Typhoon In The Fifth Domain: China's Evolving Cyber Strategy

A comprehensive report by cybersecurity firm Cyfirma has shed light on the transformation of China's cyber operations, highlighting a shift from economic espionage to sophisticated, politically motivated campaigns that threaten global security. 

Published on the firm's blog, the analysis examines landmark operations like Salt Typhoon and Volt Typhoon, underscoring China's ambition to dominate cyberspace amid escalating geopolitical tensions.

The report warns that these campaigns exploit weaknesses in Western infrastructure, particularly in the United States, and calls for urgent reforms to counter the growing threat.

From Espionage To Strategic Dominance

China's cyber activities have undergone a profound evolution over recent decades, according to the report. In the initial phase, from the early digital era to around 2013, operations focused primarily on economic espionage.

Chinese actors exploited weaknesses in Western corporate and government systems to pilfer intellectual property and sensitive data, bolstering the nation's industrial and technological growth.

The turning point came between 2013 and 2020, under President Xi Jinping's leadership. This period saw a centralisation of cyber capabilities, with the establishment of the Cyberspace Administration of China and streamlined military commands. Key events included the breach of the U.S. Office of Personnel Management, disclosed in 2015, which compromised the records of over 20 million people, and Edward Snowden's 2013 revelations about American surveillance programmes. The Snowden disclosures were a "Sputnik moment" for China, accelerating initiatives such as "Made in China 2025" aimed at technological self-reliance.

Since 2020, the strategy has pivoted to politically and militarily driven operations. The report describes this as a move towards disruption and deterrence, exemplified by campaigns designed to undermine adversaries in potential conflicts, such as over Taiwan. This phase reflects China's doctrine of "active defence," emphasising pre-emptive actions to neutralise threats before they materialise.

The Salt Typhoon Campaign: A Global Surveillance Operation

One of the report's focal points is the Salt Typhoon campaign, publicly disclosed in 2024. Attributed to Chinese state-sponsored actors, the operation infiltrated telecommunications networks in over 80 countries, with a particular emphasis on the United States. The intruders compromised major U.S. carriers, gaining access to call records, private messages and geolocation data. They relied on "living off the land" techniques: rather than deploying custom malware, they used the carriers' own administrative tools and valid credentials to maintain persistent, undetected access and to move laterally across networks, so that their activity blended in with routine operations.
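The paragraph above describes living off the land only in terms of its outcome. As an added example, not code from the Cyfirma report or from this article, the following Python sketches one way a defender can surface that tradecraft in session or process telemetry: it learns which (account, source host, tool) combinations are normal during a known-good period, then alerts when a valid account drives a legitimate remote-administration tool from a source host it has never used and fans out to several destinations in a short burst. The tool list, the thresholds, the host and account names and the log lines themselves are constructed assumptions for illustration, not telemetry from any real carrier.

```python
# Added example (not from the Cyfirma report or this article): flag
# living-off-the-land lateral movement, where a valid account drives a
# legitimate remote-admin tool from a host it has never used before and
# fans out to several systems in a short burst.
from collections import defaultdict
from datetime import datetime, timedelta

# Tools that are legitimate on their own; LOTL tradecraft reuses exactly
# these instead of dropping custom malware. Assumed list, extend per estate.
REMOTE_ADMIN_TOOLS = {"ssh", "psexec", "wmic", "winrm", "net"}

# Constructed telemetry with hypothetical host and account names.
# Fields: ISO timestamp, source host, account, tool, destination host.
BASELINE_LOG = """\
2024-03-01T09:00:00 jump01 ops.alice ssh core-rtr-1
2024-03-01T09:05:00 jump01 ops.alice ssh core-rtr-2
2024-03-02T10:00:00 jump01 ops.alice ssh core-rtr-1
2024-03-02T14:30:00 admin-ws bob.admin psexec fileserv-1
"""

DETECT_LOG = """\
2024-03-10T09:10:00 jump01 ops.alice ssh core-rtr-1
2024-03-10T02:01:00 hr-ws-17 ops.alice ssh core-rtr-1
2024-03-10T02:03:00 hr-ws-17 ops.alice ssh core-rtr-2
2024-03-10T02:04:00 hr-ws-17 ops.alice ssh lawful-intercept-gw
2024-03-10T02:06:00 hr-ws-17 ops.alice ssh cdr-db-1
2024-03-10T15:00:00 admin-ws bob.admin psexec fileserv-1
"""


def parse(log):
    """Parse the whitespace-separated log into time-ordered
    (timestamp, source host, account, tool, destination host) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, src, user, tool, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, user, tool, dst))
    return sorted(events)


def build_baseline(events):
    """Set of (account, source host, tool) triples seen in a known-good period."""
    return {(user, src, tool) for _, src, user, tool, _ in events}


def _session_alert(user, src, tool, session, fan_out):
    """Turn one burst of activity into an alert if it reached enough targets."""
    targets = sorted({dst for _, dst in session})
    if len(targets) < fan_out:
        return []
    return [{
        "user": user, "src": src, "tool": tool, "targets": targets,
        "first": session[0][0].isoformat(), "last": session[-1][0].isoformat(),
    }]


def detect_lotl_fanout(events, baseline, gap=timedelta(minutes=15), fan_out=3):
    """Alert when an off-baseline (account, host, tool) combination reaches
    fan_out or more distinct destinations with no pause longer than gap."""
    by_actor = defaultdict(list)
    for ts, src, user, tool, dst in events:
        if tool in REMOTE_ADMIN_TOOLS and (user, src, tool) not in baseline:
            by_actor[(user, src, tool)].append((ts, dst))

    alerts = []
    for (user, src, tool), hits in by_actor.items():
        hits.sort()
        session = [hits[0]]
        for prev, cur in zip(hits, hits[1:]):
            if cur[0] - prev[0] <= gap:
                session.append(cur)
            else:
                alerts.extend(_session_alert(user, src, tool, session, fan_out))
                session = [cur]
        alerts.extend(_session_alert(user, src, tool, session, fan_out))
    return alerts


def run_example():
    """Baseline on the known-good log, then hunt in the later log."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect_lotl_fanout(parse(DETECT_LOG), baseline)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['user']}@{a['src']} via {a['tool']} -> {', '.join(a['targets'])} "
              f"between {a['first']} and {a['last']}")
```

In the constructed data, ops.alice's routine SSH sessions from the jump host are ignored because they match the baseline, while the same account driving SSH from an HR workstation to four systems in five minutes is flagged. The same logic produces false positives when an administrator legitimately starts working from a new laptop, so the baseline has to be maintained and paired with an allowlist; on carrier infrastructure the equivalent signal is router and switch CLI sessions and configuration changes from unexpected sources rather than Windows tools.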

Described as a "Snowden-level" breach, Salt Typhoon targeted outdated infrastructure and exploited stolen credentials. The FBI called it one of the most consequential cyber breaches in U.S. history and notified approximately 600 companies that they were at risk through vulnerable network equipment or commercial ties to affected carriers. Responses from affected firms varied: Verizon said it had contained the intrusion, AT&T reported that only a small number of targets were affected, and T-Mobile said it had prevented exfiltration of customer data. The campaign's global scope enabled mass surveillance and raised alarm that the systems carriers use to fulfil lawful-intercept (wiretap) requests were compromised, potentially giving China insight into U.S. investigative methods.

Volt Typhoon: Embedding Digital Threats In Critical Infrastructure

Equally alarming is the Volt Typhoon operation, first publicly reported in 2023 and detailed in a 2024 joint advisory, which the report links to the People's Liberation Army. This military-led effort pre-positioned "digital booby traps" in U.S. critical infrastructure sectors, including manufacturing, utilities, transportation, construction, maritime operations, information technology, education and government services. The implants and the tradecraft around them were designed to blend into normal network and administrative activity, evading detection while positioning the actors for sabotage during a crisis.

Targets encompassed water treatment plants, power grids and transportation hubs, dual-use assets whose disruption would affect both civilian life and military mobilisation. U.S. officials, backed by Five Eyes intelligence allies, view these implants as strategic tools capable of causing widespread harm, akin to multiple simultaneous ransomware attacks but with no financial demand. FBI Director Christopher Wray testified before Congress in January 2024 about the potential for "real-world harm", noting that disruptions could halt hospital functions, ammunition production or the movement of reinforcements in the Pacific. In a Taiwan scenario, such actions could delay U.S. intervention by triggering cascading failures, deterring involvement by raising its domestic cost.

Structural Asymmetries In Cyber Defence

The report attributes the success of these campaigns to fundamental differences in cyber defence models. China's authoritarian system features the Great Firewall, which the report characterises as a robust mechanism for censorship and protection that screens malicious traffic and shields state-controlled infrastructure. This integrated approach, in the report's view, lets China conduct aggressive offensive operations with little fear of reprisal in kind.

In contrast, the U.S. relies on a decentralised, privately managed framework involving thousands of entities with inconsistent cybersecurity standards.

Small utilities often run outdated systems with default passwords, while constitutional protections such as the Fourth Amendment restrict government monitoring of private networks. Federal mandates introduced from 2021 for pipelines, and later proposed for water utilities, aimed to raise the floor, but legal challenges have delayed or reversed implementation. Efforts to remove Chinese-manufactured equipment from U.S. networks, backed by roughly $3 billion in federal funding, address only part of the problem: Western-made systems carry vulnerabilities of their own, and much of the installed base is obsolete regardless of origin.

Geopolitical Impact

The implications extend beyond immediate security risks. Salt Typhoon's surveillance capabilities could compromise sensitive U.S. operations and personal data, while Volt Typhoon threatens societal resilience by targeting essential services. Globally, these operations enhance China's intelligence gathering, building profiles for geopolitical leverage across continents.

Attribution remains contested: the campaigns are covert, and China denies involvement, arguing that the evidence presented is insufficient. The 2015 Obama-Xi agreement, under which both sides pledged not to conduct cyber-enabled theft of intellectual property for commercial gain, failed to halt activity, as the 2023 Microsoft intrusion (Storm-0558's theft of a signing key used to forge access to cloud email accounts) demonstrated. This asymmetry challenges Western norms, potentially reshaping international cyber standards and exposing open societies to persistent threats.

Resilience & Reform

In conclusion, the Cyfirma report portrays Salt Typhoon and Volt Typhoon as markers of China's shift to operations that threaten critical infrastructure and global stability. By exploiting the fragmented defensive framework of the United States, China aims to dominate the "fifth domain" of cyberspace.

Western nations must foster public-private partnerships, international collaboration, and investments in resilient systems to mitigate these risks and preserve open societies in an era of intensifying cyber rivalry.
