Among the cybersecurity threats confronting the United States, few are more significant than the sabotage potential posed by China-backed hackers, which top U.S. officials have labeled an “epoch-defining threat.”

In recent months, U.S. intelligence officials have reported that hackers backed by the Chinese government have infiltrated critical U.S. infrastructure networks, including water, energy, and transportation systems. According to officials, the objective is to prepare for potentially devastating cyberattacks in the event of a future conflict between China and the U.S., such as a possible Chinese invasion of Taiwan.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” FBI Director Christopher Wray told lawmakers earlier this year.

The U.S. government and its allies have since taken action against the “Typhoon” group of Chinese hacking organizations, releasing new information about the dangers they present.

In January, the U.S. disrupted a group known as “Volt Typhoon,” composed of Chinese government hackers focused on preparing for future cyberattacks. In September, authorities dismantled a botnet operated by another Chinese hacking group called “Flax Typhoon,” which posed as a private Beijing-based company and helped cover the tracks of Chinese government hackers. More recently, a new China-backed group named “Salt Typhoon” emerged, capable of gathering intelligence on Americans and potential U.S. surveillance targets by compromising wiretap systems used by U.S. phone and internet providers.

Here’s what we know about the Chinese hacking groups preparing for potential conflict.

Volt Typhoon
Volt Typhoon marks a shift in Chinese hacking strategy, moving from simply stealing sensitive U.S. information to targeting the disruption of the U.S. military’s “ability to mobilize,” according to the FBI.

Microsoft first uncovered Volt Typhoon in May 2023, revealing that since mid-2021, the group had targeted and infiltrated network equipment like routers, firewalls, and VPNs. However, it’s believed they may have been operating for up to five years. Following Microsoft’s report, Volt Typhoon compromised thousands of internet-connected devices by exploiting vulnerabilities in outdated equipment no longer receiving security updates. This allowed them to infiltrate the IT systems of several critical infrastructure sectors, including aviation, water, energy, and transportation, positioning themselves for potential future cyberattacks.

“This actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the U.S. They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down,” said John Hultquist, chief analyst at security firm Mandiant.

In January, the U.S. government announced it had successfully disrupted a botnet used by Volt Typhoon, consisting of thousands of hijacked small office and home network routers across the U.S. The Chinese hacking group exploited these devices to conceal their malicious activity targeting U.S. critical infrastructure. The FBI reported that it removed malware from the compromised routers, severing the group’s access to the botnet.

Flax Typhoon
Flax Typhoon, first identified in an August 2023 Microsoft report, is another China-backed hacking group. Officials revealed that it operated under the guise of a Beijing-based cybersecurity company, Integrity Technology Group, which has acknowledged its ties to the Chinese government. In September, the U.S. government took control of a botnet operated by Flax Typhoon, which used a customized version of the Mirai malware to infect hundreds of thousands of internet-connected devices.

U.S. officials explained that this botnet was used to “conduct malicious cyber activity disguised as routine internet traffic from infected consumer devices.” The botnet allowed other Chinese government-backed hackers to infiltrate networks worldwide, stealing information and endangering critical infrastructure. According to Microsoft, Flax Typhoon has been active since mid-2021, primarily targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan, as well as U.S. and foreign corporations.

Salt Typhoon
The most recent—and potentially most alarming—China-backed hacking group uncovered is Salt Typhoon. This group made headlines in October for a highly sophisticated operation in which it allegedly compromised the wiretap systems of major U.S. telecom and internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon.

Reports suggest Salt Typhoon may have infiltrated these companies through compromised Cisco routers. The scale of the breach remains unclear, but according to national security sources, it could be “potentially catastrophic.” By gaining access to the wiretap systems used by law enforcement for court-authorized data collection, Salt Typhoon may have accessed sensitive information, including data on Chinese individuals under U.S. surveillance. The extent of the breach, which may have lasted for months or longer, is still under investigation.