Volt Typhoon: China's Investment in Preparation for Future Military Confrontation with the US

China's Volt Typhoon cyber threat targets US critical infrastructure, and Trump's Beijing visit is unlikely to put it on the agenda.

May 15, 2026
Background: The Emergence of Volt Typhoon

Microsoft first identified ‘Volt Typhoon’ as a strategic cyber espionage asset of China in 2023. Over the past five years, China has utilized Volt Typhoon through ever-evolving tactics, techniques and procedures (TTPs). These include a wide range of sophisticated malware tools used to penetrate critical American infrastructure networks that provide indispensable services in the communication, manufacturing, utility, transportation, maritime, governmental, information technology and education sectors in both Guam (where US Naval Base Guam and Andersen Air Force Base are located) and CONUS (Continental United States). Believed to be operational since 2021, Volt Typhoon is now a confirmed Advanced Persistent Threat (APT) and state-sponsored cyber-attack weapon of the People’s Republic of China (PRC).

CISA's Response: The CI Fortify Initiative

The US Government’s Cybersecurity and Infrastructure Security Agency (CISA) last week issued a new initiative called ‘CI Fortify’ against Volt Typhoon and other state-sponsored cyber-attack actors attempting to infiltrate American critical infrastructure. According to CISA Acting Director Nick Andersen, “CI Fortify is timely, actionable guidance that helps organizations protect their networks and critical services from cyber threat actors that aim to degrade or disrupt infrastructure.” The question arises as to the exact intent of the Chinese government in launching these attacks on the key infrastructure platforms of the US (and other Western governments). According to the International Institute for Strategic Studies (IISS), “Volt Typhoon’s activities are now widely regarded as an effort by the Chinese government to pre-position on critical infrastructure targets in preparation for disruption operations in the event of a military crisis with the US”.

Trump's Visit to China: Business Over Cyber Security

Whether US President Donald Trump’s high-stakes visit to China (which starts today, May 13/26) and his meetings with Chinese President Xi Jinping will include talks about the threatening nature of Volt Typhoon and other cyber hacking units of the PRC is doubtful. Mr. Trump’s priorities right now are tech business deals, US tariffs and trying to realign China’s support for Iran because of the ongoing war in the Persian Gulf. Mr. Trump has brought an all-star entourage on the trip, including Apple CEO Tim Cook; SpaceX and Tesla CEO Elon Musk; Meta President Dina Powell McCormick; Sanjay Mehrotra, CEO of computer memory maker Micron; Chuck Robbins, CEO of longtime telecom giant Cisco; and Cristiano Amon, CEO of semiconductor maker Qualcomm. It’s clear that ‘Team Trump’ arrived in Beijing with the intention of improving business and political ties, not of bringing up contentious issues such as the Volt Typhoon cyber-attacks.

Strategic Implications: Empowering Future Cyber Capabilities

Donald Trump’s historic visit to China highlights a troubling foreseeable outcome: that the PRC will be further empowered to enhance the hacking capabilities of Volt Typhoon and of other state-sponsored APTs associated with the PRC. According to Microsoft, Volt Typhoon deploys ‘living-off-the-land’ techniques and hands-on-keyboard activity. This includes issuing “commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence.” The People’s Liberation Army (PLA) Cyberspace Force of China oversees and directs the Volt Typhoon cyber-attacks, which in turn gives the PRC a massive advantage in pre-planning and preparation activities to launch future cyber-attacks against critical US infrastructure in the event of military hostilities between the two countries.

Political Reality: Iran and Trade Take Priority

The political reality is that the Sino-American talks will be dominated by the Iran War and trade issues, both of which are the US President’s most urgent concerns. The PRC’s state-sponsored cyber-attacks are a secondary issue that will most likely not be on the agenda when Mr. Trump meets personally with President Xi. Although the FBI claimed in early 2024 that it had ‘shut down’ Volt Typhoon, and a year later FBI Director Christopher Wray “revealed that his department had neutralized” a cyberattack carried out by Volt Typhoon, the fact remains that the PRC’s state-sponsored cyber-attacks still pose a growing global threat to the US and all NATO and Western nations. The PRC has several other hacking groups identified as APTs, including ‘Salt Typhoon’, as well as a Shanghai-based cyber actor, Yin Kecheng, who was sanctioned by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) in January 2025.

China's History of State-Sponsored Cyber Espionage

China has a history of aggressively conducting covert espionage operations against the US, EU countries, Australia and New Zealand for decades. The PRC started its state-sponsored cyber hacking operations in earnest in the late 2000s. Between 2009 and 2015, numerous US criminal indictments were issued against hackers based in mainland China. This was because “most of these hackers were based in the PLA directly so China’s government could not plausibly deny its direct involvement”. As a result, in 2015 then US President Barack Obama signed an agreement with President Xi that “neither country would engage in cyber economic espionage”. Despite this agreement, the PRC has rapidly evolved its state-sponsored hacking capabilities (especially over the past 10 years) so that it can now claim full deniability over the multitude of accusations that it is directing highly sophisticated cyber-attacks against the US and other Western countries.

Key PRC Cyber Warfare Institutions

The Cyberspace Force and Unit 61398 of the PLA are the PRC’s backbone in planning and executing cyberwarfare operations against the U.S., NATO, the EU, Australia and New Zealand. Universally known as ‘APT1’, Unit 61398 was initially exposed in 2013 in a report authored by the US cybersecurity firm Mandiant. That was over a decade ago. Since then, Unit 61398 and the Cyberspace Force have overseen a vast cyber warfare organization that is engaged in economic, political and financial espionage on a global scale. In addition, the PRC utilizes the Ministry of State Security (MSS) for covert state-sponsored cyber-attacks. Created over forty years ago, the MSS is China’s premier civilian intelligence agency and is considered the counterpart of the CIA. The MSS (and its provincial sub-agencies) have “during the past decade, been involved with the targeting of U.S. aerospace technology”.

PRC Admission and Strategic Signalling

In a secret meeting held in Geneva in April 2025, Chinese officials “indirectly” admitted to US officials that the PRC had launched the Typhoon cyber-attacks as “a response to the U.S.’s military backing of Taiwan.” This indicates that the PRC is emboldened to raise the ante with the US over rising tensions about Taiwan and the South China Sea.

Conclusion: An Alarming and Underestimated Threat

As the war with Iran and trade ties take priority over the next three days during President Trump’s visit to China, one factor remains abundantly clear: the People’s Republic of China is ready, able and willing to launch further state cyber-attacks against the US and its allies by deploying Volt Typhoon (and other APT actors) with full impunity. This is an alarming outcome with potential economic, political and military consequences that President Trump cannot even imagine.