Two typhoons in the Philippine Sea on July 10, 2015. (NOAA)

Code Red: A Guide to Understanding China's Sophisticated Typhoon Cyber Campaigns

By McCrary Institute Task Force on the People’s Republic of China

In recent years, the United States and its allies have faced an unprecedented surge in sophisticated cyber operations linked to the People’s Republic of China (PRC). These state-sponsored cyber incursions mark a decisive shift in Beijing’s cyber strategy beyond traditional espionage and data theft toward embedding disruptive capabilities within U.S. critical infrastructure. The intent and impact behind this activity, collectively referred to as the “Typhoons” by Microsoft, are deeply troubling. This evolution signals China’s preparation for potential future conflict and a persistent escalation in the cyber domain against the United States, in which cyber operations could be used to degrade logistics, delay deployments or pressure U.S. decision-makers through attacks on civilian lifeline systems. Taken together, the Typhoons represent a combination of disruption, operational preparation of the battlefield, espionage and criminal behavior.

This capability poses a real and present danger to Americans’ daily lives, the U.S. economy and our own ability to project military force. Whether, when and to what extent the PRC may choose to unleash these capabilities is not known, although the potential for a 2027 invasion of Taiwan is a key indicator of potential timing that is often cited by U.S. officials. Government, industry and the public should remain concerned that the PRC is able to exploit our information and operational systems to such a degree that the daily functioning of critical sectors could one day be taken down at a time of the Chinese government’s choosing.

China’s cyber evolution builds on a decade of persistent operations, including the 2014 U.S. indictment of People’s Liberation Army (PLA) hackers and the 2015 Office of Personnel Management breach. The Typhoons represent a new phase of long-term, covert access to infrastructure systems that could be exploited at Beijing’s will. The PRC’s strategy blends espionage, coercion and gray-zone warfare, leveraging cyberspace as a tool to weaken U.S. resilience without open conflict.

Among these actors, Volt Typhoon poses the most immediate operational threat. Detected in 2023, it infiltrated U.S. critical infrastructure using stealthy, credential-based methods to maintain access to energy, water and telecommunications networks. Its goal is not espionage but disruption, positioning China to disable or manipulate systems vital to national defense. Flax Typhoon similarly exploited Internet of Things (IoT) devices, focusing on espionage and data collection, while Salt Typhoon targeted U.S. telecommunications providers, compromising data for over one million Americans, including senior government officials and political figures. This breach revealed an alarming ability to access sensitive communications and law enforcement surveillance systems. Linen, Violet, Silk and Nylon Typhoons further demonstrate China’s agility, exploiting zero-day vulnerabilities in widely used enterprise software and expanding into political, defense and diplomatic domains.

These campaigns expose systemic risks across all sectors. Energy and water infrastructure face the gravest consequences, where disruptions could cascade into military, hospital and data center outages. Telecommunications and transportation networks are equally vulnerable, while healthcare institutions present emerging targets for coercive leverage. The Typhoon actors are not isolated operations; they are coordinated components of a comprehensive PRC strategy to prepare for conflict while eroding U.S. strategic confidence.

The U.S. and allies have responded through indictments, sanctions and public attribution, but these measures remain insufficient. Existing legal frameworks, such as the Computer Fraud and Abuse Act, are poorly suited to counter state-directed cyber campaigns. International norms remain weak, and Beijing’s use of third-party contractors obscures attribution and accountability. To counter these threats, the U.S. must strengthen deterrence by hardening infrastructure through zero-trust architectures and real-time anomaly detection, while also enhancing international coordination and updating legal authorities for persistent, state-sponsored cyber conflict.

The Typhoon actors mark a key moment in China’s offensive cyber strategy and capabilities, transitioning from mere theft to potential disruption at scale. Defending against this evolving threat demands a whole-of-government and allied approach that integrates cybersecurity, intelligence, diplomacy and resilience. The challenge is no longer just technical — it is strategic, requiring the United States to adapt its policies, laws and partnerships to confront the realities of 21st-century cyber warfare.
