Chinese Cyber Espionage Campaigns Target Critical Infrastructure
December 10, 2025
The FBI and CISA advisories about Chinese state-sponsored groups, particularly Volt Typhoon and Salt Typhoon, have generated a lot of headlines. But for organizations outside the federal government, the natural question is: does this affect us?
The short answer: more than you might think.
Beyond the headlines
Volt Typhoon's approach is notable because it largely avoids custom malware. The operators use legitimate system tools like PowerShell, WMI, and command-line utilities to move through networks. This "living off the land" technique makes detection significantly harder because the tools themselves aren't malicious: there is no file to match a signature against, so defenders have to separate malicious use from routine administration by context (who ran the tool, from which host, at what hour, with what arguments).
Salt Typhoon's targeting of telecommunications providers has broader implications. When a threat actor compromises a telecom, they potentially gain visibility into the communications of every organization using that provider, regardless of how well those organizations secure their own networks.
Why mid-market and public sector organizations should care
State-sponsored actors don't only target Fortune 500 companies. Their campaigns frequently involve:
- Supply chain compromise: Your managed service provider, your SaaS vendors, and your telecom provider are all potential vectors. If a state actor compromises your MSP, they have a path into your environment.
- Pre-positioning in critical infrastructure: Utilities, water systems, and transportation are often managed by smaller organizations with limited security budgets. Utah has a growing number of small utilities and municipal systems that fit this profile.
- Targeting of state and local government: Government contractors, even small ones, may hold information of interest to state-sponsored groups. CMMC requirements exist for a reason.
Practical defensive steps
You don't need a nation-state-level security budget to defend against these techniques. The fundamentals matter most:
1. Implement robust logging and monitoring. Living-off-the-land techniques are hard to detect without good telemetry. At minimum, enable PowerShell script block logging (Event ID 4104), process creation auditing with the command line included (Event ID 4688), and Windows Event Forwarding so that copies of those logs leave the endpoint before an intruder can clear them. If you have an EDR solution, verify it's configured to alert on suspicious use of built-in tools, not only on known malware.
2. Segment your network. The reason these campaigns succeed at scale is lateral movement. If an attacker compromises one system, can they reach everything? Network segmentation, even basic VLAN separation between workstations, servers, and critical systems, limits the blast radius.
3. Audit privileged access. Know who has administrative access to your systems, and whether that access is necessary. Implement just-in-time administrative access where possible. Reduce the number of standing admin accounts.
4. Review your supply chain. Ask your managed service providers about their security practices. Review the access your vendors have to your systems. The weakest link in your security chain might be someone else's network.
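As an added example (not code from the original post), here is what step 1 looks like when typed into an elevated PowerShell session on a Windows endpoint: it enables the three telemetry sources, points the host at a Windows Event Collector, and then sweeps the resulting 4688 and 4104 events for the kind of built-in-tool use the step warns about. The collector hostname wec01.corp.example and the pattern list are assumptions to adapt to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Turns on the three telemetry
# sources recommended in step 1 and then checks that they are producing events.
# Assumptions: the collector hostname "wec01.corp.example" is a placeholder, and
# the pattern list below is a constructed starting point, not a complete ruleset.

# 1. PowerShell script block logging -> Event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational (same key the GPO setting writes).
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Process creation auditing with the full command line -> Event ID 4688 in Security.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $audit -Force | Out-Null
Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 3. Windows Event Forwarding, source-initiated: point this host at the collector.
#    (On the collector, run 'wecutil qc' once and create a subscription that
#    pulls the Security and PowerShell/Operational logs from domain hosts.)
$wef = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $wef -Force | Out-Null
Set-ItemProperty -Path $wef -Name '1' -Type String `
    -Value 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'

# 4. Verification: pull the last 24 hours of 4688 and 4104 events and flag
#    command lines / script blocks matching common living-off-the-land usage.
#    Constructed list; -match is case-insensitive in PowerShell by default.
$lolPatterns = @(
    'powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s',  # encoded PowerShell
    'wmic(\.exe)?.*\sprocess\s+call\s+create',             # WMI process launch
    'netsh\s+interface\s+portproxy\s+add',                 # port-forwarding pivot
    'ntdsutil',                                            # AD database export
    'reg(\.exe)?\s+save\s+hkl?m\\(sam|security|system)'    # credential hive dump
)
$since = (Get-Date).AddHours(-24)

function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Read a named field from the event XML rather than relying on positional indices.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$hits = @()
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $cmd = Get-EventDataField -Event $_ -Name 'CommandLine'
        foreach ($p in $lolPatterns) {
            if ($cmd -match $p) { $hits += [pscustomobject]@{Time=$_.TimeCreated; Source='4688'; Text=$cmd}; break }
        }
    }
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $block = Get-EventDataField -Event $_ -Name 'ScriptBlockText'
        foreach ($p in $lolPatterns) {
            if ($block -match $p) { $hits += [pscustomobject]@{Time=$_.TimeCreated; Source='4104'; Text=$block}; break }
        }
    }

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No matches in the last 24h. If 4688 events carry no CommandLine field at all, auditing is not yet in effect (run gpupdate /force or reboot).'
}
```

Two things to expect when you run this: the script itself is a script block that contains every pattern in the list, so once 4104 logging is on it will show up as one hit of its own, and the registry-based settings only take effect for new PowerShell sessions and, in a domain, can be overwritten by Group Policy at the next refresh, so the durable way to deploy them is through the equivalent GPO settings rather than this one-off script.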
Perspective
Not every organization is a direct target of Chinese cyber espionage. But every organization is a potential stepping stone. The defensive measures that protect against state-sponsored actors are the same ones that protect against ransomware groups and opportunistic attackers.
Good security fundamentals don't care about the attacker's motivation. They work regardless.