[Salon] How Chinese Hackers Graduated From Clumsy Corporate Thieves to Military Weapons




Massive ‘Typhoon’ cyberattacks on U.S. infrastructure and telecoms sought to lay groundwork for potential conflict with Beijing, as intruders gathered data and got in position to impede response and sow chaos

Alexandra Citrin-Safadi/WSJ
Jan. 4, 2025

The message from President Biden’s national security adviser was startling.

Chinese hackers had gained the ability to shut down dozens of U.S. ports, power grids and other infrastructure targets at will, Jake Sullivan told telecommunications and technology executives at a secret meeting at the White House in the fall of 2023, according to people familiar with it. The attack could threaten lives, and the government needed the companies’ help to root out the intruders. 

What no one at the briefing knew, including Sullivan: China’s hackers were already working their way deep inside U.S. telecom networks, too. 

The two massive hacking operations have upended the West’s understanding of what Beijing wants, while revealing the astonishing skill level and stealth of its keyboard warriors—once seen as the cyber equivalent of noisy, drunken burglars.

China’s hackers were once thought to be interested chiefly in business secrets and huge sets of private consumer data. But the latest hacks make clear they are now soldiers on the front lines of potential geopolitical conflict between the U.S. and China, in which cyberwarfare tools are expected to be powerful weapons. 

U.S. computer networks are a “key battlefield in any future conflict” with China, said Brandon Wales, a former top U.S. cybersecurity official at the Department of Homeland Security, who closely tracked China’s hacking operations against American infrastructure. He said prepositioning and intelligence collection by the hackers “are designed to ensure they prevail by keeping the U.S. from projecting power, and inducing chaos at home.” 

As China increasingly threatens Taiwan, working toward what Western intelligence officials see as a target of being ready to invade by 2027, the U.S. could be pulled into the fray as the island’s most important backer. Other friction between Washington and Beijing has intensified in recent years, with President-elect Donald Trump threatening a sharp trade war and China building a tighter alliance with Russia. Top U.S. officials in both parties have warned that China is the greatest danger to American security.

National security adviser Jake Sullivan at the White House in October, top. Russian President Vladimir Putin and Chinese leader Xi Jinping in Beijing in May. Kent Nishimura/Getty Images, Sergei BOBYLYOV/AFP/Getty Images

In the infrastructure attacks, which began at least as early as 2019 and are still taking place, hackers connected to China’s military embedded themselves in arenas that spies usually ignored, including a water utility in Hawaii, a port in Houston and an oil-and-gas processing facility. 

Investigators, both at the Federal Bureau of Investigation and in the private sector, found the hackers lurked, sometimes for years, periodically testing access. At a regional airport, investigators found the hackers had secured access, and then returned every six months to make sure they could still get in. Hackers spent at least nine months in the network of a water-treatment system, moving into an adjacent server to study the operations of the plant. At a utility in Los Angeles, the hackers searched for material about how the utility would respond in the event of an emergency or crisis. The precise location and other details of the infrastructure victims are closely guarded secrets, and couldn’t be fully determined.

American security officials said they believe the infrastructure intrusions—carried out by a group dubbed Volt Typhoon—are at least in part aimed at disrupting Pacific military supply lines and otherwise impeding America’s ability to respond to a future conflict with China, including over a potential invasion of Taiwan.

In the separate telecom attacks, which started in mid-2023 or earlier and were first reported by The Wall Street Journal in September, a hacking group—this one known as Salt Typhoon—linked to Chinese intelligence burrowed into U.S. wireless networks as well as systems used for court-appointed surveillance.

They were able to access data from over a million users, and snapped up audio from senior government officials, including some calls involving Trump, reached by accessing the phone lines of people whose phones he used. They also targeted people involved in Vice President Kamala Harris’s presidential campaign. 

They were also able to swipe from Verizon and AT&T a list of individuals the U.S. government was surveilling in recent months under court order, which included suspected Chinese agents. 

A ceremony at Chiang Kai-shek Memorial Hall in Taipei in October. Photo: Tyrone Siu/Reuters

The intruders used known software flaws that had been publicly warned about but hadn’t been patched. Investigators said they were still probing the full scope of the attack. 

Lawmakers and officials given classified briefings in recent weeks told the Journal they were shocked at the depth of the intrusions and at how hard the hacks may be to resolve, and some telecom company leaders said they were blindsided by the attack’s scope and severity. 

“They were very careful about their techniques,” said Anne Neuberger, President Biden’s deputy national security adviser for cybersecurity. In some cases hackers erased cybersecurity logs, and in others the victim companies didn’t keep adequate logs, meaning there were details “we will never know regarding the scope and scale of this,” she said.

Liu Pengyu, the spokesman for the Chinese embassy in Washington, accused the U.S. of peddling disinformation about threats from Chinese hackers to advance its geopolitical ambitions. Chinese leader Xi Jinping told President Biden during their meeting in Peru in November that there was no evidence to support the allegations, he said.

“Some in the U.S. seem to be enthusiastic about creating various types of ‘typhoons,’” the spokesman said, referring to the names assigned to the hacking groups. “The U.S. needs to stop its own cyberattacks against other countries and refrain from using cybersecurity to smear and slander China.”

Verizon said a small number of high-profile customers in government and politics were specifically targeted by the threat actor and that those people had been notified. “After considerable work addressing this incident, we can report that Verizon has contained the activities associated with this particular incident,” said Vandana Venkatesh, chief legal officer at Verizon.

An AT&T spokeswoman said the company detected “no activity by nation-state actors in our networks at this time,” adding that the Chinese government targeted a “small number of individuals of foreign intelligence interest” and that affected customers were notified in cooperation with law enforcement.

‘Shocking how exposed we are’

Some national security officials involved in the investigation said they believe the telecom hack is so severe, and the networks so compromised, that the U.S. may never be able to say with certainty that the Chinese hackers have been fully rooted out. 

Several senior lawmakers and U.S. officials have switched from making traditional cellphone calls and texts to using encrypted apps such as Signal, for fear that China may be listening in. Federal law-enforcement officials have told state and local law enforcement to do the same. (Federal agents already use their own encrypted systems for classified work.)  

An AT&T store in New York. Hackers attacked the company’s network. Photo: Gabby Jones/Bloomberg News

In late December, in response to the Salt Typhoon campaign, federal cybersecurity officials published new guidance recommending the public use end-to-end encryption for communications, and said text-based multifactor authentication for account logins should be avoided in favor of app-based methods. 

U.S. officials have warned for more than a decade about fast-evolving threats in cyberspace, from ransomware hackers locking computers and demanding payments to state-directed thefts of valuable corporate secrets. They also raised concerns about the use of Chinese equipment, including from telecom giants Huawei and ZTE, arguing they could open a back door to unfettered spying. In December, the Journal reported that U.S. authorities are investigating whether the popular home-internet routers made by China’s TP-Link, which have been linked to cyberattacks, pose a national-security risk.

But Beijing didn’t need to leverage Chinese equipment to accomplish most of its goals in the massive infrastructure and telecom attacks, according to U.S. officials and others familiar with the investigation. In both hacks, China exploited a range of aging telecom equipment that U.S. companies have trusted for decades.

In the telecom attacks, the hackers exploited unpatched network devices from security vendor Fortinet and compromised large network routers from Cisco Systems. In at least one case, they took control of a high-level network management account that wasn’t protected by multifactor authentication, a basic safeguard. 

That granted them access to more than 100,000 routers from which they could further their attack—a serious lapse that may have allowed the hackers to copy traffic back to China and delete their own digital tracks.

The router hijacking took place within AT&T’s networks, a person familiar with the matter said. 

AT&T declined to comment on the router attack. Cisco and Fortinet declined to comment.

In December, Neuberger said the number of U.S. telecom victims had grown to nine, and that there could be more.

In addition to deep intrusions into AT&T and Verizon, hackers pierced other networks belonging to Lumen Technologies and T-Mobile. The Chinese hackers also reached into Charter Communications, Consolidated Communications and Windstream, according to people familiar with the matter.

Lumen said it no longer sees evidence of the attackers in its network and that no customer data was accessed. T-Mobile said it stopped recent attempts to infiltrate its systems from advancing and protected sensitive customer information from being accessed.

Some U.S. officials, including Neuberger, have said the hack underscores the need for baseline cybersecurity requirements for the telecom industry. The Biden administration created such mandates through executive actions for pipelines, railways and the aviation industry.

“Cyberspace is a fiercely contested battlefield,” said Sullivan, the national security adviser. “We…have made considerable progress, but serious vulnerabilities remain in sectors where we don’t have mandatory cybersecurity requirements.”

Sen. Dan Sullivan (R., Alaska), during a congressional hearing in December, said “It’s shocking how exposed we are, and still are.” He described a recent classified briefing on the telecom hacks as “breathtaking.”

The infrastructure hacks also alarmed officials. In April, during a five-hour session with his Chinese counterpart in Beijing, U.S. Secretary of State Antony Blinken said China’s attacks on physical infrastructure were concerning, dangerous and escalatory, people familiar with the encounter said.  

Flanked by aides at a long table with pots of tea and water, China’s Foreign Minister Wang Yi shrugged and called the allegations a phantom concocted by the U.S. to increase support for military spending.

Secretary of State Antony Blinken, top, and China's Foreign Minister Wang Yi at a meeting in Beijing in April. MARK SCHIEFELBEIN/AFP/Getty Images

In another meeting later that week, other U.S. officials presented evidence linking the intrusions to China-based IP addresses. The Chinese officials said they would look at it and get back to the Americans, but never substantively did, U.S. officials familiar with the interactions said.   

This account of the two devastating cyberattacks is based on interviews with around 50 national security, law enforcement and private-sector officials. Many of the details have never been reported. 

Port attack

The first shot that revealed the new cyberwar came midmorning on Aug. 19, 2021, when Chinese hackers gained a foothold in the digital underpinnings of one of America’s largest ports in just 31 seconds.

At the Port of Houston, an intruder acting like an engineer from one of the port’s software vendors entered a server designed to let employees reset their passwords from home. The hackers managed to download an encrypted set of passwords from all the port’s staff before the port recognized the threat and cut off the password server from its network.

Afterward, the port’s cybersecurity chief, Chris Wolski, called the Coast Guard, which has authority over U.S. ports, to notify it of the attack: “It looks like we have a problem.”

The Houston port neutralized the threat, but unfettered access to the port’s passwords could have given hackers the ability to move around in internal networks and find places to hide until they wanted to act. They could have eventually been in position to disrupt or halt operations, according to investigators.  

The attack on the port—which at that time had only recently upgraded from basic antivirus software and from just one IT employee working part time on cybersecurity—was a crucial early tip to U.S. officials that China was going after targets that didn’t house corporate or government secrets, and was using novel ways to get in.

The FBI found the intrusion relied on a previously unknown flaw in the password software.

A group of Microsoft analysts determined that the same hacking group had used the flaw in the software, which came from another company, to also target consulting services and IT companies. The analysts also spotted the hackers targeting networks in Guam, the U.S. territory in the Pacific that is home to a key American naval base, where the intruders had breached a communications provider.

The Redmond, Wash., team prowls for security threats, using billions of signals that come from security features built into Microsoft products, including Office 365, the Windows operating system and the Azure cloud.  

The intruders started showing up in other surprising places, from the Hawaii water utility and a West Coast port, to sectors including manufacturing, education and construction, according to U.S. officials and researchers at cyber-threat firms.  

The Port of Houston in September. Photo: Brandon Bell/Getty Images

Microsoft analysts realized they were seeing novel behavior from China, with a host of Chinese hackers inside critical infrastructure, which appeared to have little espionage or commercial value, at the same time. 

Tom Burt, until recently Microsoft’s vice president for customer trust and safety, said in an interview the company’s threat researchers identified commonalities in the tradecraft and victim targeting that helped link the attacks to a common hacking group. “And that all builds up to, oh, OK, we know this is a new actor group in China,” he said. 

With the information from Microsoft and other intelligence streams, federal agents fanned out across the U.S. to investigate, and throughout 2022 and ’23 heard a similar story at visits to more than a dozen sites. The victims had mediocre cybersecurity, and some had no idea they had even been breached. The hackers generally weren’t installing malware or stealing data such as trade or government secrets or private information—they were just trying to get in and learn the system.

Using old routers

In previous cases, FBI agents could often trace hackers once they found the servers in the U.S. they were renting for their attacks. 

This time, the hackers were getting in via a type of router used by small and home offices, which disguised the intrusions as legitimate U.S. traffic. 

A Cisco display at a telecom event in Barcelona in 2023. Photo: Jordi Boixareu/ZUMA PRESS

The routers, largely built by Cisco and Netgear, were vulnerable to attack because they were so old they were no longer receiving routine security updates from their manufacturers. Once in the hackers’ control, the routers functioned as steppingstones to other victims, without raising alarms because the incursions looked like routine traffic. Netgear declined to comment.
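A practical consequence of this, and of the return-every-six-months pattern described earlier, is that blocking foreign or data-center source addresses does little when the operator arrives through a compromised home router on a U.S. ISP; the useful signals are behavioral. The following added example (not code from the article, the FBI or any vendor) runs two such checks over constructed sample authentication log lines: an account whose successful logins arrive from many unrelated source addresses within a day, as a proxied operator rotating through hijacked routers would, and an account that reappears after months of silence. The log format, account names and addresses are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Hypothetical single-line auth log format; adapt the regex to the real source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+) result=(?P<result>\w+)$"
)

# Constructed sample log lines (not real data). "netops-svc" logs in from five
# unrelated addresses in one day; "hmi-admin" is silent for six months, then returns.
SAMPLE_LOG = """\
2023-05-01T02:11:04Z auth user=netops-svc src=73.45.12.9 result=success
2023-05-01T02:40:51Z auth user=netops-svc src=98.120.7.66 result=success
2023-05-01T03:02:19Z auth user=netops-svc src=174.61.200.14 result=success
2023-05-01T09:15:00Z auth user=netops-svc src=24.9.88.130 result=success
2023-05-01T21:48:33Z auth user=netops-svc src=67.188.3.250 result=success
2023-05-01T08:00:00Z auth user=jsmith src=10.20.30.40 result=success
2023-05-02T08:01:00Z auth user=jsmith src=10.20.30.40 result=success
2023-05-01T05:00:00Z auth user=hmi-admin src=10.1.1.7 result=success
2023-11-03T04:12:48Z auth user=hmi-admin src=99.45.209.18 result=success
"""


def parse_auth_log(text: str) -> List[dict]:
    """Parse log lines into events sorted by time; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "success",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def ip_churn(events: List[dict], window: timedelta = timedelta(hours=24), threshold: int = 4) -> Dict[str, int]:
    """Flag accounts whose successful logins use >= threshold distinct source IPs inside any window."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    flagged: Dict[str, int] = {}
    for user, evs in by_user.items():
        worst, start = 0, 0
        for end in range(len(evs)):  # sliding window over time-sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            worst = max(worst, len({e["src"] for e in evs[start:end + 1]}))
        if worst >= threshold:
            flagged[user] = worst
    return flagged


def dormant_reactivation(events: List[dict], min_gap: timedelta = timedelta(days=150)) -> Dict[str, int]:
    """Flag accounts that log in successfully after at least min_gap of inactivity; value is the gap in days."""
    last_seen: Dict[str, datetime] = {}
    flagged: Dict[str, int] = {}
    for e in events:
        if not e["ok"]:
            continue
        prev = last_seen.get(e["user"])
        if prev is not None and e["ts"] - prev >= min_gap:
            flagged[e["user"]] = (e["ts"] - prev).days
        last_seen[e["user"]] = e["ts"]
    return flagged


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print(ip_churn(evs))              # {'netops-svc': 5}
    print(dormant_reactivation(evs))  # {'hmi-admin': 185}
```

Both checks depend on the logs existing and being retained for longer than the attacker's revisit interval; a six-month dormancy check is useless against a 90-day retention policy, which is the gap the later remark about inadequate logging points at.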

Separately, analysts at the National Security Agency had observed that Beijing was starting to lay the cyber groundwork for a potential Taiwan invasion, including in the U.S., according to current and former U.S. officials familiar with the analysis. The information helped bring the new infrastructure hacking activity into focus, showing investigators a bigger picture. 

American officials shared with allies data on the infrastructure intrusions, Western security officials said. 

The focus on Guam and West Coast targets suggested to many senior national-security officials across several Biden administration agencies that the hackers were focused on Taiwan, and doing everything they could to slow a U.S. response in a potential Chinese invasion, buying Beijing precious days to complete a takeover even before U.S. support could arrive. 

Other targets gave analysts pause. One was a small air-traffic control facility on the West Coast, others were water-treatment plants. Those choices suggested the hackers were looking for ways to inflict pain on American civilians, including by scrambling plane routes or shutting off local water-treatment facilities, according to officials familiar with the discussions. 

At the NSA, deputy director George Barnes wondered in late 2022 and early 2023 if Beijing’s plan was for the hackers to be found out, intimidating the U.S. into staying out of a potential conflict in Taiwan, he said in an interview. 

After Taiwan itself, the U.S. “would be target zero” for disruptive cyberattacks in the event of a conflict over the island, said Barnes, who left the NSA in late 2023 after decades at the spy agency. 

George Barnes, deputy director of the NSA at the time, testified in the Senate in 2023. Photo: Michael Brochstein/Zuma Press

By the end of 2023, the FBI had amassed enough information to identify hundreds of the small office routers commandeered by the hackers. Prosecutors asked a judge for authorization to go into the routers remotely and issue a command to neutralize the malware—essentially going into the homes of unsuspecting American victims, who had bought the routers years ago and had no idea their Wi-Fi network was secretly being used as a launchpad for an attack.

In January 2024, a judge approved the request, and the FBI carried out the operation, defanging one of the hackers’ important tools.

Telecom attack

At least several months earlier, a separate group of hackers linked to China had begun a different domestic attack—this time, an all-out assault on U.S. communications systems.

In the summer of 2024, some of the same companies whose executives had visited the White House in the fall of 2023 were told by U.S. officials that a group linked to China’s intelligence operations in the Ministry of State Security had crept into their networks. 

The intruders exploited pathways that telecom companies use to hand data off to each other through links that often lack multifactor authentication. Such extra layers of protection, akin to what many consumers use to log in to bank accounts, don’t always exist between telecom providers in part because the barriers can slow down phone call and web traffic. 

The hackers were also able to compromise cellphone lines used by scores of senior U.S. national security and policy officials, and at least some phone audio from Trump, incoming Vice President JD Vance and people affiliated with both the Trump and Harris presidential campaigns. 

Separately, the hackers sought to access wiretap surveillance systems at Verizon and AT&T in an apparent effort to learn how much the FBI and others understood about Beijing’s spies operating in the U.S. and internationally, investigators said.   

They remain unsure whether Salt Typhoon actors were able to funnel real-time content, such as calls or texts from people under law-enforcement surveillance, from the wiretap breaches back to China. 

The White House in December. Photo: Tom Brenner/Getty Images

The hackers maintained access to the surveillance systems for a long time without detection. At one company they were inside for about six months; at the other, for about 18 months, according to investigators. Hackers were still inside the wiretap systems of both companies as of October, weeks after the Journal first publicly exposed the intrusions. U.S. officials believe the hackers are now out of the wiretap systems.

After the Journal’s first reports, the hackers changed their behavior, further complicating efforts to locate and evict them, according to investigators. 

This fall, a group of Verizon leaders and cybersecurity experts hunkered down in closed sessions in Texas to spot intruders, study their behavior and determine how to oust them. The carrier has since reviewed each router in its network to check for vulnerabilities. 

Investigators learned that the hackers at times lurked, simply observing network traffic, and in other cases swiped it, exfiltrating their haul through elaborate paths around the globe before funneling it to China. They were expert at creating footholds from which they could observe network traffic. They would, for example, behave the way network engineers might and then cover up their tracks.

The hackers’ focus was in part regional: Phone records of individuals who work in and around Washington, D.C., were a priority. They accessed call detail records—including date and time stamps, source and destination IP addresses, phone numbers and unique phone identifiers—from over a million users.

“We saw a massive set of data acquired,” an FBI official familiar with the investigation said.

The relationship between the private sector and federal officials investigating the hack has at times grown tense, with each side saying the other is falling short in their responsibilities. Some lawmakers have grown impatient with the time it has taken to expel the hackers. 

Shortly before Thanksgiving, Sullivan, the national security adviser, again convened top executives from telecommunications firms—many of the same ones he called together roughly a year earlier to get help on the infrastructure hacks. This time, the telecoms were themselves the victims, and Sullivan pushed for progress.

Investigators are still determining the full scope and intent of the data haul. They said the data could help hackers establish who different people in the government talk to and better understand their social and professional circles. That intelligence could help facilitate future intrusions or attacks on those individuals.
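To make the intelligence value of that metadata concrete, the following added example (not code from the article or from the FBI) builds a contact graph from constructed call detail records and answers two questions an analyst would put to it: who a given number talks to most, and which numbers connect two targets that never call each other directly. No call content is involved; only who called whom and when. The record format and all numbers are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed call detail records (not real data): timestamp, caller, callee, duration (s).
SAMPLE_CDRS = """\
2024-09-03T13:02:11Z,+12025550101,+12025550177,412
2024-09-03T18:45:00Z,+12025550177,+12025550101,95
2024-09-04T07:15:30Z,+12025550101,+12025550142,38
2024-09-04T07:16:10Z,+12025550142,+12025550199,600
2024-09-05T21:30:00Z,+12025550101,+12025550177,1210
2024-09-06T09:00:00Z,+12025550155,+12025550142,60
2024-09-06T09:45:00Z,+12025550155,+12025550199,75
2024-09-07T22:10:00Z,+12025550101,+12025550177,300
"""

Record = Tuple[datetime, str, str, int]


def parse_cdrs(text: str) -> List[Record]:
    """Parse CSV records into (timestamp, caller, callee, duration_seconds) tuples."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, callee, dur = line.strip().split(",")
        records.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), caller, callee, int(dur)))
    return records


def contact_graph(records: List[Record]) -> Dict[str, Counter]:
    """Undirected graph: g[a][b] is the number of calls between a and b in either direction."""
    g: Dict[str, Counter] = defaultdict(Counter)
    for _, caller, callee, _ in records:
        g[caller][callee] += 1
        g[callee][caller] += 1
    return g


def top_contacts(g: Dict[str, Counter], number: str, n: int = 3) -> List[Tuple[str, int]]:
    """The n numbers most often in contact with `number`, with call counts."""
    return g[number].most_common(n)


def intermediaries(g: Dict[str, Counter], x: str, y: str) -> Set[str]:
    """Numbers that talk to both x and y, i.e. candidate go-betweens linking the two."""
    return (set(g[x]) & set(g[y])) - {x, y}


if __name__ == "__main__":
    g = contact_graph(parse_cdrs(SAMPLE_CDRS))
    print(top_contacts(g, "+12025550101"))                      # [('+12025550177', 4), ('+12025550142', 1)]
    print(intermediaries(g, "+12025550101", "+12025550199"))    # {'+12025550142'}
```

A few days of records already distinguish a habitual contact from a one-off call and surface a go-between that neither target would name; at the scale the article describes, over a million subscribers, the same queries map whole organizations.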

Robert McMillan and Sadie Gurman contributed to this article.

Write to Dustin Volz at dustin.volz@wsj.com, Aruna Viswanatha at aruna.viswanatha@wsj.com, Sarah Krouse at sarah.krouse@wsj.com and Drew FitzGerald at andrew.fitzgerald@wsj.com


