
China’s Cyber Strategies

Blog post by

In the quiet corridors of cyberspace, a new kind of threat is taking shape. It’s not about ransomware or credit card theft. It’s not even about spying in the traditional sense. What we’re seeing is something deeper, more calculated – and more dangerous.

China’s state-backed hacking groups are no longer just gathering intelligence. They are positioning themselves inside the networks that keep the modern world running.[1] And when the time comes, they’re ready to switch everything off. Over the past year, two of Beijing’s most aggressive cyber actors – Volt Typhoon and Salt Typhoon – have ramped up operations targeting critical infrastructure. Their campaigns, uncovered by Microsoft and confirmed by U.S. intelligence agencies, have shown a level of stealth and persistence that should set off alarms across capitals and boardrooms alike.

Volt Typhoon, in particular, is known for its “living off the land” tactics – using built-in system tools and stolen credentials to remain undetected while moving laterally through networks.[2] Its targets span a wide range: energy grids, maritime logistics hubs, water utilities, and transport networks. These are not opportunistic hacks. They are slow-moving, long-term infiltrations designed to give China the ability to cause disruption during a crisis.[3]

Salt Typhoon, meanwhile, has taken aim at telecommunications infrastructure. In late 2024, the group reportedly gained access to U.S. telecom networks, extracting sensitive call logs, geolocation data, and potentially even the content of conversations.[4] According to security analysts, the breaches were so precise and widespread that the full scope of the damage is still not known.[5]

And this isn’t just an American problem.

Most recently, Chinese-linked hackers were blamed for cyberattacks against Indian government cloud infrastructure during a military standoff near the border.[6] In Taiwan, a group known as Flax Typhoon has continued its campaign against public agencies, aiming to weaken government systems from the inside out.[7]

In each case, the strategy appears consistent: gain access, stay hidden, and wait.

What makes this trend particularly alarming is the global nature of modern infrastructure. A breach in one country often leads to exposure in many others. European telecoms, energy firms, and logistics companies are deeply connected to their U.S. counterparts. That makes them easy targets – and potential pawns.

Meanwhile, attackers move faster than most firms can react. Part of the challenge is technological. Much of today’s infrastructure is built on legacy systems – industrial control units, smart sensors, routers – that were never designed with cybersecurity in mind.[8] Many of these devices operate with minimal visibility. They can’t be scanned or monitored in real time. They don’t support modern encryption. In practice, this gives attackers the perfect cover.

Volt Typhoon has taken full advantage of these blind spots. The group has been observed using common command-line tools to collect data and maintain access for months at a time. It hides traffic by bouncing it through compromised home and office routers, making it nearly impossible to trace in real time.

Artificial intelligence may be dominating cybersecurity headlines, but what China is doing right now doesn’t require any futuristic tech. The tools are familiar. What’s changed is the scale, the patience – and the ambition.[9]

For governments and companies alike, the implications are serious. Who should take the lead in building a sustainable, comprehensive network for resilience remains an open question.[10] The stakes are no longer just data breaches or embarrassing leaks. The stakes are electricity grids, water supplies, public transport, emergency communications.[11] And in a geopolitical crisis, the difference between operational infrastructure and total shutdown could come down to whether an adversary has already mapped your system.

The response must match the threat.

Across Europe, regulators are beginning to take cybersecurity more seriously, pushing for stricter standards across critical industries. But implementation is uneven, and too often focused on compliance rather than resilience.[12] A more forward-leaning approach is needed – one that treats network monitoring, anomaly detection, and incident response not as add-ons, but as core business functions.[13] That means real-time monitoring tools capable of flagging the kinds of subtle anomalies that state-backed actors depend on. It means baking cybersecurity into procurement processes, especially for suppliers and contractors. And it means sharing threat intelligence between private companies and public agencies – not just during a crisis, but every day.
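As an added illustration (not code from the original post), the following Python sketch shows the kind of anomaly check the paragraph above calls for against the living-off-the-land tactic described earlier: because the intruder runs tools that are already on the host, a signature for malware finds nothing, so the detector instead baselines which built-in tools each host normally runs and flags a watchlisted tool appearing on a host with no history of it. The log format, host names and tool watchlist are constructed assumptions for this example.

```python
# Baseline-and-deviation check for living-off-the-land tool use.
# Added example with constructed data: the log format, host names and
# tool watchlist are assumptions, not observations from the post above.
from collections import defaultdict

# Built-in Windows administration tools an intruder can use without dropping
# malware. Illustrative watchlist; a real deployment tunes it per environment.
LOTL_WATCHLIST = {"ntdsutil.exe", "netsh.exe", "wmic.exe", "powershell.exe"}

def parse_event(line):
    # Constructed log line format: "<timestamp> host=<h> user=<u> image=<path>"
    # (values contain no spaces, so whitespace splitting is safe here).
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "host": fields["host"], "user": fields["user"],
            # keep only the executable name, case-folded, for matching
            "image": fields["image"].rsplit("\\", 1)[-1].lower()}

def build_baseline(lines):
    """Map each host to the set of executables it ran during a trusted period."""
    seen = defaultdict(set)
    for ev in map(parse_event, lines):
        seen[ev["host"]].add(ev["image"])
    return seen

def detect(baseline, lines):
    """Flag watchlisted tools on hosts that never ran them in the baseline."""
    alerts = []
    for ev in map(parse_event, lines):
        known = baseline.get(ev["host"], set())
        if ev["image"] in LOTL_WATCHLIST and ev["image"] not in known:
            alerts.append((ev["ts"], ev["host"], ev["user"], ev["image"]))
    return alerts

# Constructed sample: an admin workstation legitimately uses netsh/wmic; an
# operator HMI and a domain controller never run these tools in the baseline.
BASELINE_LOG = [
    "2025-05-01T08:00:00Z host=admin-ws01 user=CORP\\itadmin image=C:\\Windows\\System32\\netsh.exe",
    "2025-05-01T08:05:00Z host=admin-ws01 user=CORP\\itadmin image=C:\\Windows\\System32\\wbem\\WMIC.exe",
    "2025-05-01T09:00:00Z host=hmi-ops03 user=CORP\\operator image=C:\\Vendor\\hmi.exe",
]
CURRENT_LOG = [
    "2025-05-14T02:13:00Z host=admin-ws01 user=CORP\\itadmin image=C:\\Windows\\System32\\netsh.exe",
    "2025-05-14T02:14:00Z host=hmi-ops03 user=CORP\\operator image=C:\\Windows\\System32\\wbem\\WMIC.exe",
    "2025-05-14T02:16:00Z host=dc01 user=CORP\\svc-backup image=C:\\Windows\\System32\\ntdsutil.exe",
]

def run_example():
    return detect(build_baseline(BASELINE_LOG), CURRENT_LOG)

if __name__ == "__main__":
    for alert in run_example():
        print("ALERT", *alert)
```

The admin workstation's own netsh use stays silent while the same tool on an operator host, or a directory tool on a host with no baseline at all, is raised; that per-host deviation is what makes a malware-free intrusion visible.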

Most importantly, it means rethinking what it means to be “secure”.

The lesson of Volt Typhoon is that perimeter defences don’t work against actors who are already inside. The lesson of Salt Typhoon is that telecommunications networks – long considered neutral carriers of information – are now front-line targets in strategic cyber conflict. If boards and policymakers treat these threats as abstract or future problems, they will be caught flat-footed. The only question now is how long it will take for these digital infiltrations to move from dormant threat to active disruption.


[1] Georgiev, G., Petrova, V. and Tsabala, K., Breaking the Code: Russian and Chinese Disinformation and Illicit Financial Flows in Southeast Europe, Sofia: CSD, 2023.

[2] Microsoft Threat Intelligence, Volt Typhoon targets US critical infrastructure with living-off-the-land techniques, May 2023.

[3] Cybersecurity and Infrastructure Security Agency (CISA), NSA, FBI Joint Advisory, People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, May 2023.

[4] Politico, "Chinese hackers used broad telco access to geolocate millions of Americans and record phone calls", 27 December 2024.

[5] US Department of State, U.S. Takes Action Against PRC-Linked Cyber Actors for Treasury Hack and Salt Typhoon, January 2025.

[6] The Times of India, "Operation Sindoor: Govt digital infrastructure faced 75% of cyber attacks", 14 May 2025.

[7] Indo-Pacific Defense Forum, "Taiwan bolstering cybersecurity infrastructure against China-backed hackers", 7 May 2025.

[8] Tantkleff, A., Misakian, A. and Taylor, C., Cybersecurity in the Age of Industry 4.0, September 2024.

[9] Sabev, M., Georgiev, G. and McLaren, R., Safeguarding the Foundations: Strengthening Civil Security in Bulgaria, Montenegro, North Macedonia and Serbia, Sofia: CSD, 2024.

[10] Marotta, A. and Madnick, S., Analyzing the Interplay Between Regulatory Compliance and Cybersecurity, Massachusetts Institute of Technology, Cambridge, MA, January 2020.

[11] FORTA, Navigating Industrial Cybersecurity: A Field Guide.

[12] Kraemer, M., The State of NIS2: A Fragmented Implementation Across the EU, April 2025.

[13] Comunale, T. and Rusev, A., Cybercrime and Businesses, Sofia: CSD, 2023.
