Deconstruction of Chinese Typhoon Strategy: Volt Typhoon vs Salt Typhoon in the Context of Chinese Statecraft
Executive Summary
The People’s Republic of China (PRC) has deployed a sophisticated and multi-faceted cyber strategy that presents a significant and evolving threat to global security. At the forefront of this effort are two distinct but related state-sponsored cyber threat groups, Volt Typhoon and Salt Typhoon. While sharing a common national sponsor and a focus on critical infrastructure, their operational objectives are fundamentally different. Volt Typhoon, attributed to the People’s Liberation Army (PLA), is strategically focused on pre-positioning for future disruptive and destructive cyberattacks. In contrast, Salt Typhoon, linked to the Ministry of State Security (MSS), is a high-stakes espionage and counterintelligence operation aimed at sustained intelligence collection. The collective and coordinated nature of these campaigns represents a strategic shift in Chinese statecraft, moving beyond traditional intellectual property theft to a posture of information dominance and wartime preparedness. This report deconstructs the unique doctrines of each group and provides a comparative analysis to illuminate the full scope of the threat, concluding with recommendations for a more effective and proactive defensive posture.
A New Era of Chinese Cyber Threats
The current geopolitical landscape is marked by intensifying competition, a dynamic reflected in cyberspace. For years, Chinese state-sponsored cyber activity was characterized primarily by large-scale economic espionage and intellectual property theft. Recent disclosures from intelligence and cybersecurity agencies in the United States and allied countries, however, have exposed a significant doctrinal evolution. The rise of sophisticated operations collectively termed “Typhoon” campaigns signals a more aggressive and strategic posture. The shared “Typhoon” label is simply the suffix that Microsoft’s threat-actor naming taxonomy assigns to groups it assesses as China-based; it indicates common state sponsorship, not a common mission. Volt Typhoon and Salt Typhoon, the two most prominent groups carrying the name, differ profoundly in strategic objective and operational method. Distinguishing the two allows for a deeper understanding of China’s long-term ambitions and the challenges they pose to national and economic security.
Volt Typhoon: A Doctrine of Strategic Disruption
Attribution and Purpose
Volt Typhoon is a state-sponsored cyber threat actor that has been systematically pre-positioning inside the networks of critical-infrastructure operators in the United States and its territories since at least mid-2021. The group is widely assessed to be sponsored by the People’s Republic of China (PRC) and is believed to operate on behalf of the People’s Liberation Army (PLA), a key distinction from other PRC-linked groups.
The group’s primary objective is not traditional espionage for intellectual property or data theft. Instead, its mission is to pre-position digital capabilities within U.S. critical infrastructure to enable disruption or destruction during a future geopolitical crisis. This is not a reactive form of cyber warfare but a proactive strategic maneuver. A full-scale kinetic conflict, such as a contingency over Taiwan, would require immediate and decisive action. By establishing covert and persistent access to vital networks in advance, the PLA can bypass the time-consuming and often noisy initial exploitation phases of a cyber operation. This advanced placement ensures that disruptive capabilities are ready to be leveraged instantly, potentially to slow U.S. military mobilization or undermine civilian morale by crippling essential services like power, communications, and water systems. This approach aligns with a broader Chinese military doctrine of “peacetime-wartime integration,” where a constant state of readiness is maintained to achieve information dominance at the outset of a conflict. As a result, this threat has been described by senior U.S. officials as the “defining threat of our generation” due to its potential to directly impact civilian and military operations.
Tactics, Techniques, and Procedures (TTPs)
Volt Typhoon’s operational success is rooted in its mastery of “living-off-the-land” (LOTL) techniques. Rather than deploying custom malware, the group uses legitimate administration tools already present in the victim environment: on Windows hosts, utilities such as PowerShell, WMI, netsh, and ntdsutil; on Linux hosts and network appliances, the standard shell utilities. Because no malicious binary is ever written to disk, there is nothing for signature-based detection to match, and the group’s activity blends into routine administrative traffic for extended periods. The group has also been reported to clear event logs on compromised hosts, removing the very records a defender would need to reconstruct the intrusion.
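Because LOTL activity is made of commands an administrator might legitimately run, the practical detection approach is to score process-creation telemetry against a small set of high-signal command patterns and accumulate the score per host, rather than alerting on any single match. The following is an added example, not code from NetSecurity or from the page’s sources. The command patterns are drawn from LOTL commands publicly reported for Volt Typhoon in CISA’s advisory AA24-038A (ntdsutil IFM dumps, netsh portproxy relays, wevtutil log clearing, shadow-copy creation, registry hive saves); the weights, the threshold and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows process-creation events (Event ID 4688 style).
# These are illustrative records, not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": r"CORP\svc_backup",
     "cmd": r'ntdsutil.exe "ac i ntds" ifm "create full C:\temp\ntds" q q'},
    {"host": "jump01", "user": r"CORP\jsmith",
     "cmd": "netsh interface portproxy add v4tov4 listenport=9999 "
            "connectport=3389 connectaddress=10.0.5.20"},
    {"host": "jump01", "user": r"CORP\jsmith", "cmd": "wevtutil cl Security"},
    {"host": "ws17", "user": r"CORP\amartin", "cmd": "powershell.exe -NoProfile Get-Process"},
    {"host": "ws17", "user": r"CORP\amartin", "cmd": "ipconfig /all"},
]

# (pattern, label, weight). Patterns reflect commands reported in CISA AA24-038A;
# the weights are an assumption chosen so that a credential dump or a log wipe
# fires on its own while lower-signal commands need corroboration.
LOTL_RULES = [
    (re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I), "ntds.dit dump via ntdsutil IFM", 5),
    (re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I), "portproxy relay created", 4),
    (re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I), "event log cleared", 4),
    (re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I), "volume shadow copy created", 3),
    (re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)", re.I), "registry hive saved", 4),
]


def score_events(events, threshold=4):
    """Score process-creation events per host against LOTL_RULES.

    Returns {host: (score, [f"{user}: {label}", ...])} for every host whose
    accumulated score reaches `threshold`. Hosts with no matches, or with
    matches below the threshold, are omitted.
    """
    per_host = defaultdict(lambda: [0, []])
    for ev in events:
        for pattern, label, weight in LOTL_RULES:
            if pattern.search(ev["cmd"]):
                per_host[ev["host"]][0] += weight
                per_host[ev["host"]][1].append(f"{ev['user']}: {label}")
    return {host: (score, hits) for host, (score, hits) in per_host.items() if score >= threshold}


if __name__ == "__main__":
    for host, (score, hits) in score_events(SAMPLE_EVENTS).items():
        print(f"{host}: score={score}")
        for hit in hits:
            print(f"  - {hit}")
```

The scoring deliberately leaves room for context: an `ntdsutil` IFM export by a backup account on a domain controller may be an approved backup job, so in production the rule set would be paired with an allow-list of expected (host, user, command) tuples and the events would be read from a central log store rather than the endpoint, for exactly the reason the page gives about log clearing.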
The targeting strategy of Volt Typhoon is highly focused and deliberate. The group directs its campaigns at strategically significant sectors within the United States and its territories, including electric utilities, telecommunication networks, water systems, and transportation hubs. This strategic focus is designed to target the very infrastructure that underpins both civilian life and military logistics. For instance, by infiltrating telecommunication networks in areas like Guam, a key hub for U.S. naval operations, the group can position itself to disrupt crucial communications in a future conflict. The group’s selection of targets is not random; it is a calculated effort to gain access to systems that can be leveraged for sabotage, consistent with their overarching military objective of pre-positioning for disruption.
Salt Typhoon: A Doctrine of High-Stakes Espionage
Attribution and Purpose
Salt Typhoon is a separate and distinct sophisticated cyber espionage operation also orchestrated by a Chinese state-sponsored threat group. The group is widely believed to be affiliated with China’s Ministry of State Security (MSS), the country’s foreign intelligence service. This attribution is a critical distinction from Volt Typhoon’s link to the PLA, as it indicates a mission focused on intelligence collection rather than military preparedness for disruption. Salt Typhoon’s activities align with broader geopolitical objectives of intelligence gathering and counterintelligence, which are components of China’s “100-Year Strategy”.
The group’s specific targeting of the systems U.S. carriers use to fulfil lawful-intercept requests under the Communications Assistance for Law Enforcement Act (CALEA) goes beyond simple data theft into strategic counterintelligence. By compromising these systems, Salt Typhoon not only steals sensitive communications but can also learn which subjects are under U.S. surveillance, undermining the government’s ability to conduct its own surveillance and counterintelligence operations. This is a profound threat to national security, as it jeopardizes the very tools used to monitor criminal and foreign intelligence activity. The reported targeting of phones belonging to high-profile individuals, including political campaign staff and a former president, further underscores the group’s focus on collecting information on key government figures and decision-makers.
Tactics, Techniques, and Procedures (TTPs)
Salt Typhoon’s tactics are tailored to its espionage mission, with a primary focus on compromising the “data choke points” within critical infrastructure, particularly telecommunications networks. The group has been observed targeting major U.S. providers such as Verizon, AT&T, T-Mobile, and Lumen, as well as core network components like Cisco routers.
The group’s initial access vectors are varied and include the exploitation of both known (N-day) and zero-day vulnerabilities in public-facing servers and network devices. While it also employs “living-off-the-land” tactics similar to Volt Typhoon, Salt Typhoon has demonstrated a higher level of technical sophistication through custom tooling such as the “Demodex” Windows kernel-mode rootkit, used to retain remote control and evade detection. Its persistence on network equipment is equally deliberate: the group has been observed modifying access control lists (ACLs) on compromised devices so that traffic from its own infrastructure is permitted, and configuring encrypted remote access (such as SSH) on non-standard ports so that the listener is not caught by scans or management ACLs that assume the default port. These tactics are indicative of a well-resourced and technically proficient intelligence service.
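The ACL and non-standard-port persistence described above leaves a footprint in the device configuration itself, so a routine comparison of the running configuration against a known-good (golden) copy is one of the cheapest ways to catch it. The following is an added example, not code from NetSecurity or from the page’s sources. It assumes Cisco IOS-style configuration syntax (indented child lines under an unindented section header); both configuration fragments are constructed for illustration, and the list of high-risk line patterns is an assumption rather than a complete catalogue of what the group has been reported to change.

```python
import re

# Constructed IOS-style configuration fragments (not from any real device).
GOLDEN_CONFIG = """\
hostname edge-rtr-01
ip ssh version 2
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 deny ip any any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# The running config below adds a permit for an outside host to the management
# ACL and moves SSH onto a high port via a rotary group: the two changes the
# page describes, expressed in IOS syntax.
RUNNING_CONFIG = """\
hostname edge-rtr-01
ip ssh version 2
ip ssh port 57722 rotary 1
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit tcp host 203.0.113.77 any
 deny ip any any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
 rotary 1
"""

# Patterns that, when they appear as *new* lines, deserve immediate review.
# This list is an assumption for illustration, not an exhaustive rule set.
HIGH_RISK = [
    (re.compile(r"^permit\b"), "ACL permit entry added"),
    (re.compile(r"^ip ssh port \d+"), "SSH moved to a non-standard port"),
    (re.compile(r"^rotary \d+"), "vty rotary group attached (alternate SSH listener)"),
    (re.compile(r"^username \S+ privilege 15"), "privileged local user added"),
    (re.compile(r"^interface Tunnel"), "tunnel interface added"),
]


def parse_config(text):
    """Return a set of (section, line) pairs.

    Indented lines are attributed to the preceding unindented section header;
    unindented lines are recorded under the empty section. Keeping the section
    lets the diff say *which* ACL or vty block gained a line, not just that
    some line appeared.
    """
    entries, section = set(), ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            entries.add((section, raw.strip()))
        else:
            section = raw.strip()
            entries.add(("", section))
    return entries


def audit_drift(golden, running):
    """Diff running against golden config.

    Returns a list of (severity, section, line). Added lines get "high: <label>"
    when they match HIGH_RISK, otherwise "info"; lines missing from the running
    config are reported as "removed" (a deleted deny or access-class is as
    interesting as an added permit).
    """
    added = parse_config(running) - parse_config(golden)
    removed = parse_config(golden) - parse_config(running)
    findings = []
    for section, line in sorted(added):
        severity = "info"
        for pattern, label in HIGH_RISK:
            if pattern.search(line):
                severity = f"high: {label}"
                break
        findings.append((severity, section, line))
    for section, line in sorted(removed):
        findings.append(("removed", section, line))
    return findings


if __name__ == "__main__":
    for severity, section, line in audit_drift(GOLDEN_CONFIG, RUNNING_CONFIG):
        print(f"[{severity}] {section or '<global>'}: {line}")
```

Run against configs pulled by the existing backup job, and treat the golden copy as an artifact that only changes through the change-management process; a diff that shows a new `permit` against the management ACL or an `ip ssh port` line that nobody filed a change for is exactly the signal this section describes.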
Target Profile
The scope of Salt Typhoon’s operations is extensive and global. The group has reportedly compromised over 200 targets in more than 80 countries, with a particular emphasis on telecommunications providers. The campaign against U.S. telecommunications companies, revealed in late 2024, compromised the systems of at least nine major providers, affecting over a million users. The compromised data included user metadata, such as date and time stamps, IP addresses, and phone numbers. In some cases, the attackers were able to obtain audio recordings of calls made by high-profile individuals, highlighting the depth of their access. Beyond telecommunications, the group has also infiltrated hotels, government agencies, and the U.S. National Guard, further demonstrating its broad mandate for intelligence collection.
A Comparative Analysis: Commonalities and Profound Differences
While Volt Typhoon and Salt Typhoon are often mentioned in the same breath, a close examination reveals that they are two distinct and purpose-built cyber operations that are part of a coordinated PRC strategy.
Shared Ground: The Chinese State’s Cyber Toolkit
The groups share several key commonalities that reflect a cohesive national approach to cyber operations. Both are unequivocally state-sponsored by the PRC, with their activities aligning with broader geopolitical objectives. They both rely on long-term persistence, maintaining covert access to compromised networks for years, with activity dating back to at least 2021. A core tactical commonality is the extensive use of “living-off-the-land” techniques, which allow them to evade traditional security defenses by leveraging native system tools and binaries. Both groups also target critical infrastructure, recognizing its strategic value to national security.
Despite these similarities, the core differences between the two groups are profound and revealing. The most crucial distinction is their primary objective. Volt Typhoon’s mission is disruption, aimed at enabling future sabotage and denial-of-service, a military-oriented goal. In stark contrast, Salt Typhoon’s mission is espionage, focused on intelligence collection and counterintelligence, an intelligence-oriented goal. This difference in mission is directly reflected in their sponsoring entities: Volt Typhoon is linked to the military PLA, while Salt Typhoon is tied to the intelligence service MSS.
The targeting logic for each group is also distinct. Volt Typhoon’s targets are selected for their operational value in a conflict, that is, the ability to physically disable or disrupt a system. Salt Typhoon’s targets are selected for their informational value, providing a conduit to sensitive communications and intelligence. The following table provides a side-by-side comparison of these attributes.

| Attribute | Volt Typhoon | Salt Typhoon |
|---|---|---|
| Primary Objective | Pre-positioning for disruption and sabotage | Long-term intelligence and counterintelligence espionage |
| Sponsoring Entity | People’s Liberation Army (PLA) | Ministry of State Security (MSS) |
| Key Targets (Sectors) | Critical infrastructure: energy, water, transportation, telecommunications | Telecommunications, government, hotels, and military networks globally |
| Core Tactics | Living-off-the-land (LOTL), credential theft, log clearing | Living-off-the-land (LOTL), exploiting zero-day and N-day vulnerabilities, wiretap (CALEA) system compromise |
| Noteworthy Tools/Malware | Native Windows tools, custom web shells, covert networks | Native Windows tools, “Demodex” kernel-mode rootkit, covert networks |
| Key Incidents | Infiltration of U.S. critical infrastructure in Guam and other territories since at least 2021 | Compromise of at least nine U.S. telecommunications providers, with access to call metadata of over a million users and the content of some high-profile individuals’ communications |
| Attribution Aliases | Insidious Taurus, VANGUARD PANDA, BRONZE SILHOUETTE | Earth Estries, GhostEmperor, UNC2286, FamousSparrow |
The Broader Strategic Implications: A Coordinated Threat
The simultaneous and long-term operations of Volt Typhoon and Salt Typhoon are not isolated incidents but rather represent a coordinated, multi-domain strategy by the PRC. This collective threat signifies a fundamental shift in China’s cyber doctrine, moving beyond pure economic espionage to a more aggressive posture of pre-positioning for both military disruption and deep-seated intelligence collection.
This evolution aligns with the PLA’s new military doctrine of “peacetime-wartime integration,” which emphasizes maintaining a state of readiness to leverage cyber capabilities at the onset of a conflict. By pre-positioning in critical infrastructure networks, Volt Typhoon prepares the operational environment for potential future hostilities. At the same time, Salt Typhoon conducts parallel deep espionage, gathering the intelligence necessary for long-term strategic advantage. This coordinated approach demonstrates a sophisticated division of labor within China’s cyber apparatus, where different state entities pursue complementary objectives under a unified strategic umbrella.
Recommendations and Defensive Posture
The nature of the Volt and Salt Typhoon campaigns demands a paradigm shift in defensive strategy. Traditional cybersecurity measures, focused on detecting and blocking known malware, are insufficient against actors who “live-off-the-land” and abuse legitimate tools. Defending against these sophisticated threats requires a focus on fundamental controls and a new approach to network monitoring.
First, critical infrastructure owners and operators must prioritize the fundamentals of cybersecurity, as recommended by CISA. This includes robust patch management, particularly for public-facing devices, to eliminate initial access vectors. The widespread implementation of multi-factor authentication (MFA) and the careful management of end-of-life systems are also essential to protect against credential theft and known vulnerabilities.
Second, organizations must shift their focus toward enhanced visibility and behavioral analytics. Since these threats do not rely on malicious binaries, defenders must look for anomalies in user and network behavior rather than for known-bad files. This requires a deeper look at logging practices: routine administrative activity (process creation with command lines, remote logins, configuration changes on network devices) must be logged, and logs must be forwarded to a central, separately secured store so that an attacker who clears a host’s local event log does not also erase the record. User and Entity Behavior Analytics (UEBA) builds on that telemetry by establishing a baseline of normal behavior per account and per device and flagging deviations from it, such as an account logging in at an unusual hour or reaching a server it has never touched before.
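The core of a UEBA baseline is small enough to show in full. The following is an added example, not NetSecurity’s ThreatResponder logic or code from the page’s sources: it learns, per account, the hosts and hours of day seen during a training window and then flags logins in a later window that hit a new host or fall outside the usual hours. The authentication records are constructed for illustration, and the one-hour tolerance around observed login hours is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed authentication records, not real telemetry: (ISO timestamp, user, destination host).
# BASELINE_WINDOW is the training period; EVAL_WINDOW is what we score against it.
BASELINE_WINDOW = [
    ("2024-03-04T08:55:00", "jsmith", "fileserv01"),
    ("2024-03-04T09:10:00", "jsmith", "fileserv01"),
    ("2024-03-05T10:02:00", "jsmith", "erp-app02"),
    ("2024-03-06T17:40:00", "jsmith", "fileserv01"),
    ("2024-03-04T22:15:00", "svc_backup", "fileserv01"),
    ("2024-03-05T22:17:00", "svc_backup", "fileserv01"),
    ("2024-03-06T22:14:00", "svc_backup", "dc01"),
]
EVAL_WINDOW = [
    ("2024-03-11T09:05:00", "jsmith", "fileserv01"),      # in profile
    ("2024-03-12T03:12:00", "jsmith", "scada-hist01"),    # off-hours AND a new host
    ("2024-03-12T22:16:00", "svc_backup", "fileserv01"),  # in profile
    ("2024-03-13T22:20:00", "svc_backup", "jump01"),      # service account on a new host
]


def build_baseline(records):
    """Per user, the set of destination hosts and the set of login hours observed."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host in records:
        hour = datetime.fromisoformat(ts).hour
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(hour)
    return baseline


def hour_is_unusual(hour, known_hours, tolerance=1):
    """True if `hour` is more than `tolerance` hours (on a 24-hour circle) from every baseline hour."""
    return all(min(abs(hour - h), 24 - abs(hour - h)) > tolerance for h in known_hours)


def detect_anomalies(baseline, records):
    """Return [(ts, user, host, [reasons])] for records that deviate from the user's profile.

    A user absent from the baseline is itself a finding: an account that never
    authenticated during training has no "normal" to compare against.
    """
    findings = []
    for ts, user, host in records:
        hour = datetime.fromisoformat(ts).hour
        profile = baseline.get(user)
        reasons = []
        if profile is None:
            reasons.append("user never seen in baseline")
        else:
            if host not in profile["hosts"]:
                reasons.append("first login to this host")
            if hour_is_unusual(hour, profile["hours"]):
                reasons.append("login outside usual hours")
        if reasons:
            findings.append((ts, user, host, reasons))
    return findings


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_WINDOW)
    for ts, user, host, reasons in detect_anomalies(profiles, EVAL_WINDOW):
        print(f"{ts} {user} -> {host}: {', '.join(reasons)}")
```

Two design points matter more than the arithmetic. The baseline must be learned from a window you trust to be clean, otherwise an actor already present for months (as both Typhoon groups have been) is baked into “normal”. And the finding for `svc_backup` shows why service accounts deserve their own profiles: a single new destination for an account that should only ever touch two hosts is a stronger signal than the same event for an interactive user.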
Finally, given the shared emphasis on credential theft, a zero-trust architecture and strong privileged access management (PAM) are non-negotiable. It is also imperative to secure the supply chain and third-party vendors, as attackers may use these trusted relationships as a pivot point to gain access to downstream customer environments. The threats posed by these groups are not theoretical but “real and urgent,” and the path forward requires a coordinated and proactive defense across government and industry.
The Path Forward: NetSecurity’s ThreatResponder
As ransomware attacks grow in complexity and impact, CISOs face the formidable challenge of safeguarding their organizations from this ever-evolving threat. NetSecurity’s ThreatResponder offers a robust solution tailored to the needs of today’s cybersecurity leaders. This AI-powered, cloud-native platform provides comprehensive endpoint security capabilities, including:
- Real-time Threat Detection and Response: Swift identification and neutralization of ransomware threats before they can inflict damage.
- Vulnerability Management: Proactive identification and remediation of vulnerabilities to prevent exploitation.
- Forensic Investigations and Threat Hunting: In-depth analysis and hunting capabilities to uncover hidden threats and strengthen defenses.
- Identity Threat Detection and Response (ITDR): Safeguarding user credentials and preventing identity-based attacks.
With its lightweight agent and multi-functional capabilities, ThreatResponder empowers organizations to prevent ransomware attacks and ensure cyber resilience. It is the trusted ally CISOs need to navigate the complex landscape of modern cyber threats.
Don’t wait until it’s too late. Secure your endpoints with ThreatResponder today and experience the future of endpoint security.