China’s ‘Typhoon’ cyber operations target US critical infrastructure sectors in move toward large-scale disruption
Written by Black Hot Fire Network on October 31, 2025
A new report from Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security identifies sector-specific risks, noting that cyber intrusions across U.S. energy, water, telecommunications, transportation, and healthcare infrastructures suggest that People’s Republic of China (PRC)-linked ‘Typhoon’ hackers are probing critical systems to enable large-scale disruption in future conflicts. These sectors have faced state-sponsored cyber operations, referred to by Microsoft as ‘Typhoons,’ indicating Beijing’s preparations for potential conflict. These activities aim to disrupt logistics, delay military deployments, and target essential civilian systems.
The report highlights a significant shift in China’s offensive cyber strategy, evolving from espionage to the potential for widespread disruption. Countering this growing threat requires a comprehensive, coordinated effort that involves cybersecurity, intelligence, diplomacy, and resilience across governments and allied nations. It also found that domestically, the legal framework for responding to state-sponsored cyber threats remains fragmented. At the international level, the typhoon campaigns highlight the limitations of existing norms and agreements.
Titled ‘Code Red: A Guide to Understanding China’s Sophisticated Typhoon Cyber Campaigns,’ the McCrary report noted that “critical infrastructure operators face distinct challenges depending on their sector, and the typhoon campaigns demonstrate that no domain is immune.”
McCrary assessed that in the energy sector, cyber intrusions into industrial control systems (ICS) or supervisory control and data acquisition (SCADA) networks represent perhaps the most immediate national security risk. “Even localized disruptions could cause cascading power outages across multiple states, crippling military installations, logistics hubs, hospitals, and businesses. China’s Volt Typhoon activity shows a sophisticated interest in this area, raising the possibility that the PRC could selectively disable portions of the grid to delay U.S. deployments in the Indo-Pacific or cause other general disruption at home as a distraction for any military action.”
It pointed out that historical precedent underscores this danger. Russia’s 2015 and 2016 cyberattacks on Ukraine’s power grid left hundreds of thousands without electricity, providing a glimpse of the consequences of energy infrastructure manipulation in a geopolitical conflict.
Moving to the water sector, the McCrary report mentioned that many municipal water utilities operate on outdated systems with limited cybersecurity budgets and personnel, making them prime targets for low-cost exploitation. Intrusion into these systems could disrupt water treatment processes, damage pumps and valves, or contaminate the supply, posing direct risks to public safety. A water sector outage has the potential for larger cascading effects, as many other sectors, including the energy sector and the healthcare and public health sector, depend on water to function.
“Depending on the scope and scale, a water outage could lead to widespread communications failures, emergency services interruptions, and military recall disruptions during a crisis,” it added. “Volt Typhoon has already demonstrated the ability to interfere with control systems at water facilities, highlighting the PRC’s recognition that civilian lifeline services are potential pressure points in times of crisis.”
The telecommunications sector is also exposed, as demonstrated by the Salt Typhoon campaign. By penetrating major providers such as Verizon, AT&T, and Charter Communications, PRC-linked actors gained visibility into call records, text message metadata, and geolocation information for an estimated one million U.S. individuals, including senior government officials.
The McCrary report identifies that “such access gives Beijing not only a counterintelligence advantage but also coercive leverage, as sensitive communications could be disrupted, surveilled, or manipulated during a crisis. The compromise of lawful intercept systems used by U.S. law enforcement agencies is particularly alarming, as it may have revealed the scope of U.S. counterintelligence operations targeting Chinese operatives. In the transportation domain, the risks extend across air, sea, and land.”
Furthermore, cyberattacks on air traffic management systems could ground flights, delay troop movements, or disrupt the resupply of forward-deployed forces, not to mention crippling the larger U.S. economy. Similarly, interference with maritime port operations could create bottlenecks in the flow of materiel across the Pacific, a scenario that would be especially damaging in the early stages of a Taiwan contingency. The Colonial Pipeline ransomware incident of 2021, although not linked to China, provides a sobering illustration of how even short-term disruptions in transportation and logistics networks can ripple across the economy and military readiness.
The McCrary report acknowledged that the healthcare sector is increasingly recognized as a critical infrastructure vulnerable to foreign cyber operations. “Hospitals and research institutions hold sensitive data and rely on networked medical devices that could be disrupted or manipulated. A campaign targeting healthcare facilities during a national security crisis would not only impede care for civilians and service members but also undermine public morale, amplifying the coercive effect of PRC cyber operations.”
Taken together, the sector-specific analysis makes clear that the typhoon actors are not pursuing isolated technical exploits but rather probing for systemic vulnerabilities across multiple lifeline sectors. The goal is not only to collect intelligence but also to preposition capabilities that could impose strategic costs on the U.S. at a time of Beijing’s choosing.
