Recent campaigns by Chinese state-backed cyber espionage groups targeting critical infrastructure in the United States demonstrated the considerable capabilities and patience that groups such as Volt Typhoon and Salt Typhoon possess. But they also revealed significant weaknesses in U.S. defenses, and showed how difficult it can be to identify and remediate these types of intrusions.
The Typhoon groups are cyber espionage teams generally associated with the Chinese government, and Salt Typhoon specifically has been blamed for last year’s significant intrusion at several U.S. telecom companies. That operation enabled the group to access core parts of the telco operators’ infrastructure, including some of the systems that are used to comply with law enforcement requests for information under the CALEA statute. The intrusions, revealed late last year, caused tremendous concern in Washington and throughout the technology sector. For security experts who have been warning about the fragility of the U.S. critical infrastructure for many years, the Salt Typhoon attacks were just one more link in a long chain.
At a hearing on the attacks held last week by the House Committee on Oversight and Government Reform, committee members expressed concern about the scope of the attacks and about what other operations like them might still be undiscovered.
“Our nation’s critical infrastructure is under attack at a staggering pace,” said Rep. William Timmons.
The security experts on the witness panel emphasized that this intrusion is part of a bigger picture.
“We need to be thinking about the next problem. It’s as if we’re driving and hitting a bunch of potholes and we don’t want to ignore the potholes but it’s scariest when there’s gigantic sinkholes ahead of us. Unless we figure out a way to deal with that on a national level and in a coordinated way, then I think we’ll look back on Salt Typhoon as perhaps child’s play,” Ed Amoroso, CEO of TAG Infosphere and the former longtime CISO at AT&T, told the committee.
These types of intrusions are not new, but their scope and scale have been growing as threat actors become more adept and audacious. That evolution also makes it more difficult for defenders to find and track these groups, which highlights the need for continuous, advanced threat hunting in these environments. Finding intrusions as soon as possible, before they have a chance to do real damage, is critical to enterprise and government defense, and that is coming into even sharper focus as adversaries employ AI-driven offensive strategies and tools.
“Our adversaries are not waiting. They are actively integrating AI into their offensive cyber arsenals—using machine learning to automate reconnaissance, exploit development, and the coordination of persistent, targeted attacks. If we do not respond in kind with equal or greater sophistication, we risk being outmatched not just occasionally, but systemically,” Amoroso said.
Adversaries shift their tactics and infrastructure all the time, which makes identifying threats that much more challenging: the infrastructure or tooling that was observable yesterday may be gone today. Finding these threats and remediating the weaknesses they exploit is a serious challenge, but it is one that must be addressed on a continuous basis rather than as a one-time effort.
“Salt Typhoon will happen again unless we make radical changes,” Matt Blaze, a professor of computer science and law at Georgetown University, told the committee.

