The 113% Surge in Chinese Cyber Operations: Lessons for Global Critical Infrastructure Security

Taiwan’s National Security Bureau released sobering data in early 2026: China’s cyber army launched an average of 2.63 million intrusion attempts per day against the island’s critical infrastructure throughout 2025. That represents a 113% increase from 2023 levels.

The hardest-hit sectors—energy, emergency services, and hospitals—saw the sharpest year-over-year increases. The NSB identified four major tactics: exploitation of hardware and software vulnerabilities, distributed denial-of-service attacks, social engineering, and supply chain infiltration.

For critical infrastructure operators worldwide, Taiwan’s experience offers a warning. Chinese state-sponsored operators have been documented targeting critical infrastructure networks globally—including telecommunications, government, transportation, and military systems across North America, Europe, and the Indo-Pacific region.

Understanding the Typhoons: Two Distinct Threat Models

Two Chinese cyber campaigns have dominated headlines: Salt Typhoon and Volt Typhoon. While both involve unauthorized access to critical systems, they represent fundamentally different threat models.

Salt Typhoon is an espionage operation. In late 2024, U.S. officials confirmed that hackers affiliated with the group had compromised at least nine American telecommunications companies, including Verizon, AT&T, and T-Mobile. More alarming: the attackers accessed systems used to fulfill CALEA wiretap requests—the same systems law enforcement and intelligence agencies use for court-authorized surveillance.

Volt Typhoon operates differently. Active since at least 2021 and publicly identified in 2023, this group has targeted energy utilities, water systems, communications networks, transportation infrastructure, and maritime facilities in the United States. But unlike Salt Typhoon, Volt Typhoon isn’t extracting intelligence for immediate use. According to a joint advisory from CISA, NSA, and FBI, the group is “seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks” against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. The U.S. government has observed Volt Typhoon actors maintaining access in some victim environments for years.

The distinction matters: Salt Typhoon exploits access immediately for intelligence value. Volt Typhoon holds capability in reserve, waiting for a moment when disruption would have strategic impact.

The Living-off-the-Land Challenge

Because Volt Typhoon represents a direct threat to operational continuity, understanding their tradecraft is essential for infrastructure defenders.

What makes this group particularly difficult to detect is their signature approach: living off the land. Rather than deploying custom malware that might trigger security alerts, these actors use legitimate tools already present in victim environments: native operating system commands, valid credentials, and compromised network devices to route their traffic.

Their initial access often comes through overlooked assets: internet-facing Fortinet devices, unpatched VPN appliances, compromised small office/home office routers, and network equipment past its end-of-life date. As one analysis noted, “Their real weapon is trust—misplaced trust in systems, vendors, and everyday software tools.”

For defenders, this creates a fundamental challenge. Signature-based detection fails against attackers using legitimate tools. Identifying Volt Typhoon activity requires understanding what normal looks like in your environment—and recognizing subtle deviations that indicate unauthorized access.
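As an added example (not code from the original post or from SimSpace), the baseline-then-deviation idea in the paragraph above, in Python: it learns, per host and account, which native binaries and source addresses are routine, then flags events where a valid account runs a tool or arrives from an origin its own history never shows. The log lines and their field names (host, user, src_ip, image) are constructed for this illustration.

```python
from collections import defaultdict

# Constructed baseline: a window of routine process-creation events per host.
BASELINE_LOG = [
    "2026-01-05T08:01:10 host=ops-ws1 user=alice src_ip=10.0.1.20 image=outlook.exe",
    "2026-01-05T08:04:33 host=ops-ws1 user=alice src_ip=10.0.1.20 image=excel.exe",
    "2026-01-05T09:12:07 host=ops-ws1 user=alice src_ip=10.0.1.20 image=cmd.exe",
    "2026-01-05T22:00:01 host=scada-hmi user=svc_backup src_ip=10.0.5.9 image=robocopy.exe",
    "2026-01-06T22:00:02 host=scada-hmi user=svc_backup src_ip=10.0.5.9 image=robocopy.exe",
]

# Constructed events to evaluate: two routine, two that deviate from the baseline.
NEW_EVENTS = [
    "2026-01-12T08:02:40 host=ops-ws1 user=alice src_ip=10.0.1.20 image=outlook.exe",
    "2026-01-12T22:00:03 host=scada-hmi user=svc_backup src_ip=10.0.5.9 image=robocopy.exe",
    "2026-01-12T03:17:55 host=scada-hmi user=svc_backup src_ip=10.0.5.9 image=powershell.exe",
    "2026-01-12T03:19:02 host=ops-ws1 user=alice src_ip=192.168.88.5 image=cmd.exe",
]

def parse(line):
    """Turn one 'ts key=value ...' line into a dict (the format is an assumption)."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = ts
    return ev

def build_baseline(lines):
    """Per (host, account): the binaries and source addresses seen during normal operation."""
    profile = defaultdict(lambda: {"images": set(), "src_ips": set()})
    for ev in map(parse, lines):
        p = profile[(ev["host"], ev["user"])]
        p["images"].add(ev["image"].lower())
        p["src_ips"].add(ev["src_ip"])
    return profile

def find_deviations(profile, lines):
    """Flag valid-credential events that fall outside the account's own history."""
    alerts = []
    for ev in map(parse, lines):
        key = (ev["host"], ev["user"])
        reasons = []
        if key not in profile:
            reasons.append("account never seen on this host")
        else:
            if ev["image"].lower() not in profile[key]["images"]:
                reasons.append("new tool for this account: " + ev["image"])
            if ev["src_ip"] not in profile[key]["src_ips"]:
                reasons.append("new origin for this account: " + ev["src_ip"])
        if reasons:
            alerts.append((ev["ts"], key, reasons))
    return alerts
```

Each alert on its own is weak evidence; the value is in how the account, host, tool and origin combine against that account's history, which is what signature matching never sees.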

Water and Energy Remain Prime Targets

The sectors at greatest risk share common characteristics: aging infrastructure, limited cybersecurity resources, and environments where operational technology wasn’t designed with security in mind.

Cybersecurity expert Josh Corman has described small and medium utilities as “target rich but cyber poor.” Many lack dedicated cybersecurity staff, cybersecurity budgets, or even IT staff capable of protecting industrial control systems. Meanwhile, Chinese-manufactured IoT devices in U.S. critical infrastructure networks grew by over 40% between 2023 and 2024 despite government restrictions—expanding the attack surface even in organizations that believe they’ve hardened their perimeters.

The consequences of inadequate defenses are real. In October 2024, American Water—the largest regulated water utility in the United States, serving more than 14 million people—detected a cyberattack that forced the company to disconnect customer portals and pause billing systems. While core operations weren’t affected in that incident, the vulnerability was exposed.

Corman’s assessment is blunt: “These are military hackers, prepositioning on civilian, non-combatant infrastructure so that they can target it as a precursor to armed conflict.”

Building Detection Capability

Security leaders in energy, water, telecommunications, and transportation should assume they are targets. The defensive imperative is clear: develop the ability to detect and respond to living-off-the-land intrusions before they become entrenched. That means investing in behavioral detection capabilities, training teams to hunt proactively, and validating that defenses work against realistic adversary emulation.

There is reason for cautious optimism. NSA officials have indicated that Volt Typhoon “was not successful” at maintaining quiet, long-term persistence in all cases. Kristina Walter, director of the NSA’s Cybersecurity Collaboration Center, stated, “We, with private sector, with FBI, found them, understood how they were using the operating systems, how they’re using legitimate credentials to maintain persistence, and frankly, we equipped the entire private sector and U.S. government to hunt for them and detect them.”

The implication is clear: detection requires proactive hunting, behavioral analysis, and defenders who understand their own environments well enough to spot anomalies. Passive monitoring and signature-based tools aren’t sufficient.

This is where a realistic, intelligent cyber range proves essential. Defenders need environments where they can:

  • train against adversary emulation that mirrors documented Volt Typhoon TTPs,
  • test whether their monitoring tools actually catch the subtle indicators that characterize living-off-the-land techniques, and
  • validate that their response processes work under realistic conditions.

Tabletop exercises can introduce teams to the concepts, but they can’t build the hands-on skills required to identify subtle intrusions in real time.

Organizations that invest in realistic adversary emulation gain quantifiable metrics on time-to-detect for stealthy intrusions—data that reveals gaps and drives improvement before a real incident occurs.

To learn how SimSpace helps critical infrastructure organizations train their teams to detect nation-state threats, schedule a demo.

SimSpace

For elite cybersecurity teams under siege in an AI-fueled threat landscape, SimSpace is the realistic, intelligent cyber range that strengthens teams, technologies, and processes to outsmart adversaries before the fight begins. To learn how SimSpace helps organizations graduate from individual to team and AI model training; test tools, tech stacks, and AI agents; and validate controls, processes, and agentic workflows, visit: http://www.SimSpace.com.
