CCP-LINKED ACTORS STILL THREATEN AMERICAN CRITICAL INFRASTRUCTURE

On his recently concluded trip through Asia, Secretary of Defense Pete Hegseth met with counterparts in Japan, Malaysia, Vietnam, and South Korea about the mounting threat from China and to “ensure that China understands that we have a credible deterrent.” During the trip, while on his way to a meeting of Association of Southeast Asian Nations (ASEAN) defense ministers, the Secretary emphasized that China will remain a key focus of the upcoming National Defense Strategy. The 2022 National Defense Strategy had already warned that China’s People’s Liberation Army (PLA) “is rapidly advancing and integrating its space, counterspace, cyber, electronic, and informational warfare capabilities to support its holistic approach to joint warfare.”

True to that warning, groups linked to the Chinese Communist Party (CCP) have ramped up their cyber operations in recent years, threatening targets within the United States. At the end of October, the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University released its latest report on China’s “Typhoons,” the collective name Microsoft gives to this cluster of activity, which the report says signals “a persistent escalation in the cyber domain against the United States, in which cyber operations could be used to degrade logistics, delay deployments or pressure U.S. decision-makers through attacks on civilian lifeline systems.”

The Typhoons Pose a Significant Risk That Must Be Taken Seriously 

The McCrary Institute report warns that the Typhoons represent a shift in strategy towards “embedding disruptive capabilities within U.S. critical infrastructure” as preparation for a potential future conflict in which the CCP could exploit existing access to harm Americans or disrupt U.S. military engagement. As the report states, “Energy and water infrastructure face the gravest consequences, where disruptions could cascade into military, hospital, and data center outages. Telecommunications and transportation networks are equally vulnerable, while healthcare institutions present emerging targets for coercive leverage.” These campaigns are coordinated, component parts of a larger CCP strategy:

Volt Typhoon: CCP-linked actors have targeted critical infrastructure in the U.S., gaining access to utility systems and pre-positioning themselves to be able to disrupt services such as water, electricity, or other sensitive systems if given the order.

Flax Typhoon: Focused on compromising Internet of Things (IoT) devices to gain and maintain access to organizations in order to collect intelligence and conduct espionage.

Salt Typhoon: In 2024, at least nine telecommunications companies, including Verizon, AT&T, and Charter Communications, were compromised, allowing CCP-linked actors to track American phone calls and text messages, including those of high-ranking U.S. officials.

Linen Typhoon and Violet Typhoon: Exploited “zero-day” vulnerabilities in Microsoft SharePoint to gain access to systems belonging to government agencies, non-governmental organizations, and businesses.

Silk Typhoon: Takes advantage of vulnerabilities in enterprise software, remote management tools, and cloud services in order to steal credentials and reach additional victims.

Nylon Typhoon: Traditionally focused on governments, think tanks, and diplomatic entities, Nylon Typhoon uses unpatched vulnerabilities to gain access to systems and deploy malware.

Taken together, the Typhoons represent an advance by the CCP beyond traditional espionage and are a stark reminder of the massive disruption that could result if the United States fails to mount an adequate response.

Medical Devices Made by Chinese Companies May Provide a Vector for Attack 

In addition to municipal utilities such as water and electricity, the McCrary Institute also warned that “the healthcare sector is increasingly recognized as critical infrastructure vulnerable to foreign cyber operations. Hospitals and research institutions hold sensitive data and rely on networked medical devices that could be disrupted or manipulated.” The Protecting America Initiative (PAI) has previously drawn attention to the risk posed by medical devices made by Chinese companies after the Food and Drug Administration and the Cybersecurity & Infrastructure Security Agency issued warnings about patient monitors made by a Chinese company that contained a backdoor allowing unauthorized access, threatening both patient safety and data security. We will continue to advocate for policies to remove those devices from the supply chain to harden our defenses against bad actors who would exploit access to them.

FCC Steps Up 

At the end of October, the Federal Communications Commission (FCC) voted to block new approvals for telecommunications equipment made by Chinese companies that have been designated as national security risks. According to the FCC, “These new rules will establish a process for the FCC to prohibit the continued importation, marketing, and sale of previously authorized devices that the agency subsequently placed on the Covered List based on national security concerns. The FCC could apply this new rule in a targeted manner. Additionally, the new rules will close the modular transmitter loophole—meaning that certain insecure Huawei, Hikvision, or other Covered List modular transmitters could no longer be included as components within otherwise lawful or authorized devices.”

As FCC Chairman Brendan Carr explains, previously authorized device models and equipment built from Covered List components “present loopholes that bad actors could use to threaten the security of our networks.” The FCC’s decision will make it more difficult for bad actors to gain access to U.S. communications networks.

The U.S. Needs a Whole-of-Government Response

The United States must reckon with the danger of CCP-linked actors gaining access to our most private and vulnerable systems, and shore up the defenses of critical infrastructure to make it more difficult for bad actors to exploit. The McCrary Institute points out the need for a whole-of-government response to this threat, writing that “[i]t is a national security imperative that federal, state, local, tribal, territorial, and private sector partners cooperate in new and robust ways to minimize potential future operational disruptions and sensitive data compromises, which, if combined, could cause a super storm.” PAI agrees and has advocated for both federal and state policy solutions to address this very issue and safeguard national security.
