As CCP Cybersabotage Escalates, US Changes Posture

Once considered mainly an economic thief in cyberspace, the Chinese Communist Party (CCP) is now seen by the U.S. military as its top cyberthreat and “pacing adversary,” capable of not only espionage, but also potential sabotage of lifeline systems.

More than a dozen cybersecurity annual reviews and 2025 trend reports sound the alarm on the regime’s increasingly sophisticated cybercapabilities, with one even crowning 2024 as the “inflection point” in Chinese cyberespionage.

The recent large-scale hacks into U.S. critical infrastructure and telecommunications networks that went undetected for months, if not years, seemed a far cry from the unsubtle, brute-force cyberactivity of earlier years and brought new attention to the issue.

The shift on the regime’s part was not sudden, but rather the natural outgrowth of some 30 years of heavy investment in the cybersector.

The United States has also undergone a shift in its understanding of the regime and is now intent on pushing back.

CCP Builds Up Cybersector

In 1996, Kevin Mandia was a special agent at the Air Force Office of Special Investigations when he saw his first Chinese state-sponsored cybercampaign infiltrate “27 or 37 military bases” unencumbered.
It is a story that the cybersecurity executive has shared in many public talks, including one at the RSA Conference in April.

Mandia saw the Marine Corps, Army, Air Force, and Department of Energy breached on day one of the CCP-backed campaign as remote actors gained access via a West Coast university, with legitimate credentials belonging to several former Chinese international students whose accounts were never closed.

It showed the systemic nature of a state-backed campaign, according to Mandia, as division of labor was evident in the hack: One person or team was tasked with the testing of credentials, and another with the exfiltration of data.

The CCP People’s Liberation Army has had cyberunits since the 1990s, whereas it was not until 2009 that the United States established U.S. Cyber Command, or Cybercom, to unify cyberoperations.

The CCP has long considered cyberspace a theater of war, much like land, air, and sea, but early Chinese state-backed cyberactivity against the United States was better understood as economic espionage, something done to bolster Chinese companies with stolen trade secrets.

Staff and visitors walk past the lobby at the Huawei office in Wuhan, Hubei Province, China, on Oct. 8, 2012. Lawmakers, officials, and experts around the world had raised national security concerns about Chinese telecom services, including Huawei, by the early 2000s. STR/AFP/GettyImages

Even so, it was not until a groundbreaking report published by cybersecurity company Mandiant in 2013 exposed a Chinese hacking group as the People’s Liberation Army’s Unit 61398 that the U.S. private sector took seriously the threat of a foreign nation state at its door. The report, identifying the exact buildings the hackers worked out of and the identities of some members of the unit, detailed how the group had stolen data from 141 companies across 20 industries since 2006.

“We did it to genuinely push the agenda of ‘China’s literally hacking everybody and nobody knows it,’” Mandia, former CEO of Mandiant, said at the RSA Conference.

CCP leader Xi Jinping, whose tenure has been characterized by openly aggressive competition against the United States, stated in 2015, a few years after he came to power, his intention to have the regime become a superpower in cyberspace. Official speeches and documents outlined the need to secure cyberpower as a pillar of economic, national, and military security.

The same year, Xi stated the regime’s renewed focus on the CCP’s strategy of “military-civil fusion,” which blurs the lines between technologies for commercial use and for military use, emphasizing the lack of a true private sector in communist China.

In the decade since, the CCP’s investment in cybercapabilities has been unmatched.

One example is the hacking competition landscape in China, which provides hands-on experience, knowledge sharing, and career paths for an ever-growing industry of hackers.

An Atlantic Council analysis of Chinese capture-the-flag hacking competitions, which do not include competitions focused on vulnerability exploits, describes the ecosystem as “unparalleled in size and scope—something akin to four overlapping National Collegiate Athletic Associations, each with their own primary government sponsor, just for cybersecurity students to exercise their skills.”

The regime is also a major buyer in the cyberoffensive industry, which ensures that it has a steady pipeline of software exploits to acquire, according to another Atlantic Council report. It is an environment in which even local branches of the regime have cyberunits carrying out operations.

Paul Rosenzweig, cybersecurity expert and former deputy assistant secretary for policy in the Department of Homeland Security, said the time and money that the Chinese regime has poured into cyber has put it very much on an equal footing with the United States in that sector. The two nations’ approaches also differ drastically, he said, pointing to recruitment techniques wherein a hacker arrested in China may be given a government job instead of a prison sentence.

“The best 10,000 [cyberoperatives] in the United States are better than the best 10,000 in China,” Rosenzweig told The Epoch Times. “But if the United States has 100,000 [cyberoperatives], China has 1 million.”

Cybersecurity researchers say Chinese state-backed cyberactivity has been more difficult to detect as of late, which indicates not only a fine-tuning of techniques, but also an increased emphasis on operational security and infrastructure management in these organized campaigns.

