APT / CYBERCOM / MSS / PLA Unit 61398
Two Doctrines, One Digital Battlefield
The US and China are engaged in what intelligence officials describe as the most sustained and damaging state-on-state cyber conflict in history. It is not declared — there is no formal cyberwar resolution, no legal framework governing its conduct — but it is ongoing, escalating, and increasingly consequential for critical infrastructure on both sides.
The two powers approach cyber operations with fundamentally different doctrines:
United States
- Signals intelligence (NSA) and covert offensive action (CYBERCOM)
- "Defend Forward" — disrupt adversaries before they reach US networks
- Targeted strikes on specific adversary infrastructure during crises
- Legal constraint: Title 10 / Title 50 authorities, congressional oversight
- Primary focus: espionage, deterrence, election security

People's Republic of China
- Ministry of State Security (MSS) + PLA Strategic Support Force
- "Pre-positioning" — embed in adversary infrastructure years in advance
- Massive-scale intellectual property theft to accelerate economic development
- No separation between intelligence, military, and commercial cyber actors
- Primary focus: IP theft, long-term infrastructure access, political coercion
China's Major Operations — Documented
VOLT TYPHOON
PRC / MSS-affiliated — Active 2021–Present (publicly confirmed 2023)
Perhaps the most alarming Chinese cyber campaign ever publicly disclosed. Volt Typhoon did not steal data — it pre-positioned for sabotage. FBI and CISA confirmed in 2024 that Volt Typhoon had infiltrated US water utilities, power grids, ports, pipelines, and telecommunications providers across all 50 states. The operation used "living off the land" techniques — hijacking legitimate system administration tools to avoid detection — and established persistent access designed to survive network defenders' discovery attempts. The explicit stated purpose, per CISA: to be able to disrupt critical US infrastructure in the event of a military conflict over Taiwan.
Strategic significance: Not espionage. Pre-positioned sabotage capability. The cyber equivalent of planting explosives in infrastructure before a war begins. FBI Director Christopher Wray called it "the defining threat of our generation."
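"Living off the land" means the intrusion leaves no foreign binary to signature-match; what remains detectable is built-in administration tooling being launched by a parent process, account or host that never does so in normal operation. The following is an added illustration of that baselining idea, not code from CISA, the FBI or any source listed on this page. The log field layout, the list of administration utilities, the baseline of expected parent processes and the sample records are all constructed for the example.

```python
"""Baseline-based hunt for 'living off the land' activity in process-creation
telemetry. Added example: the record format, tool list, baseline and sample
log lines are constructed for illustration and are not from any real
environment or advisory."""

# Built-in Windows administration utilities that intrusions commonly reuse
# instead of dropping their own malware (assumed, deliberately short list).
ADMIN_TOOLS = {"netsh.exe", "wmic.exe", "ntdsutil.exe", "powershell.exe", "schtasks.exe"}

# Constructed baseline: which parent processes are expected to launch each
# tool in this hypothetical environment, learned from a clean period of logs.
# An empty set means the tool is never expected to run at all.
BASELINE = {
    "powershell.exe": {"explorer.exe", "sccm_agent.exe"},
    "netsh.exe": {"sccm_agent.exe"},
    "schtasks.exe": {"sccm_agent.exe"},
    "wmic.exe": {"monitoring_agent.exe"},
    "ntdsutil.exe": set(),
}

# Constructed sample records: timestamp|host|user|parent_image|image|cmdline
SAMPLE_LOGS = [
    "2024-02-07T09:12:01|ws-017|CORP\\jdoe|explorer.exe|powershell.exe|powershell.exe -File Get-Inventory.ps1",
    "2024-02-07T09:15:44|srv-app02|NT AUTHORITY\\SYSTEM|sccm_agent.exe|netsh.exe|netsh interface show interface",
    "2024-02-07T09:20:13|srv-app02|NT AUTHORITY\\SYSTEM|monitoring_agent.exe|wmic.exe|wmic os get caption",
    "2024-02-07T03:41:09|srv-web01|CORP\\svc_web|w3wp.exe|netsh.exe|netsh interface show interface",
    "2024-02-07T03:42:30|srv-dc01|CORP\\svc_web|cmd.exe|ntdsutil.exe|ntdsutil",
    "malformed record with too few fields",
]


def parse_record(line):
    """Split one pipe-delimited record into a dict; return None if malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 6:
        return None
    keys = ("ts", "host", "user", "parent", "image", "cmdline")
    rec = dict(zip(keys, parts))
    rec["image"] = rec["image"].lower()
    rec["parent"] = rec["parent"].lower()
    return rec


def hunt(lines, baseline, tools=ADMIN_TOOLS):
    """Return a finding for every admin-tool launch whose parent process is
    outside the baseline for that tool. Malformed lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["image"] not in tools:
            continue
        expected = baseline.get(rec["image"], set())
        if rec["parent"] not in expected:
            findings.append({
                "ts": rec["ts"],
                "host": rec["host"],
                "user": rec["user"],
                "image": rec["image"],
                "parent": rec["parent"],
                "reason": f"{rec['image']} launched by unexpected parent {rec['parent']}",
            })
    return findings


def hosts_by_user(findings):
    """Pivot findings to the set of hosts each flagged account touched; one
    account spawning admin tools across several hosts is worth a closer look."""
    pivot = {}
    for f in findings:
        pivot.setdefault(f["user"], set()).add(f["host"])
    return pivot


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS, BASELINE):
        print(f["ts"], f["host"], f["user"], "-", f["reason"])
    print(hosts_by_user(hunt(SAMPLE_LOGS, BASELINE)))
```

On the constructed sample the first three records match the baseline and produce nothing; the web-server worker spawning netsh.exe and cmd.exe spawning ntdsutil.exe are flagged, and the pivot shows the same service account appearing on two hosts. The value of this approach is that it needs no malware signature, which is exactly the gap LOTL tradecraft exploits; its cost is that the baseline has to be maintained as legitimate administration changes.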
SALT TYPHOON
PRC / MSS — Active 2022–2024 (confirmed October 2024)
Chinese intelligence penetrated the network infrastructure of at least eight major US telecommunications carriers — including AT&T, Verizon, T-Mobile, and Lumen Technologies. Salt Typhoon accessed the backend systems carriers use to comply with US lawful intercept orders (CALEA systems) — meaning China gained access to the same wiretap infrastructure the US government uses for its own surveillance. Senior US government officials' calls and texts were intercepted. The operation also gave China insight into who US intelligence agencies were monitoring — a counterintelligence windfall.
Strategic significance: Described by Senate Intelligence Committee Chair Mark Warner as "the worst telecom hack in US history." China accessed the US government's own surveillance infrastructure. Duration of access: potentially years before discovery.
OPM BREACH
PRC / MSS (attributed) — 2014–2015
Chinese hackers breached the Office of Personnel Management and exfiltrated the personnel records of 22.1 million current and former federal employees — including SF-86 security clearance application forms, which contain extraordinarily sensitive personal data: foreign contacts, financial history, mental health disclosures, family members, and known vulnerabilities. The OPM database is effectively a comprehensive map of the US intelligence community's human terrain — who they are, who they know, and where they're vulnerable to recruitment or coercion.
Strategic significance: Called "the crown jewels of US counterintelligence" by some analysts. The data has likely been cross-referenced with other stolen datasets to identify CIA officers, undercover agents, and recruitment targets. The full scope of damage may never be known.
MICROSOFT EXCHANGE / HAFNIUM
PRC / MSS-linked (HAFNIUM group) — 2021
MSS-linked hackers exploited four zero-day vulnerabilities in Microsoft Exchange Server, compromising at least 30,000 organizations in the United States — and hundreds of thousands globally — within days of the exploit becoming known. Targets included defense contractors, law firms, infectious disease researchers (during COVID-19), and local government agencies. The speed of exploitation suggested China had prepared infrastructure in advance to maximize the window between exploit discovery and patch deployment.
Strategic significance: One of the broadest single cyber operations in history by victim count. Demonstrated China's willingness to conduct mass-exploitation rather than only targeted precision operations.
PLA UNIT 61398 — "COMMENT CREW"
PLA 3rd Department / Shanghai — 2006–2013 (indicted 2014)
The first publicly named PLA cyber unit, exposed by cybersecurity firm Mandiant in 2013. Unit 61398 systematically targeted 141 companies across 20 industries over seven years, stealing terabytes of intellectual property including aerospace designs, energy infrastructure blueprints, pharmaceutical research, and advanced manufacturing processes. The unit operated from a 12-story building in Pudong, Shanghai, with hundreds of staff working regular business hours — confirming cyber espionage as a state-organized, systematized program, not opportunistic hacking.
Strategic significance: The 2014 DOJ indictment of five named PLA officers was the first criminal indictment of foreign state actors for cyber espionage. China recalled its cyber attaché and suspended a bilateral working group — then resumed operations.
US Operations Against China — Documented
BYZANTINE HADES / NSA TAO CHINA OPS
NSA Tailored Access Operations — 2000s–present (partially revealed via Snowden)
Snowden documents confirmed NSA TAO conducted extensive operations against Chinese targets including Tsinghua University (a major internet exchange node), Pacnet (a major Asia-Pacific fiber operator), and Huawei's internal networks. The Huawei operation — codenamed SHOTGIANT — aimed to exploit Huawei equipment's backdoors to conduct surveillance through the equipment Huawei sold to foreign governments, and to understand Huawei's relationships with the PLA.
Strategic significance: China used Snowden's revelations to justify its own mass surveillance programs domestically and to argue that US accusations of Chinese hacking were hypocritical.
CYBERCOM OPERATIONS — DEFEND FORWARD
US Cyber Command — 2018–Present
Under the 2018 Defend Forward doctrine, CYBERCOM has conducted acknowledged and unacknowledged operations inside Chinese networks to identify pre-positioned malware, map MSS and PLA cyber infrastructure, and develop counter-options. Specific operations remain classified, but officials have confirmed CYBERCOM teams operate "left of launch" — disrupting adversary cyber capabilities before they can be used — in both Chinese and Russian networks.
Strategic significance: Marks a shift from reactive defense to persistent offensive presence in adversary networks — matching China's own pre-positioning doctrine.
Critical Infrastructure: The Pre-War Battlefield
The most alarming dimension of the US-China cyber conflict is the systematic infiltration of critical infrastructure — operations designed not to collect intelligence now, but to enable physical sabotage later.
| Threat Actor | Infrastructure Targeted | Confirmed Access? | Purpose |
|---|---|---|---|
| Volt Typhoon (CN) | Water utilities, power grid, ports, pipelines, telecom | Yes — CISA/FBI confirmed 2024 | Pre-positioned sabotage; Taiwan conflict trigger |
| Salt Typhoon (CN) | Major US telecom carriers (AT&T, Verizon, T-Mobile) | Yes — confirmed Oct 2024 | Surveillance of officials; access to US wiretap systems |
| MSS / PLA (CN) | Defense industrial base, universities, labs | Yes — multiple DOJ indictments | IP theft; military technology transfer |
| NSA / CYBERCOM (US) | Chinese telecom (Huawei), military networks | Partially — Snowden docs | Intelligence collection; counter-option development |
CISA Emergency Advisory — 2024
Following Volt Typhoon confirmation, CISA issued guidance stating Chinese actors had achieved "persistent access" to "multiple" critical infrastructure sectors and that network defenders should assume compromise. The advisory noted the activity was "not focused on espionage" but on pre-positioning for "potential future disruptive or destructive cyberattacks."
Key Events Timeline
2006–2013 — CHINA
PLA Unit 61398 — systematic IP theft
141 companies across 20 industries. Aerospace, energy, pharma, manufacturing. Terabytes exfiltrated from Shanghai government building.
2010 — US + ISRAEL
Stuxnet destroys Iranian centrifuges
First cyberweapon to cause physical destruction. Demonstrates US willingness to use offensive cyber for kinetic effects. China takes extensive notes.
2014–2015 — CHINA
OPM breach — 22.1M records stolen
Crown jewels of US intelligence community HR data. SF-86 files, fingerprints, foreign contacts. Counterintelligence damage still unfolding.
2015 — OBAMA–XI SUMMIT
Xi pledges to stop commercial cyber theft
Temporary reduction in Chinese IP theft operations. Formal "cyber norms" agreement. Operations resume at scale within two years as MSS replaces PLA as primary cyber actor.
2021 — CHINA
HAFNIUM — 30,000+ Exchange servers compromised
Mass exploitation of Microsoft Exchange zero-days. Speed of compromise suggests pre-staged infrastructure. Defense contractors, law firms, health researchers targeted.
2021–2023 — US
CYBERCOM Hunt Forward missions expand
US teams deployed to Ukraine, Baltic states, and Asia-Pacific partners to hunt adversary malware on allied networks. China named as primary threat in classified mission briefs.
2021–2024 — CHINA
Volt Typhoon infiltrates US critical infrastructure
Water, power, ports, pipelines — all 50 states. Pre-positioned sabotage capability. Designed to activate in event of Taiwan military conflict. "Living off the land" evasion.
2022–2024 — CHINA
Salt Typhoon penetrates US telecom backbone
AT&T, Verizon, T-Mobile, Lumen compromised. Access to CALEA lawful intercept systems. Senior government officials' communications intercepted. Worst telecom hack in US history.
2025–Present
Escalating posture on both sides
CYBERCOM budget increases. China expands MSS cyber units. Taiwan Strait tensions drive both sides toward more aggressive pre-positioning and counter-positioning operations.
Where This Is Going
Several trends define the near-term trajectory of the US-China cyber conflict:
- AI-accelerated operations: Both sides are integrating large language models and AI into offensive cyber toolchains — for automated vulnerability discovery, phishing at scale, and adaptive malware that modifies itself to evade detection
- Satellite and space systems: The next frontier — GPS spoofing, satellite communication jamming, and hacking of space-based ISR (intelligence, surveillance, reconnaissance) assets
- Supply chain attacks: Targeting hardware and software vendors who supply both governments and private sector — SolarWinds (Russia) showed the template; China has pursued analogous supply chain positioning
- Taiwan as trigger: Both US and Chinese planners treat a Taiwan conflict scenario as the point at which dormant infrastructure access gets activated for kinetic-effect cyber operations — Volt Typhoon is explicitly framed this way
- No rules of engagement: Unlike nuclear weapons, there is no arms control framework, no red phone, and no agreed-upon threshold for what constitutes an act of war in cyberspace
"China has burrowed into our critical infrastructure. They're not stealing data now — they're waiting. They're pre-positioning for the day they decide to pull the trigger."
— FBI Director Christopher Wray, testimony before the House Select Committee on the Chinese Communist Party, January 2024
The Deterrence Gap
The US has never publicly acknowledged conducting offensive cyber operations against Chinese critical infrastructure, though it almost certainly has done so. This asymmetric disclosure creates a deterrence gap: China's cyber aggression is publicly documented and condemned, but the US cannot credibly threaten equivalent retaliation without acknowledging capabilities and operations it prefers to keep covert. This gap emboldens continued Chinese operations below the threshold that would trigger a declared US response.
Primary Sources & Further Reading
- CISA / FBI Joint Advisory: "People's Republic of China State-Sponsored Cyber Activity" (2024)
- CISA Advisory: "Volt Typhoon — Living Off the Land" (May 2023, updated 2024)
- FBI Director Christopher Wray, HPSCI testimony on Chinese cyber threats (January 2024)
- Mandiant / Google, "APT1: Exposing One of China's Cyber Espionage Units" (2013)
- DOJ, Indictment of Five PLA Officers (US v. Wang Dong et al., 2014)
- Senate Intelligence Committee, Salt Typhoon briefings and public statements (2024)
- Andy Greenberg, Sandworm (2019) — cyber conflict doctrine
- Nicole Perlroth, This Is How They Tell Me the World Ends (2021) — zero-day market and state arsenals
- US Cyber Command, "Achieve and Maintain Cyberspace Superiority" (2018)
- The Intercept / Snowden Archive — NSA China operations (2013–2015)