers, and unique phone identifiers.

An FBI official familiar with the investigation remarked, “We’ve seen a significant amount of data being intercepted.”

Investigators are currently conducting extensive inquiries into the telecom hacking events, with some lawmakers growing impatient over the extended time required for Chinese hackers’ expulsion.

President-elect Trump and his new cabinet were poised to take office, with Trump appointing hawkish Congressman Mike Waltz as his White House National Security Advisor, nominating Tulsi Gabbard as the new Director of National Intelligence, and Kash Patel as the new FBI Director. Expectations were high for significant adjustments within the U.S. intelligence and national security system under Trump’s new administration, shaping how they would counter the Chinese hackers.

(Acknowledgment to The Wall Street Journal for references in this report)