Understandary Cascade
Salt Typhoon


This week we talk about cyberespionage, China, and asymmetrical leverage.

We also discuss political firings, hardware infiltration, and Five Eyes.


Recommended Book: The Fourth Turning Is Here by Neil Howe


Transcript

In the year 2000, then-General Secretary of the Chinese Communist Party, Jiang Zemin (jong ZEM-in), approved a plan to develop so-called “cyber coercive capabilities”—the infrastructure for offensive hacking—partly as a consequence of aggressive actions by the US, which among other things had recently bombed the Chinese embassy in Belgrade as part of the NATO campaign in Yugoslavia.

The US was a nuclear power with immense military capabilities that far outshone those of China, and the idea was that the Chinese government needed some kind of asymmetrical means of achieving leverage against the US and its allies to counter that. Personal tech and the internet were still relatively young in 2000—the first iPhone wouldn’t be released for another seven years, for context—but there was enough going on in the cyber-intelligence world that it seemed like a good point of leverage to aim for.

The early 2000s Chairman of the CCP, Hu Jintao, backed this ambition. He cited as justification the burgeoning threat of instability-inducing online variables, like those that sparked the color revolutions across Europe and Asia, and attack strategies similar to Israel’s Stuxnet cyberattack on Iran, though China’s growing economic dependence on its technological know-how was also part of the equation: it could evolve its capacity in this space relatively quickly, and it had valuable stuff that was targetable by foreign cyberattacks, so it was probably a good idea to increase its defenses while also increasing its ability to hit foreign targets in this way. That was the logic here.

The next CCP Chairman, Xi Jinping, doubled down on this effort, saying that in the cyber world, everyone else was using air strikes and China was still using swords and spears, so they needed to up their game substantially and rapidly.

That ambition seems to have been realized: though China is still reportedly regularly infiltrated by foreign entities like the US’s CIA, China’s cybersecurity firms and state-affiliated hacker groups have become serious players on the international stage, pulling off incredibly complex hacks of foreign governments and infrastructure, including a campaign called Volt Typhoon, which seems to have started sometime in or before 2021, but which wasn’t discovered by US entities until 2024. This campaign saw Chinese hackers infiltrating all sorts of US agencies and infrastructure, initially using malware, and then entwining themselves with the operating systems used by their targets, quietly syphoning off data, credentials, and other useful bits of information, slowly but surely becoming even more interwoven with the fabric of these systems, and doing so stealthily in order to remain undetected for years.

This effort allowed hackers to glean information about the US’s defenses in the continental US and in Guam, while also helping them breach public infrastructure, like Singapore’s telecommunications company, Singtel. It’s been suggested that, as with many Chinese cyberattacks, this incursion was a long-game play, meant to give the Chinese government the option of both using private data about private US citizens, soldiers, and people in government for manipulation or blackmail purposes, or to shut down important infrastructure, like communications channels or electrical grids, in the event of a future military conflict.

What I’d like to talk about today is another, even bigger and reportedly more successful long-term hack by the Chinese government, and one that might be even more disruptive, should there ever be a military conflict between China and one of the impacted governments, or their allies.

Salt Typhoon is the name given by Microsoft to a so-called “advanced persistent threat actor,” which is a formal way of saying hacker or hacker group. Microsoft plays a big role in the cybersecurity world, especially at this scale, a scale involving not just independent hackers, but government-level cyberespionage groups.

This group is generally understood to be run out of the Chinese Ministry of State Security, or MSS. It’s not usually possible to say something like that for certain, hence the “generally understood” component of that statement; often everyone kind of knows who’s doing what, but it’s imprudent to say so with 100% certainty, as cyberespionage, like many other sorts of spy stuff, is meant to be a gray area where governments can knock each other around without leading to a shooting war. If anyone were to say with absolute certainty, yes, China is hacking us, and it’s definitely the government, and they’re doing a really good job of it, stealing all our stuff and putting us at risk, that would either require the targeted government to launch some sort of counterstrike against China, or would leave that targeted government looking weak, and thus prone to more such incursions and attacks, alongside any loss of face it might suffer.

So there’s a lot of hand-waving and alluding in this sphere of diplomacy and security, but it’s basically understood that Salt Typhoon is run by China, and it’s thought that they’ve been operating since at least 2020.

Their prime function seems to be stealing as much classified data as they can from governments around the world, and scooping up all sorts of intellectual property from corporations, too.

China’s notorious for collecting this kind of IP and then giving it to Chinese companies, which have become really good at using such IP, copying it, making it cheaper, and sometimes improving upon it in other ways, as well. This government-corporation collaboration model is fundamental to the operation of China’s economy, and to the dynamic between its government, its military, its intelligence services, and its companies, all of which work together in various ways.

It’s estimated that Salt Typhoon has infiltrated more than 200 targets in more than 80 countries, and alongside corporate entities like AT&T and Verizon, they also managed to scoop up private text messages from Kamala Harris’ and Donald Trump’s presidential campaigns in 2024, using hacks against phone services to do so.

Three main Chinese tech companies allegedly helped Salt Typhoon infiltrate foreign telecommunications companies and internet service providers, alongside hotel, transportation, and other sorts of entities, which allowed them to not just grab text messages, but also track people, keeping tabs on their movements, which again, might be helpful in future blackmail or even assassination operations.

