Some thoughts about Typhoons

What's the deal with Volt Typhoon, Salt Typhoon, and Flax Typhoon - and what do we need to do?

The names read like a meteorological warning system: Volt Typhoon, Salt Typhoon, Flax Typhoon. But these aren't weather events—they're Chinese state-sponsored threat actors that have been making headlines throughout 2024, and the storm warnings are getting louder.

I've been fielding a lot of questions about these groups lately, so I wanted to share some thoughts on what's happening, why it matters, and what organizations should be doing about it.


The threat from China: Telecoms and beyond. What's changed recently?

The main recent development is twofold: the emergence of campaigns by Volt Typhoon, Salt Typhoon, and Flax Typhoon, along with the collective "sounding of the alarm" by AUKUS intelligence and defense communities, as well as targeted organizations. In particular, the impact of Salt Typhoon's intrusions into U.S. ISPs—and the resulting potential data exposure and privacy/security consequences for the U.S. population—has quickly elevated Chinese espionage and pre-positioning to an issue of retail politics.

China's aims: How are these evolving?

China has an openly stated strategic goal of surpassing the United States as the global hegemon by 2049, and these aims have not changed since the initiation of its 100-year plan. With Xi's rise to power in 2013, techniques and tactics grew noticeably more overt and aggressive in pursuit of these goals. In the cybersecurity sphere, this shift is exemplified by moving from covert, espionage-focused cyber operations to a more openly aggressive "spray and pray" approach around the end of 2019.

Strategically, the West is beginning to recognize that it has effectively been at war with China for the better part of 30 years. However, because these actions did not align with the West's traditional definition of warfare, open acknowledgment and preparation of responses are only now starting to emerge.

Chinese groups: Who are the main ones to be aware of?

Flax Typhoon is the "noisiest" group in terms of breadth and constancy, given its opportunistic targeting of IoT devices to sustain Operational Relay Box (ORB) networks.

Salt Typhoon should be a key consideration for ISPs, IT infrastructure providers, and especially for organizations downstream or adjacent to these types of companies.

Volt Typhoon's focus on targeting critical and defense infrastructure, combined with its continued preference for stealthier "Living Off the Land" techniques, is important for any organization within a critical infrastructure category to consider.

There are a variety of other groups, but these three have been the most frequently discussed and are currently regarded as the most significant from a national security standpoint.

What should businesses be doing about the China threat now and into 2025?

  1. Consider your line of business and where it might fit into nation-state targeting. Critical infrastructure verticals, and any organization where a significant amount of data transits or is stored, are clearly in the crosshairs—but it isn't limited to just these types of companies. As the last few years of intrusions have shown, this form of targeting is no longer as exclusive as it once was.

  2. Take steps to understand your external attack surface. Monitor feeds such as CISA's Known Exploited Vulnerabilities database, and ensure you're prioritizing patches based on reachability and the likelihood of exploitation.

  3. For smaller organizations that might get caught up in the activities of Flax Typhoon: Limit the internet-facing exposure of IoT devices like cameras and DVRs. Ensure these systems are regularly patched and do not have default passwords enabled. In general, choose IoT vendors that follow product security best practices, such as running a vulnerability disclosure program.
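Steps 2 and 3 above come down to one question: which of my internet-reachable systems carry a known-exploited vulnerability or a factory password? The script below, added here as an illustration and not code from the original post, shows one way to answer it. It reads a KEV-shaped feed (a constructed sample with the same field names as CISA's JSON, but placeholder CVE ids and made-up vendors), joins it against a small constructed asset inventory that records internet exposure and default-credential status, and ranks the assets. The weights in `score_asset` are an assumption chosen for the example, not a published standard; in practice you would point `load_kev` at the real feed and your own inventory.

```python
"""Rank assets for patching: CISA KEV match + reachability + default creds (added example)."""
import json
from dataclasses import dataclass

# Constructed stand-in for CISA's KEV JSON feed. Field names mirror the real
# feed; CVE ids, vendors and products are placeholders, not real entries.
SAMPLE_KEV = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-EXAMPLE-1", "vendorProject": "ExampleCam",
         "product": "NVR-200", "vulnerabilityName": "Command injection (placeholder)",
         "dateAdded": "2024-01-15", "requiredAction": "Apply vendor mitigations",
         "dueDate": "2024-02-05", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-EXAMPLE-2", "vendorProject": "ExampleNet",
         "product": "EdgeRouter X1", "vulnerabilityName": "Auth bypass (placeholder)",
         "dateAdded": "2024-03-02", "requiredAction": "Apply updates per vendor instructions",
         "dueDate": "2024-03-23", "knownRansomwareCampaignUse": "Known"},
    ],
})


@dataclass
class Asset:
    name: str
    vendor: str
    product: str
    internet_facing: bool        # reachable from the internet (a proxy for reachability)
    default_credentials: bool    # still on the factory password


# Constructed inventory: a couple of cameras/DVRs, an edge router, an internal server.
ASSETS = [
    Asset("lobby-dvr", "ExampleCam", "NVR-200", True, True),
    Asset("branch-router", "ExampleNet", "EdgeRouter X1", True, False),
    Asset("lab-dvr", "ExampleCam", "NVR-200", False, False),
    Asset("fileserver", "ExampleCorp", "FileShare 9", False, False),
]


def load_kev(raw_json):
    """Index KEV entries by (vendor, product), case-insensitive."""
    index = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index


def score_asset(asset, kev_index):
    """Return (score, reasons). Weights are illustrative assumptions."""
    score, reasons = 0, []
    for hit in kev_index.get((asset.vendor.lower(), asset.product.lower()), []):
        score += 50  # product appears in KEV: exploitation is known, not theoretical
        reasons.append(f"in KEV: {hit['cveID']} ({hit['requiredAction']})")
        if hit.get("knownRansomwareCampaignUse") == "Known":
            score += 10
            reasons.append("KEV flags known ransomware use")
    if asset.internet_facing:
        score += 30  # reachability: exposed systems get fixed first
        reasons.append("internet-facing")
    if asset.default_credentials:
        score += 20  # no exploit needed at all if the factory password still works
        reasons.append("default credentials still set")
    return score, reasons


def prioritize(assets, kev_index):
    """Rank assets highest-risk first as (name, score, reasons) tuples."""
    ranked = [(a.name, *score_asset(a, kev_index)) for a in assets]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, score, reasons in prioritize(ASSETS, load_kev(SAMPLE_KEV)):
        print(f"{score:3d}  {name:14s} {'; '.join(reasons) or 'no findings'}")
```

The internet-facing DVR on a default password ranks first even though the router's KEV entry carries the extra ransomware flag, which is the point of step 2: ordering work by what is reachable and already being exploited rather than by raw CVE count. A real inventory would also carry firmware versions, since the KEV feed lists products, not affected version ranges.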


The Bottom Line

The Typhoon campaigns represent a significant evolution in how nation-state actors approach strategic competition. These aren't smash-and-grab operations—they're patient, persistent efforts to establish footholds that can be leveraged when geopolitical tensions escalate.

The good news is that the fundamentals of defense still apply: know your attack surface, patch what's exploitable, and don't leave default credentials on internet-facing systems. The bad news is that for many organizations, these basics still aren't being done consistently.

The storm is here. Time to batten down the hatches.