Thursday, January 9, 2025

How Chinese Hackers Graduated From Clumsy Corporate Thieves to Military Weapons

The message from President Biden’s national security adviser was startling.

Chinese hackers had gained the ability to shut down dozens of U.S. ports, power grids and other infrastructure targets at will, Jake Sullivan told telecommunications and technology executives at a secret meeting at the White House in the fall of 2023, according to people familiar with it. The attack could threaten lives, and the government needed the companies’ help to root out the intruders. 

What no one at the briefing knew, including Sullivan: China’s hackers were already working their way deep inside U.S. telecom networks, too. 

The two massive hacking operations have upended the West’s understanding of what Beijing wants, while revealing the astonishing skill level and stealth of its keyboard warriors—once seen as the cyber equivalent of noisy, drunken burglars.

China’s hackers were once thought to be interested chiefly in business secrets and huge sets of private consumer data. But the latest hacks make clear they are now soldiers on the front lines of potential geopolitical conflict between the U.S. and China, in which cyberwarfare tools are expected to be powerful weapons. 

U.S. computer networks are a “key battlefield in any future conflict” with China, said Brandon Wales, a former top U.S. cybersecurity official at the Department of Homeland Security, who closely tracked China’s hacking operations against American infrastructure. He said prepositioning and intelligence collection by the hackers “are designed to ensure they prevail by keeping the U.S. from projecting power, and inducing chaos at home.” 

As China increasingly threatens Taiwan, working toward what Western intelligence officials see as a target of being ready to invade by 2027, the U.S. could be pulled into the fray as the island’s most important backer. Other friction between Washington and Beijing has intensified in recent years, with President-elect Donald Trump threatening a sharp trade war and China building a tighter alliance with Russia. Top U.S. officials in both parties have warned that China is the greatest danger to American security.

In the infrastructure attacks, which began at least as early as 2019 and are still taking place, hackers connected to China’s military embedded themselves in arenas that spies usually ignored, including a water utility in Hawaii, a port in Houston and an oil-and-gas processing facility. 

Investigators, both at the Federal Bureau of Investigation and in the private sector, found the hackers lurked, sometimes for years, periodically testing access. At a regional airport, investigators found the hackers had secured access, and then returned every six months to make sure they could still get in. Hackers spent at least nine months in the network of a water-treatment system, moving into an adjacent server to study the operations of the plant. At a utility in Los Angeles, the hackers searched for material about how the utility would respond in the event of an emergency or crisis. The precise location and other details of the infrastructure victims are closely guarded secrets, and couldn’t be fully determined.

American security officials said they believe the infrastructure intrusions—carried out by a group dubbed Volt Typhoon—are at least in part aimed at disrupting Pacific military supply lines and otherwise impeding America’s ability to respond to a future conflict with China, including over a potential invasion of Taiwan.

In the separate telecom attacks, which started in mid-2023 or earlier and were first reported by The Wall Street Journal in September, a hacking group—this one known as Salt Typhoon—linked to Chinese intelligence burrowed into U.S. wireless networks as well as systems used for court-appointed surveillance.

They were able to access data from over a million users, and snapped up audio from senior government officials, including some calls with Trump by accessing the phone lines of people whose phones he used. They also targeted people involved in Vice President Kamala Harris’s presidential campaign. 

They were also able to swipe from Verizon and AT&T a list of individuals the U.S. government was surveilling in recent months under court order, which included suspected Chinese agents. 

The intruders used known software flaws that had been publicly warned about but hadn’t been patched. Investigators said they were still probing the full scope of the attack. 

Lawmakers and officials given classified briefings in recent weeks told the Journal they were shocked at the depth of the intrusions and at how hard the hacks may be to resolve, and some telecom company leaders said they were blindsided by the attack’s scope and severity. 

“They were very careful about their techniques,” said Anne Neuberger, President Biden’s deputy national security adviser for cybersecurity. In some cases hackers erased cybersecurity logs, and in others the victim companies didn’t keep adequate logs, meaning there were details “we will never know regarding the scope and scale of this,” she said.

Liu Pengyu, the spokesman for the Chinese embassy in Washington, accused the U.S. of peddling disinformation about threats from Chinese hackers to advance its geopolitical ambitions. Chinese leader Xi Jinping told President Biden during their meeting in Peru in November that there was no evidence to support the allegations, he said.

“Some in the U.S. seem to be enthusiastic about creating various types of ‘typhoons,’” the spokesman said, referring to the names assigned to the hacking groups. “The U.S. needs to stop its own cyberattacks against other countries and refrain from using cybersecurity to smear and slander China.”

Verizon said a small number of high-profile customers in government and politics were specifically targeted by the threat actor and that those people had been notified. “After considerable work addressing this incident, we can report that Verizon has contained the activities associated with this particular incident,” said Vandana Venkatesh, chief legal officer at Verizon.

An AT&T spokeswoman said the company detected “no activity by nation-state actors in our networks at this time,” adding that the Chinese government targeted a “small number of individuals of foreign intelligence interest” and that affected customers were notified in cooperation with law enforcement.

Read More: https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95?wsj_native_webview=android&ace_environment=androidphone%2Cwebview&ace_config=%7B%22wsj%22%3A%7B%22djcmp%22%3A%7B%22propertyHref%22%3A%22https%3A%2F%2Fwsj.android.app%22%7D%7D%7D&article_is_saved=n
