
Peeking at the Chinese Espionage Playbook: Salt & Volt Typhoon

China’s state-sponsored hacking groups — Salt Typhoon and Volt Typhoon — have carried out some of the most alarming cyber-espionage campaigns against U.S. critical infrastructure to date. These operations have targeted everything from telecom providers to energy utilities, raising the temperature on national security and exposing systemic weaknesses in infrastructure defenses.

This ain’t your average phishing campaign — this is deep, stealthy, years-long infiltration with global consequences. Let’s break down what happened, what it means, and how to defend against it.

Overview of the Threat

Salt Typhoon and Volt Typhoon are advanced persistent threat (APT) groups attributed to the Chinese state and linked to China’s Ministry of State Security (MSS). Their missions differ: Salt Typhoon is focused on surveillance and data theft, while Volt Typhoon is clearly pre-positioning for potential disruption. Their tooling differs too, as the comparison further down shows. What they share is the goal: long-term strategic access to the systems we depend on daily.

These aren’t “smash and grab” hacks. This is cyber trench warfare.

Salt Typhoon: Spying on America’s Backbone

Salt Typhoon has methodically targeted U.S. telecommunications companies, including AT&T, Verizon, Lumen, and satellite communication providers like Viasat [1][2]. In some cases, the group maintained persistent access for over three years.

Key Tactics

  • Initial Access: Exploited known, already-patched vulnerabilities in Cisco network devices: CVE-2018-0171 (Smart Install remote code execution) and CVE-2023-20198 / CVE-2023-20273 (the IOS XE web UI bugs that are chained to create a privilege-15 account and then run commands as root), usually combined with stolen or weak credentials [3].

  • Post-Exploitation: Built GRE tunnels from compromised devices to attacker-controlled infrastructure to keep a foothold and quietly exfiltrate data; captured running configurations (which often contain weakly protected credentials for other devices); and, inside the telecom networks, extracted call audio, call records, SMS content, and geolocation data [4].

  • Operational Targets: Included not just corporate traffic, but individuals linked to both major U.S. presidential campaigns [5].

Why It Matters

  • This isn’t theoretical — they siphoned real-world data, potentially geolocating millions and intercepting private conversations.

  • Telecom networks are the underpinning of modern communication. Compromise here means potential access to governments, businesses, and citizens alike.

  • They went undetected in some networks for years, even as traffic was being harvested and exfiltrated in real time.

Volt Typhoon: Lurking in the Grid

Volt Typhoon, meanwhile, has zeroed in on U.S. energy, water, utility, and transportation infrastructure. They’re not just stealing data — they’re setting up the ability to pull the plug when it counts.

In a closed-door meeting in late 2024, Chinese officials indirectly acknowledged Volt Typhoon’s attacks as a response to U.S. support for Taiwan — essentially a digital saber-rattle [6].

Key Tactics

  • Living off the land: Used native Windows tools (PowerShell, wmic, netsh, ntdsutil and other command-line utilities) instead of dropping malware, so the activity blends into normal administration. Signature-based antivirus has nothing to match on, and EDR only catches it if it alerts on behaviour rather than on files [7].

  • Initial Access: Came through internet-facing routers, VPN appliances and other edge devices, exploiting known (n-day) vulnerabilities, weak credentials and misconfigurations rather than flashy zero-days. Compromised small-office/home-office routers are also used as proxies, so command-and-control traffic looks like ordinary residential internet use [7].

  • Long-Term Persistence: One U.S. utility in Massachusetts was reportedly breached for over 300 days without detection [8].

Strategic Objective

  • This is pre-positioning: establishing deep access now to disable or disrupt operations later — likely in the event of a military or geopolitical flashpoint over Taiwan [9].

Side-by-Side Comparison

Aspect              | Salt Typhoon                                  | Volt Typhoon
--------------------|-----------------------------------------------|--------------------------------------------
Main Targets        | Telecoms, ISPs, satellite comms               | Energy, utilities, water, transportation
Key Techniques      | Cisco exploits, GRE tunnels, stolen creds     | Living off the land, router/VPN access
Duration of Access  | Over 3 years in some networks                 | 300+ days in critical infrastructure
Strategic Objective | Espionage, surveillance, influence ops        | Disruption readiness, cyber pre-positioning
Notable Incidents   | Breached 9+ major telecoms, Viasat, campaigns | Infiltrated power grid, water utilities

Defensive Measures: What to Do Now

You don’t need a government budget to raise your cyber game. Here’s what defenders — whether corporate, telecom, or government — should be doing today:

1. Patch Immediately

  • Apply updates to Cisco IOS XE and router firmware across your network, especially for CVE‑2023‑20198, CVE‑2023‑20273, and CVE‑2018‑0171 [3]. Where a device cannot be patched promptly, shrink the attack surface instead: disable the web UI (no ip http server / no ip http secure-server) and Smart Install (no vstack), and restrict management access to a trusted network.

  • Audit devices for unauthorized configuration changes: new GRE tunnel interfaces, unknown privilege-15 users, altered access lists or loopback addresses, and management services you did not enable. Compare the running config against a known-good baseline rather than eyeballing it.
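Here is an added example of what that audit looks like once scripted; it is mine, not code from the original post or from Cisco. It parses the output of show running-config, flags tunnel interfaces that have a destination, privilege-15 accounts outside an approved list, an enabled web UI, and a Smart Install client that has not been explicitly turned off. The sample config, the approved-admin list and the severities are constructed for illustration.

```python
"""Audit a Cisco IOS / IOS XE running-config for the kinds of change Salt
Typhoon was reported to make: added GRE tunnels, unexpected privileged
users, and an exposed attack surface (web UI, Smart Install).

Added example, not code from the original post or from Cisco. Feed it the
text of `show running-config`; SAMPLE_CONFIG below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str
    check: str
    detail: str


# Constructed sample: one planted tunnel, one unsanctioned privilege-15
# account, and the IOS XE web UI left enabled. Secrets are placeholders.
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
ip http server
ip http secure-server
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.252
interface Tunnel100
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
line vty 0 4
 transport input ssh
"""

# Assumption: the accounts your change records say should exist.
APPROVED_ADMINS = {"netadmin"}


def split_sections(config):
    """Group indented continuation lines under their top-level command."""
    sections = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit_config(config, approved_admins=APPROVED_ADMINS):
    """Return a list of Findings for the given running-config text."""
    findings = []
    sections = split_sections(config)
    top_level = {head for head, _ in sections}

    for head, body in sections:
        # On IOS the default tunnel mode is GRE over IP, so a Tunnel
        # interface with a destination is GRE unless a mode line says otherwise.
        if head.startswith("interface Tunnel"):
            mode = next((line for line in body if line.startswith("tunnel mode")),
                        "tunnel mode gre ip (default)")
            dest = next((line.split()[-1] for line in body
                         if line.startswith("tunnel destination")), None)
            if dest:
                findings.append(Finding("high", "gre-tunnel",
                                        f"{head} to {dest} ({mode})"))
        m = re.match(r"username (\S+) privilege 15", head)
        if m and m.group(1) not in approved_admins:
            findings.append(Finding("high", "rogue-admin",
                                    f"unsanctioned privilege-15 user {m.group(1)}"))

    # Web UI reachable: the attack surface for CVE-2023-20198 / CVE-2023-20273.
    for cmd in ("ip http server", "ip http secure-server"):
        if cmd in top_level:
            findings.append(Finding("medium", "web-ui-exposed",
                                    f"'{cmd}' is enabled; IOS XE web UI is reachable"))

    # Smart Install (CVE-2018-0171) is on by default on some platforms;
    # 'no vstack' is the explicit off switch, so its absence is worth a look.
    if "no vstack" not in top_level:
        findings.append(Finding("low", "smart-install",
                                "Smart Install not explicitly disabled ('no vstack' absent)"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

Run it on a real device by saving the output of show running-config and passing the text to audit_config(). Treat the web UI finding as a prompt to check exposure rather than proof of compromise: an enabled ip http secure-server is defensible only when it is reachable solely from your management network.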

2. Lock Down External Access

  • Disable unnecessary ports and services.

  • Block direct internet access to admin interfaces and remote management ports (SSH, the HTTPS web UI, SNMP, Telnet); management should be reachable only from a dedicated jump host or management VLAN.

3. Monitor for Lateral Movement

  • Enable behavioural detection for unusual use of PowerShell, wmic, netsh (especially portproxy), ntdsutil and vssadmin: encoded commands, credential-store dumps, and port forwarding set up from workstations are out of place in most environments.

  • Log process creation with full command lines (Windows Security event 4688 with command-line auditing, or Sysmon event 1) and alert on the command strings, not just the binary names, because every one of these tools is legitimate.
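An added example (not from the original post or from CISA) of the kind of behaviour-based rule set this implies, run over a handful of constructed process-creation records: it matches on command-line content for the tools Volt Typhoon is documented to use, scores each host on the distinct behaviours seen, and alerts only when more than one fires. The rule weights, the alert threshold and the sample events are assumptions made for the example.

```python
"""Behaviour-based detection for living-off-the-land activity of the kind
CISA documents for Volt Typhoon. Process-creation records (Windows Security
event 4688 with command-line auditing, or Sysmon event 1) are matched on
what the command line does, not on a file hash, because every tool here is
a legitimate Windows binary.

Added example, not code from the original post or from CISA. The rules,
weights, threshold and the EVENTS records are all constructed for it.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# (rule name, image file name, command-line pattern, weight). The techniques
# come from CISA's Volt Typhoon advisory (portproxy pivoting, NTDS.dit
# dumping via vssadmin/ntdsutil, WMIC remote execution, encoded PowerShell,
# SAM/SYSTEM hive export); the weights are an assumption for this example.
RULES = [
    ("netsh_portproxy",    "netsh.exe",      r"interface\s+portproxy\s+add", 8),
    ("ntdsutil_ifm",       "ntdsutil.exe",   r'ac\w*\s+i\w*\s+ntds"?.*\bifm\b', 9),
    ("vssadmin_shadow",    "vssadmin.exe",   r"create\s+shadow", 6),
    ("wmic_remote_exec",   "wmic.exe",       r"/node:\S+.*process\s+call\s+create", 7),
    ("powershell_encoded", "powershell.exe", r"(?:^|\s)(?:-e|-enc|-encodedcommand)\s+[A-Za-z0-9+/=]{20,}", 5),
    ("reg_save_hive",      "reg.exe",        r"save\s+hklm\\(?:sam|system|security)\b", 8),
]
ALERT_THRESHOLD = 10  # assumption: roughly two correlated behaviours on one host

# Constructed events: two hosts showing attacker-style activity and one
# doing ordinary admin work with the same binaries.
EVENTS = [
    {"host": "WS-42", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
                "connectport=8443 connectaddress=10.10.4.15"},
    {"host": "WS-42", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"10.10.4.20" process call create "cmd.exe /c whoami > C:\Windows\Temp\o.txt"'},
    {"host": "WS-42", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\dump" q q'},
    {"host": "WS-07", "user": "CORP\\asmith", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profiles"},
    {"host": "WS-07", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]


def match_rules(event):
    """Return the names of rules whose image name and command-line pattern both match."""
    image = PureWindowsPath(event["image"]).name.lower()
    hits = []
    for name, exe, pattern, _weight in RULES:
        if image == exe and re.search(pattern, event["cmdline"], re.IGNORECASE):
            hits.append(name)
    return hits


def score_hosts(events):
    """Sum rule weights per host, counting each distinct rule once so a
    command repeated in a loop does not inflate the score."""
    weights = {name: w for name, _, _, w in RULES}
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev))
    return {host: (sum(weights[r] for r in rules), sorted(rules))
            for host, rules in per_host.items()}


def alerts(events, threshold=ALERT_THRESHOLD):
    """Hosts whose combined behaviour score reaches the threshold."""
    return {h: s for h, s in score_hosts(events).items() if s[0] >= threshold}


if __name__ == "__main__":
    for host, (score, rules) in alerts(EVENTS).items():
        print(f"ALERT {host}: score={score} rules={', '.join(rules)}")
```

The point of scoring per host rather than alerting on every hit is that each of these commands has a legitimate use (backup jobs take shadow copies, admins run encoded PowerShell from deployment tools); a port forward plus a remote WMIC call plus hidden encoded PowerShell on one workstation is a different story.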

4. Rotate Credentials & Enforce MFA

  • Especially for all network and infrastructure admin accounts.

  • Prefer phishing-resistant methods such as FIDO2 hardware tokens. If you rely on push approval, require number matching and alert on anomalous approvals. SMS codes are the weakest option and should never be the only factor on a privileged account.

5. Segment Networks

  • Keep management interfaces on a dedicated, out-of-band management network, isolated from production traffic.

  • Don’t let compromise of one device mean compromise of the whole system.

6. Run Red Team Exercises

  • Simulate Volt Typhoon-style persistence and Salt Typhoon-style exfiltration.

  • Don’t just hunt malware — hunt behaviors.

Final Thoughts

Salt and Volt Typhoon are two sides of the same coin: long-game, high-stakes digital warfare. One wants your data, the other wants your switchboard. Both aim to destabilize, disrupt, and dominate without firing a shot.

This isn’t about fearmongering — it’s about preparedness. These campaigns aren’t coming. They’re here. Right now. You patch. You hunt. You prepare. Or you get caught flat-footed when it matters most.

Sources

  1. SecurityWeek – “China Admits to Volt Typhoon Cyberattacks”

  2. The Register – “Salt Typhoon Breaches 9+ U.S. Telecoms”

  3. Cisco – CVE-2018-0171, CVE-2023-20198, CVE-2023-20273 Security Advisories

  4. BleepingComputer – “Chinese Hackers Used Cisco Router Exploits”

  5. The Hacker News – “Chinese APTs Target U.S. Presidential Campaign Staff”

  6. The Guardian – “China Quietly Acknowledges Cyber Activity in Taiwan Dispute”

  7. CISA – Volt Typhoon MITRE Mapping & Behavior Guidance

  8. AP News – “Massachusetts Utility Breach Remained Hidden for 300+ Days”

  9. CPO Magazine – “Volt Typhoon and the Threat of Prepositioned Access”
