The Unseen Storm: How China’s Typhoon APT Groups Are Setting the Stage for Cyberwarfare

April 17, 2025

It wasn’t an alarm blaring in a SOC. It wasn’t a red flashing screen demanding Bitcoin. It wasn’t even a report from a junior analyst catching a suspicious login.

Instead, the warning came in the form of a dull, bureaucratic advisory buried deep in a government report. It said, in sanitized language, what cybersecurity teams dread most:

They’re already inside.

For years, Chinese state-sponsored attackers have moved through the networks of the most critical industries—telecommunications, energy, defense, and government. Not to vandalize, not to ransom, but to wait.

And now, a new storm has taken shape.

This is the first in a comprehensive series that will explore the Typhoon family of Advanced Persistent Threat (APT) groups—Volt, Salt, and Flax—unpacking their tactics, operations, and what security teams need to do to stop them. Each of these groups has a different approach, but they share one truth: they are already embedded in critical systems around the world.

Meet the Typhoon APT Groups

The Typhoon APT groups—Volt, Salt, and Flax—represent more than just groups of hackers. They are patient, methodical operators who specialize in silence, building beachheads for the future. They don’t smash windows; they copy the keys. They don’t trip alarms; they move like employees.

These teams are quietly preparing for the future waves of cyberwarfare.

Volt Typhoon: The Ghost in the Network

In late 2023 and again in early 2024, CISA and the FBI issued a chilling warning: Volt Typhoon had been inside U.S. critical infrastructure for months, moving undetected, preparing access for potential sabotage.

This wasn’t an attempted or theoretical breach. It was an ongoing operation, one that had been under way long before anyone noticed.

Volt Typhoon is stealthily living off the land, blending into the everyday hum of IT operations. They rarely leave footprints, and they rarely use flashy malware or ransomware. While SOC analysts focus on endpoints and logs, Volt Typhoon operates in the blind spots—hiding inside legitimate IT tools, moving like a ghost through the systems that keep entire countries running.

The Volt Typhoon APT group has a distinct profile in both its methods and its targets.

Volt Typhoon Profile
Industry Targets
  • Critical infrastructure: telecommunications, energy grids, and defense systems
  • Government agencies: organizations responsible for national security and supply chain management
  • Military logistics and contractors: providers of classified and defense-related technologies
Key Characteristics
  • Uses remote administration tools like PowerShell and WMI instead of deploying malware
  • Prioritizes stealth over speed, ensuring persistent, long-term access
  • Focuses on reconnaissance over immediate theft—mapping systems, collecting intelligence, and establishing footholds
  • Gains access through compromised enterprise-grade firewalls, VPN concentrators, and security appliances
  • Steals authentication tokens, session cookies, and privileged access credentials to move laterally without raising suspicion
Notable Attacks
  • 2023: U.S. critical infrastructure breach – Volt Typhoon had burrowed into telecom and energy networks for months before being detected. CISA and the FBI confirmed that the group had been pre-positioning for potential sabotage.
  • Telecom espionage – Targeted major telecom providers to intercept communications and map national infrastructure.
  • Network appliance exploitation – Bypassed endpoint detection by hijacking trusted security devices—firewalls, VPN concentrators, and network monitoring tools—to remain persistent.
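To make the living-off-the-land traits listed above concrete from the defender’s side, here is an added example (not code from the original post or from Keystrike) that runs three detection heuristics over constructed Windows-style process-creation and logon events: a shell spawned by the WMI provider host, PowerShell started with an encoded command, and one account producing network logons on many hosts within minutes. The event layout, host and account names, and the thresholds are assumptions for illustration, not telemetry from any real intrusion.

```python
"""Added detection example; the event shapes, names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely shaped like Security log 4688 (process
# creation) and 4624 (logon). Nothing here is real telemetry.
EVENTS = [
    {"id": 4688, "ts": "2025-04-01T02:14:05", "host": "HR-FS01",
     "user": "CORP\\svc_backup",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c netstat -ano"},
    {"id": 4688, "ts": "2025-04-01T02:14:09", "host": "HR-FS01",
     "user": "CORP\\svc_backup",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwA="},
    {"id": 4688, "ts": "2025-04-01T09:30:00", "host": "DEV-WS07",
     "user": "CORP\\alice",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Projects"},
    # Benign: one network (type 3) logon by a user to one file server.
    {"id": 4624, "ts": "2025-04-01T08:00:00", "host": "HR-FS01",
     "user": "CORP\\alice", "logon_type": 3},
]
# Suspicious: the same service account logs on to six servers in five minutes.
EVENTS += [
    {"id": 4624, "ts": f"2025-04-01T02:2{i}:00", "host": f"SRV{i:02d}",
     "user": "CORP\\svc_backup", "logon_type": 3}
    for i in range(6)
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_wmi_spawned_shell(events):
    """Shell or PowerShell whose parent is the WMI provider host (WmiPrvSE.exe).
    Remote WMI command execution leaves this parent/child pair on the target;
    interactive users almost never do."""
    return [e for e in events
            if e["id"] == 4688
            and basename(e["parent"]) == "wmiprvse.exe"
            and basename(e["image"]) in SHELLS]


def detect_encoded_powershell(events):
    """PowerShell started with -EncodedCommand or one of its prefixes.
    powershell.exe accepts any unambiguous prefix of a switch, so '-e',
    '-en' and '-enc' all mean -EncodedCommand; '-ec' is handled explicitly."""
    hits = []
    for e in events:
        if e["id"] != 4688 or basename(e["image"]) not in POWERSHELL:
            continue
        for tok in e["cmdline"].lower().split():
            flag = tok.lstrip("-/")
            if tok != flag and flag and (
                    "encodedcommand".startswith(flag) or flag == "ec"):
                hits.append(e)
                break
    return hits


def detect_logon_fanout(events, min_hosts=5, window=timedelta(minutes=10)):
    """Accounts with type-3 logons on >= min_hosts distinct hosts inside
    `window`: the fan-out produced by reusing stolen credentials.
    Returns {account: sorted hosts} for the first window that trips."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


def run(events):
    """Collect every finding in one dict, the shape a SIEM summary would use."""
    return {
        "wmi_spawned_shell": detect_wmi_spawned_shell(events),
        "encoded_powershell": detect_encoded_powershell(events),
        "logon_fanout": detect_logon_fanout(events),
    }


if __name__ == "__main__":
    for rule, hits in run(EVENTS).items():
        print(rule, "->", hits if isinstance(hits, dict)
              else [(h["host"], h["user"], h["cmdline"]) for h in hits])
```

On the constructed input, the first two rules each fire once on HR-FS01 and the fan-out rule flags the service account across SRV00 to SRV05; the ordinary PowerShell session and single logon for the user account stay quiet. The thresholds are deliberately loose; in production they would be tuned per environment, and the fan-out rule needs an allowlist for accounts that legitimately touch many hosts (backup and monitoring services are the usual false positives).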

If you’re thinking, “But we have endpoint security!”—great. Volt Typhoon doesn’t use endpoints. They live in the gaps, inside systems your SOC isn’t looking at, waiting for the day they’re told to act.

Salt Typhoon: The Deep Cover Operative

Cyber threats may come and go like seasonal viruses, but Salt Typhoon is different. They don’t just break in—they set up a second home inside your network and settle in for the long haul.

Where Volt Typhoon is a ghost, Salt Typhoon is more like a parasite. Their goal is to gain unshakable, redundant footholds. They avoid the proverbial gates by building custom keys and paths, hiding them in as many places as they can.

They focus on long-term espionage, infrastructure persistence, and data exfiltration that no one notices until it’s too late.

Salt Typhoon Profile
Industry Targets
  • Government agencies and defense contractors
  • Aerospace and advanced technology firms
  • Supply chain service providers and third-party IT vendors
Key Characteristics
  • Deploys custom-modified malware variants (SparrowDoor, Demodex) for data exfiltration
  • Uses watering hole attacks—compromising industry-specific forums and software updates to infect highly targeted victims
  • Establishes redundant access points—if you shut one door, they have three more hidden
  • Prioritizes stealthy exfiltration over smash-and-grab data theft
Notable Attacks
  • Global telecom espionage – Salt Typhoon compromised telecommunications providers to monitor government and military communications.
  • Aerospace and defense breaches – Infiltrated contractors working on sensitive R&D projects, siphoning off high-value intellectual property.
  • Supply chain infiltration – Attacked third-party software vendors to gain access to their customers—because why break into one company when you can own a dozen at once?

The greater concern is that Salt Typhoon isn’t just inside your network. They’re inside the networks of the companies you depend on.

Flax Typhoon: The Cyber Wildcard

Some attackers are disciplined, strategic, and targeted. Flax Typhoon is none of those things.

They are the opportunists—casting the widest net possible, breaching as many networks as they can, and figuring out what’s valuable later. Unlike Volt and Salt, who have specific missions, Flax Typhoon is here for everything.

Flax Typhoon Profile
Industry Targets
  • Cloud service providers and managed IT firms
  • Financial institutions, healthcare, and technology enterprises
  • Public sector and critical infrastructure organizations
Key Characteristics
  • Specializes in credential harvesting at scale—stealing authentication tokens, passwords, and session cookies for future use
  • Uses a mix of open-source attack tools and custom malware
  • Adapts its strategy depending on how well-defended the target is
  • Focuses on laying groundwork for future access, even if an attack isn’t immediate
Notable Attacks
  • Cloud infrastructure breaches – Suspected in multiple attacks against IT and cloud service providers.
  • Financial and healthcare industry espionage – Leveraged spear-phishing to compromise executives and IT staff.
  • Zero-day exploitations – Known to use undisclosed software vulnerabilities for stealthy network intrusions.

Flax Typhoon isn’t here for one thing. They’re here for everything.

The Real Threat: What Happens When They Flip the Switch?

These groups aren’t just scouting. They aren’t experimenting.

They are preparing.

They are inside networks, inside supply chains, inside systems that cannot go down. And one day, when the signal comes, they will flip the switch.

A telecom blackout. A grid failure. A sudden, synchronized disruption that looks like a technical failure but isn’t.

The moment geopolitical tensions escalate, these infiltrations can be weaponized. A power grid outage. A military logistics failure. The foundation is already in place.

How to Think About Prevention

If you’re still thinking in terms of preventing breaches, you’re already too late. The focus now is on containment and control.

Prevention is ideal, but a prevention-only strategy rests on the assumption that you haven't already been breached. If Volt Typhoon has been inside telecom networks for months, how many other companies already have APTs quietly moving through their systems?

The Typhoon APT groups aren’t coming. They’re here. Now we have to make sure they can’t continue to move laterally and further dig in.

The question isn’t how to keep them out—but how to trap them before they strike.

Next up: Volt Typhoon—the patient infiltrator already inside U.S. infrastructure.