Deputy Attorney General Jeffery Rosen speaks to the media about charges and arrests related to a computer intrusion campaign tied to the Chinese regime, at the Department of Justice in Washington on Sept. 16, 2020. Tasos Katopodis-Pool/Getty Images


US Changes Posture

David Stehlin, CEO of Telecommunications Industry Association (TIA), was running a venture-backed company in 2002 when he had his first encounter with Huawei. The Chinese telecom giant had stolen some of his company’s technology.

Years later, when Stehlin was CEO of a publicly traded company, Huawei would outbid his company for contracts around the world by 40 percent or 50 percent, selling below cost and making it impossible to compete.

It is not the case that the U.S. public or private sector had no awareness of the CCP’s malicious cyberactivity until recently. Rather, for many years, there was simply no recourse for hacked businesses or officials. The work to shore up cyberdefenses largely falls on the private sector, which bears the brunt of the hacks. Industry is rising to the challenge, but looks to the government to take the lead on an issue that has risen to the level of national security.

Lawmakers, officials, and experts around the world had raised national security concerns about Chinese telecom services, including Huawei, by the early 2000s. But it was during the first Trump administration, which named Huawei/ZTE telecom equipment as a threat to national security, that Stehlin said he saw a real shift begin.

At the time, one-third of the world was using Huawei/ZTE technology, one-third of the world was using trusted technologies, and another third had not yet made up its mind, Stehlin told The Epoch Times. The Trump administration not only made the choice for trusted technologies at home, but also engaged countries around the world to “number one, tell them about the risks, and number two, show them a path to a more secure network,” Stehlin said.

“The [first Trump administration] recognized that we need more trusted technology in the communications infrastructure around the world,” Stehlin said. In today’s connected world, where nearly all internet traffic travels through subsea cables, breaches in other countries can result in vulnerabilities to systems at home, as well.

Defense experts and critical infrastructure industry veterans broadly credit President Donald Trump in his first administration for the nation’s recognition of the CCP as a cyberadversary. This finally opened a path for a coordinated solution.

In 2018, Trump issued the nation’s first cybersecurity strategy since 2003, to “make America cyber secure.” Since then, the United States’ risk surface has only grown. As the world has become increasingly connected, persistent adversaries scouring for an unguarded entry point have had ever more options.

Telecommunications networks are especially high-value targets, being subject to both cyberespionage and potential cyberattacks, and there had already been well-documented cases of Chinese state-owned telecom companies rerouting U.S. or European data to China. As the United States committed millions in taxpayer dollars to spend the next decade ripping out these untrusted technologies, the industry also began to overhaul its approach to security.

President Donald Trump speaks after signing the Cybersecurity and Infrastructure Security Agency Act in the Oval Office on Nov. 16, 2018. Since his first term, Trump has emphasized the need to strengthen national cybersecurity. Saul Loeb/AFP via Getty Images

TIA, which views itself as the trusted association for the industry, set about preparing measurable standards with which to certify products and services in the telecommunications sector. With the expertise of volunteers in its 400-plus member companies and with buy-in from the United States and other governments, TIA published the first Cybersecurity and Supply Chain Security Standard in 2022. It issued an update in 2023.

“Organizations have started to shift from being reactive to being proactive,” Stehlin said. “Security needs to be embedded into this digital transformation that’s been going on for some time, and will continue for some time, starting with a deep understanding of how companies make products, and the subsystems that they use, and the chips that they use.”

Terms such as “zero trust architecture,” “defense in depth,” and “secure by design” reflect this shift in approach. Best practices dictate that a company build security into the product or service development process from the beginning and prepare for the event of a breach. The approach incorporates multiple layers of security to contain any potential breach and employs continuous monitoring and threat hunting within the system.

“Can you trace the software all the way back to its source?” Stehlin said. “How quickly do you fix a problem when you have a problem? How do you know that the chips you’re using are not counterfeit chips? Are you, as a company, a trusted supplier?

“We’re not just throwing it up in the air and saying, ‘Trusted or not trusted?’ No, these are measurable elements that we use to evaluate trust.”

But this defensive posture shows that the CCP has put the United States on the back foot, experts repeatedly told The Epoch Times. Given enough time and resources, which the CCP’s cyberoperatives had in spades, any system can be penetrated. Beijing hit hard as U.S. networks began their transition in security strategy.

Series of ‘Typhoons’

Ten years after the Mandiant report sparked recognition that China-based hacking campaigns against the United States were in fact state-sponsored, Microsoft disclosed a “stealthy and targeted malicious” CCP-backed cybercampaign aimed at U.S. critical infrastructure, which it dubbed “Volt Typhoon.”

In a May 2023 report, Microsoft detailed how Volt Typhoon had been active since mid-2021 and affected organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, IT, and educational sectors. It highlighted the campaign’s emphasis on stealth, with techniques that mimic legitimate activity so as to avoid detection for as long as possible.