The McCrary report finds that the typhoon actors represent a new phase in Chinese cyber operations, one centered on long-term persistence, access to critical infrastructure, and coercive leverage over the U.S. “Volt Typhoon’s embedded presence in critical infrastructure, Salt Typhoon’s vast surveillance of telecom networks, and the opportunistic exploits of Linen, Violet, and Silk Typhoon are strands of a coherent strategy. The United States has begun to push back through advisories, indictments, and take-downs. Yet the fundamental contest is one of endurance.”
It added that as long as Beijing views U.S. critical infrastructure as both a target and a lever of influence, “the typhoon actors will remain a defining feature of the cyber domain in an era of great power competition. And they are not letting up. Whether known to the U.S. government or not, by the time this paper is published, there will almost certainly be another typhoon threat actively targeting the United States.”
The report adds that the U.S. and its allies have countered the typhoons with a mix of legal, diplomatic, and operational measures, including public attributions, coordinated sanctions, hacker indictments, and joint advisories on indicators of compromise. “While these actions raise costs for Beijing and demonstrate allied unity, they have not changed China’s behavior.”
The report highlighted that the PRC continues to operate with relative impunity, using third-party firms to obscure attribution and exploiting the slow investigations and weak enforcement of Western democracies. By relying on intermediaries, it noted, Beijing further complicates attribution and delays coordinated responses. Rapid attribution across agencies and governments remains a persistent challenge.
It cited the Tallinn Manual, which, while influential in academic and policy circles, is non-binding and lacks universal adoption. The McCrary report noted that China has consistently resisted efforts at the United Nations to establish binding rules that would limit cyber operations against critical infrastructure, instead advocating for state sovereignty in cyberspace, a position that legitimizes its own practices while constraining external scrutiny. As a result, international law remains an uneven deterrent, leaving the U.S. and its allies to rely on ad hoc coalitions and public attributions to push back against PRC activity.
The McCrary report also disclosed a challenge related to attribution. “While the U.S. and its allies increasingly publish joint reports naming PRC-linked actors, attribution in cyberspace is inherently complex and politically sensitive. Beijing routinely denies involvement, framing U.S. statements as politically motivated, which reduces the impact of ‘naming and shaming’ campaigns. Without a stronger enforcement mechanism, attributions struggle to deter future activity, even when they are accurate.”
It also pointed out that policy responses must extend beyond indictments and advisories. Strengthening deterrence by denial through greater resilience in critical infrastructure can blunt the impact of Chinese intrusions. Another option is to adopt a more proactive ‘defend forward’ posture, as outlined in U.S. Cyber Command’s 2018 strategy, aimed at disrupting adversary campaigns before they reach U.S. networks. Yet this raises legal and diplomatic concerns over when preemptive cyber actions constitute a use of force and how proportionality applies in cyberspace, questions that continue to hinder a coherent deterrence strategy.
Evidently, the typhoon campaigns underscore the importance of allied coordination. “Sanctions and indictments are most effective when imposed jointly, as demonstrated by the 2024 U.S.-U.K. sanctions against Volt Typhoon operators,” according to the McCrary report. “Yet many allies have varying thresholds for attribution and differing legal standards for cyber response, creating gaps that Beijing can exploit. A long-term policy imperative for Washington will be to harmonize legal frameworks across NATO, the Indo-Pacific, and other partner networks to ensure collective resilience and to signal to Beijing that cyber aggression against one will provoke a coordinated response by many.”
In sum, the actions of the typhoon actors reveal that the legal and policy toolkit of the U.S. and its allies remains underdeveloped relative to the scale of the challenge. Strengthening these frameworks will be essential if deterrence is to shift from symbolic costs to meaningful constraints on Beijing’s cyber strategy.
In conclusion, the McCrary report observes that the ongoing and persistent nature of the typhoon actors represents a major advancement in the PRC’s offensive cyber capabilities, with consequences reaching far beyond traditionally observed cyber espionage. In an emerging era of hybrid and gray zone warfare, malicious cyber campaigns like these will play an increasingly prominent, regular role, requiring improved vigilance and mitigation efforts from the U.S. government and its partners, including critical infrastructure owners and operators.
The report also emphasizes the national security imperative that federal, state, local, tribal, territorial, and private sector partners cooperate in new and robust ways to minimize potential future operational disruptions and sensitive data compromises, which, if combined, could cause a super storm. Additionally, the threat posed by the typhoon actors is not merely a cybersecurity challenge, but should be looked at as a broader threat to the U.S. and its allies posed by China. As the PRC develops new ways to undermine U.S. national security, it is critical to adopt a whole-of-government approach to countering such threats.