Those three companies seem to be real-deal, actual companies, not just fronts for Chinese intelligence, but the government was able to use them, and the services and products they provide, to sneak malicious code into all kinds of vital infrastructure and all sorts of foreign corporations and agencies—which seems to support concerns from several years ago about dealing with Chinese tech companies like Huawei; some governments decided not to work with them, especially in building out their 5G communications infrastructure, due to the possibility that the Chinese government might use these ostensibly private companies as a means of getting espionage software or devices into these communications channels or energy grids. The low prices Huawei offered just weren’t worth the risk.

The US government announced back in 2024 that Salt Typhoon had infiltrated a bunch of US telecommunications companies and broadband networks, and that routers manufactured by Cisco were also compromised by this group. The group was also able to get into ISP services that US law enforcement and intelligence services use to conduct court-authorized wiretaps; so they weren’t just spying on individuals, they were also spying on other governments’ spies and those they were spying on.

Despite all these pretty alarming findings, in the midst of the investigation into these hacks, the second Trump administration fired the government’s Cyber Safety Review Board, which was thus unable to complete its investigation into Salt Typhoon’s intrusion.

The FBI has since issued a large bounty for information about those involved in Salt Typhoon, but that only addresses the issue indirectly, and there’s still a lot we don’t know about this group, the extent of their hacking, and where else they might still be embedded, in part because the administration fired those looking into it, reportedly because the administration didn’t like this group also looking into Moscow’s alleged interference in the 2016 presidential election, and Salt Typhoon’s potential interference with the 2024 presidential election, both of which Trump won.

The US government has denied these firings are in any way political, saying they intend to focus on cyber offense rather than defense, and pointing out that the current approach to investigating these sorts of things was imperfect; which is something that most outside organizations would agree on.

That said, there are concerns that these firings, and other actions against the US’s cyberthreat defensive capabilities, are revenge moves against people and groups that have said the 2020 presidential election, which Trump lost to Joe Biden, was the most secure and best-run election in US history; which flies in the face of Trump’s preferred narrative that he won in 2020—something he’s fond of repeating, though without evidence, and with a vast body of evidence against his claim.

The US has also begun pulling away from long-time allies that it has previously collaborated with in the cyberespionage and cyberdefense sphere, including its Five Eyes partners, the UK, Canada, Australia, and New Zealand.

Since Tulsi Gabbard was installed as the Director of National Intelligence by Trump’s new administration, US intelligence services have been instructed to withhold information about negotiations with Russia and Ukraine from these allies, which is worrying intelligence experts, partly because this move seems to mostly favor Russia, and partly because it represents one more wall, of many, that the administration seems to be erecting between the US and these allies. Gabbard herself is also said to be incredibly pro-Russian, so while that may not be influencing this decision, it’s easy to understand why many allies and analysts are concerned that her loyalties might be divided in this matter.

So what we have is a situation in which political considerations and concerns, alongside divided priorities and loyalties within several governments, but the US in particular right now, might be changing the layout of, and perhaps even weakening, cybersecurity and cyberespionage services at the very moment these services might be most necessary, because a foreign government has managed to install itself in all kinds of agencies, infrastructure, and corporations.

That presence could allow China to milk these entities for information and stolen intellectual property, but it could also put the Chinese government in a very favorable position, should some kind of conflict break out, including but not limited to an invasion of Taiwan; if the US’s electrical grids or telecommunications services go down, or the country’s military is unable to coordinate with itself, or with its allies in the Pacific, at the moment China invades, there’s a non-zero chance that would impact the success of that invasion in China’s favor.

Again, this is a pretty shadowy playing field even at the best of times, but right now there seems to be a lot happening in the cyberespionage space, and many of the foundations that were in place until just recently, are also being shaken, shattered, or replaced, which makes this an even more tumultuous, uncertain moment, with heightened risks for everybody, though maybe the opposite for those attacking these now more-vulnerable bits of infrastructure and vital entities.


Show Notes

https://www.nbcnews.com/tech/security/china-used-three-private-companies-hack-global-telecoms-us-says-rcna227543

https://media.defense.gov/2025/Aug/22/2003786665/-1/-1/0/CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF

https://www.nytimes.com/2025/04/05/us/politics/trump-loomer-haugh-cyberattacks-elections.html

https://www.france24.com/en/americas/20250826-has-the-us-shut-its-five-eyes-allies-out-of-intelligence-on-ukraine-russia-peace-talks

https://www.axios.com/2025/09/04/china-salt-typhoon-fbi-advisory-us-data

https://www.wsj.com/politics/national-security/chinese-spies-hit-more-than-80-countries-in-salt-typhoon-breach-fbi-reveals-59b2108f

http://axios.com/2025/08/02/china-usa-cyberattacks-microsoft-sharepoint

https://www.axios.com/2024/12/03/salt-typhoon-china-phone-hacks

https://www.nytimes.com/2025/09/04/world/asia/china-hack-salt-typhoon.html

https://www.euronews.com/2025/09/04/trump-and-jd-vance-among-targets-of-major-chinese-cyberattack-investigators-say

https://www.congress.gov/crs-product/IF12798

https://www.fcc.gov/document/implications-salt-typhoon-attack-and-fcc-response

https://en.wikipedia.org/wiki/Salt_Typhoon

https://en.wikipedia.org/wiki/2024_global_telecommunications_hack

https://en.wikipedia.org/wiki/Chinese_interference_in_the_2024_United_States_elections

https://www.theregister.com/2025/08/28/how_does_china_keep_stealing/

https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4287371/nsa-and-others-provide-guidance-to-counter-china-state-sponsored-actors-targeti/

https://chooser.crossref.org/?doi=10.2307%2Fjj.16040335

https://en.wikipedia.org/wiki/Cyberwarfare_and_China

https://en.wikipedia.org/wiki/Volt_Typhoon