Microsoft assessed with moderate confidence that Volt Typhoon was also pursuing capabilities to disrupt critical infrastructure in the event of conflict. The disclosure was prompted by the need for increased protection, which heightened awareness would bring. A year later, FBI head Christopher Wray told lawmakers that Volt Typhoon was pre-positioned for disruption.

The fuel shortages caused by a 2021 ransomware attack on Colonial Pipeline had already alerted the nation to what a cyberenabled disruption of critical infrastructure could mean.

A sign for Microsoft at an event booth in Washington on June 2, 2025. In 2023, the company revealed a “stealthy and targeted” CCP-backed cyber campaign against U.S. critical infrastructure, which it dubbed “Volt Typhoon.” Madalina Vasiliu/The Epoch Times

Volt Typhoon’s stealthy approach and its potential goal of disrupting critical infrastructure were markedly different from what CCP-backed hackers had previously demonstrated, and it was only one of several new campaigns.

Salt Typhoon targeted telecommunications networks and made off with government communications. Flax Typhoon alerted the world to the risk of Chinese-manufactured consumer electronics when some 200,000 devices including cameras and Wi-Fi routers were hijacked to create a network, or “botnet,” with which to carry out cyberespionage operations.

Silk Typhoon’s breach of Microsoft Exchange servers was so pervasive that it prompted the United States, the UK, and the European Union to issue their first joint statement condemning the Chinese regime’s cyberactivities. The U.S. Justice Department requested a court order to allow the FBI to remove malware from tens of thousands of civilian servers.

In July, Microsoft named two more CCP-backed campaigns involved in stealing data from SharePoint servers.

The “Typhoon” designations are what Microsoft uses to track CCP-backed campaigns, but different security researchers use other names.

“Salt Typhoon, Volt Typhoon—there’s just a legion of possible avenues here,” Rosenzweig said about the campaigns’ potential for disruption. It is “reasonably apparent” that the Chinese regime may be looking for something to hold as surety against potential U.S. action, he said.

Jeff Hoffmann, senior cyber fellow at The Gold Institute for International Strategy, told The Epoch Times that with these various new campaigns, the CCP is “really on the move in terms of exploring where there may be vulnerabilities and to show that [it has] a presence.”

“How is this different from nuclear weapons to show that they have deterrence?” he said.

Imposing ‘Costs’

Stakeholders began to ask whether the United States would hit back.

“I don’t think the American people realize ... the extent to which our telecom systems have been deeply compromised,” Sen. Josh Hawley (R-Mo.) said at a June congressional hearing. “What are we going to do to get them out of there and protect the American people, who right now are sitting ducks?”

At the same hearing, Sen. Elissa Slotkin (D-Mich.) said, “I want to do offensive cyber, I want to make them feel pain, for the Russians and the Chinese that are launching these attacks.”

Sanctions are no longer a deterrent, and it is imperative for the United States to show that it has a response, Hoffmann said.

“If China does go beyond pre-positioning and [does] what Iran has done in Israel to actually have an impact on industrial control systems—say, in a water treatment plant—if that does come to a disruptive level, what is our response?” he said. “We need to develop that policy.

(L–R) British Conservative MP Tim Loughton, former Conservative leader Iain Duncan Smith, and SNP’s former defense spokesman Stewart McDonald from the Inter-Parliamentary Alliance on China, hold a press conference in central London on March 25, 2024. Daniel Leal/AFP via Getty Images


“We need to thank President Donald J. Trump on his leadership—immediately when he was inaugurated, he renewed the national emergency to mitigate, deter, and defeat foreign adversaries in cyber, and that includes China.”

Hoffmann said he sees a likely Trump–Xi meeting as a prime opportunity for this administration to make its position clear.

The president has said that although a trade deal with China is “not imperative,” he expects to strike a good one and is likely to meet with Xi before the end of the year.

The Trump administration’s new cyberofficials have also committed to showing adversaries that cyberactivity against the United States is unacceptable.

Alexei Bulazel, senior director for cyber at the White House National Security Council, said at the RSA Conference in May that while deterrence as defined during the Cold War does not work in cyberspace, there are ways to degrade adversary capabilities and impose costs on intrusion attempts.

“Not responding is, I think, escalatory in its own right,” Bulazel said. “If you continually let the adversary walk all over you—they hack you and you do nothing, and they hack you—that in itself sets a norm.

“We need to find some way to communicate that this is not acceptable.”

Longtime FBI agent Brett Leatherman, promoted in June to lead the agency’s cybercrime division, stated in the announcement that his charge was to make malicious cyberactivity against the United States “unsustainable.”

Incoming National Cyber Director Sean Cairncross said during his Senate confirmation hearing that the dilemma the United States faces in cyber needs to change.

“Our enemies do not see a cost in engaging in this behavior, so they impose strategic dilemmas on us now, and they have for a long period of time,” he said.

“It’s time that we impose those dilemmas on them. I look forward to working, to do everything that I can, to make sure that our adversaries, our enemies, and criminals operating in this space know that this is not a cost-free endeavor.”