
Executive Brief
Chinese government officials acknowledged their country's role in the Volt Typhoon cyberattacks targeting American critical infrastructure during a secret diplomatic meeting with US counterparts, according to an exclusive report published by the Wall Street Journal on April 10, 2025. The admission represents the first known instance of China directly acknowledging responsibility for the sophisticated hacking campaign that has targeted US water systems, power grids, telecommunications networks, and transportation infrastructure since at least 2021.
The meeting, which took place in Geneva in December 2024, involved senior officials from both nations discussing cybersecurity concerns. According to sources familiar with the discussions, Chinese officials linked the Volt Typhoon operations to US support for Taiwan, framing the cyberattacks as a response to American policy in the region. US officials interpreted the acknowledgment as a veiled warning about potential escalation should tensions over Taiwan increase.
The Volt Typhoon campaign has been attributed to Chinese state-sponsored hackers by US intelligence agencies, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) since early 2024. The group's activity has been characterized as a pre-positioning operation designed to enable disruptive or destructive cyberattacks against US infrastructure in the event of a military conflict. Targets have included water treatment facilities, electrical utilities, ports, and telecommunications providers across the continental United States and its territories, including Guam.
The disclosure comes amid heightened concerns about the vulnerability of American critical infrastructure to foreign cyberattacks. A separate study released on April 10, 2025 by Semperis found that 62% of water and electricity operators reported being targeted by cyberattacks in the past year.
What Happened
The Wall Street Journal reported on April 10, 2025 that Chinese officials made the acknowledgment during a secret meeting held in Geneva, Switzerland in December 2024. The meeting was part of ongoing diplomatic discussions between the two nations regarding cybersecurity issues.
According to the Journal's sources, the Chinese delegation did not explicitly use the term "Volt Typhoon" but acknowledged conducting cyber operations against US infrastructure. The officials reportedly connected these activities to American policy regarding Taiwan, suggesting the operations were a form of signaling or deterrence.
US officials who participated in the meeting interpreted the Chinese statements as confirmation of what American intelligence agencies had long suspected. The acknowledgment was described as indirect but unmistakable in its meaning.
The Volt Typhoon campaign was first publicly disclosed by Microsoft in May 2023, when the company identified a Chinese state-sponsored actor targeting critical infrastructure organizations in Guam and elsewhere in the United States. Subsequent investigations by US government agencies expanded the known scope of the campaign significantly.
In January 2024, the FBI and CISA issued a joint advisory warning that Volt Typhoon had maintained access to some US critical infrastructure networks for at least five years. The agencies described the campaign as focused on pre-positioning for potential future disruptive operations rather than immediate espionage or data theft.

Key Claims and Evidence
The Wall Street Journal report, citing multiple sources familiar with the Geneva meeting, stated that Chinese officials acknowledged conducting cyber operations against US infrastructure. The sources described the acknowledgment as implicit rather than a formal admission.
US intelligence assessments have consistently attributed Volt Typhoon to the People's Republic of China. The FBI, CISA, and National Security Agency have issued multiple joint advisories detailing the group's tactics, techniques, and procedures.
According to US government assessments, Volt Typhoon has targeted the following sectors:
- Water and wastewater systems
- Electric utilities and power generation
- Telecommunications networks
- Transportation systems including ports
- Oil and natural gas pipelines
The Semperis study released on April 10, 2025 provided independent data on the scope of attacks against critical infrastructure. The research found that 62% of water and electricity operators surveyed had experienced cyberattacks in the previous 12 months.
Chinese government officials have previously denied involvement in Volt Typhoon operations. In February 2024, Chinese Foreign Ministry spokesperson Mao Ning called the US accusations "groundless" and accused Washington of spreading disinformation.
Pros / Opportunities
The acknowledgment, if accurately reported, provides several potential benefits for US cybersecurity efforts:
Diplomatic clarity may enable more direct discussions about acceptable behavior in cyberspace. Previous US-China cyber agreements, such as the 2015 accord on commercial espionage, required both parties to acknowledge the existence of state-sponsored cyber activities.
Confirmation of attribution strengthens the case for defensive measures and resource allocation. Critical infrastructure operators can prioritize defenses against known Chinese tactics and techniques.
The disclosure may prompt increased investment in infrastructure security. Congressional appropriations for critical infrastructure protection have faced competing priorities, and clear evidence of foreign targeting could shift budget discussions.
International partners may be more willing to coordinate defensive measures with confirmed attribution. Allied nations have been cautious about publicly attributing cyberattacks to China without US leadership.

Cons / Risks / Limitations
The reported acknowledgment raises significant concerns:
The framing of cyberattacks as linked to Taiwan policy suggests China views critical infrastructure targeting as a legitimate tool of statecraft. This interpretation could normalize attacks on civilian infrastructure during geopolitical disputes.
Pre-positioned access to critical infrastructure represents an ongoing threat. Even with the acknowledgment, Chinese hackers may retain access to compromised networks. Remediation of Volt Typhoon intrusions has proven difficult due to the group's use of legitimate system tools and "living off the land" techniques.
The secret nature of the meeting means the acknowledgment cannot be used for public accountability. China has not made any public statement confirming the Journal's report.
Escalation risks remain significant. If China views infrastructure attacks as a deterrent tool, future tensions over Taiwan or other issues could prompt additional operations.
The Semperis study highlighted that many critical infrastructure operators lack adequate defenses. The 62% attack rate suggests widespread vulnerability regardless of attribution.
How the Technology Works
Volt Typhoon operations differ from traditional cyber espionage campaigns in their focus on access and persistence rather than data exfiltration. The group employs several distinctive techniques:
Living off the land: Rather than deploying custom malware, Volt Typhoon operators use legitimate system administration tools already present on target networks. Tools like PowerShell, Windows Management Instrumentation (WMI), and command-line utilities allow attackers to blend in with normal administrative activity.
Small office/home office (SOHO) router compromise: The group has compromised thousands of end-of-life routers and network devices to create a distributed proxy network. This infrastructure obscures the origin of attacks and provides resilient command-and-control capabilities.
Credential harvesting: Volt Typhoon operators focus on obtaining valid credentials rather than exploiting software vulnerabilities. Once inside a network, they move laterally using legitimate authentication.
Long-term persistence: Unlike ransomware operators who seek immediate financial gain, Volt Typhoon maintains quiet access for extended periods. Some compromises have persisted for years without detection.
Technical context: The group's operational security practices make detection challenging. Traditional indicators of compromise such as malware signatures or unusual network traffic are largely absent. Detection requires behavioral analysis and careful monitoring of administrative tool usage.
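As an illustration of the behavioral monitoring described above, the following added example (not taken from any advisory or vendor tooling) learns which accounts, hosts, parent processes, and hours are normal for each administrative tool, then flags process-creation events that depart from that baseline. The event fields, host and account names, and the watch list are assumptions, and all sample events are constructed.

```python
from collections import defaultdict

ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "cmd.exe"}  # assumed watch list

# Constructed events: (hour_utc, host, user, parent_image, image)
BASELINE = [
    (9,  "hmi-01",  "svc_backup", "taskeng.exe",  "powershell.exe"),
    (10, "eng-ws2", "j.ortiz",    "explorer.exe", "powershell.exe"),
    (14, "eng-ws2", "j.ortiz",    "explorer.exe", "cmd.exe"),
    (11, "eng-ws2", "j.ortiz",    "explorer.exe", "wmic.exe"),
]
OBSERVED = [
    (10, "eng-ws2", "j.ortiz",    "explorer.exe", "powershell.exe"),  # matches baseline
    (3,  "hmi-01",  "j.ortiz",    "wmiprvse.exe", "cmd.exe"),         # new host, parent, hour
    (11, "hmi-01",  "svc_backup", "taskeng.exe",  "wmic.exe"),        # new account and parent
    (13, "eng-ws2", "j.ortiz",    "explorer.exe", "notepad.exe"),     # not a watched tool
]

def build_profile(events):
    """Learn, per admin tool, which host/user pairs, parents and hours are normal."""
    profile = defaultdict(lambda: {"accounts": set(), "parents": set(), "hours": set()})
    for hour, host, user, parent, image in events:
        if image.lower() in ADMIN_TOOLS:
            entry = profile[image.lower()]
            entry["accounts"].add((host, user))
            entry["parents"].add(parent.lower())
            entry["hours"].add(hour)
    return profile

def deviations(event, profile):
    """Return the ways one event departs from the learned profile (empty if none)."""
    hour, host, user, parent, image = event
    if image.lower() not in ADMIN_TOOLS:
        return []
    entry = profile[image.lower()]
    reasons = []
    if (host, user) not in entry["accounts"]:
        reasons.append("first-seen host/user for this tool")
    if parent.lower() not in entry["parents"]:
        reasons.append("first-seen parent process")
    if entry["hours"] and not min(entry["hours"]) <= hour <= max(entry["hours"]):
        reasons.append("outside learned hours")
    return reasons

def triage(events, profile):
    """Return (event, reasons) pairs that deviate, most deviations first."""
    hits = [(e, deviations(e, profile)) for e in events]
    return sorted((h for h in hits if h[1]), key=lambda h: -len(h[1]))

if __name__ == "__main__":
    for event, reasons in triage(OBSERVED, build_profile(BASELINE)):
        print(event, "->", "; ".join(reasons))
```

The learning window must be long enough to capture routine maintenance and known to be clean; a baseline built while an intruder already holds access will treat that activity as normal.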
Why This Matters Beyond the Immediate Story
The reported acknowledgment represents a significant shift in the dynamics of state-sponsored cyber operations. Several broader implications emerge:
Deterrence doctrine: China's apparent willingness to link cyberattacks to geopolitical disputes suggests an emerging doctrine of cyber deterrence. The United States has maintained ambiguity about its own offensive cyber capabilities, but China's acknowledgment may force a more explicit discussion of red lines and consequences.
Critical infrastructure vulnerability: The Volt Typhoon campaign has exposed systemic weaknesses in how the United States protects essential services. Many water utilities, power companies, and transportation systems operate with limited cybersecurity resources and aging technology.
International norms: The acknowledgment complicates ongoing efforts to establish international norms for state behavior in cyberspace. If major powers view infrastructure attacks as acceptable tools of statecraft, multilateral agreements become more difficult to achieve.
Private sector responsibility: Critical infrastructure in the United States is predominantly owned and operated by private companies. The Volt Typhoon campaign raises questions about the appropriate division of responsibility between government and industry for defending against state-sponsored threats.
What's Confirmed vs. What Remains Unclear
Confirmed:
- The Wall Street Journal reported that Chinese officials acknowledged Volt Typhoon operations during a December 2024 meeting in Geneva
- US government agencies have attributed Volt Typhoon to China since early 2024
- The campaign has targeted water, power, telecommunications, and transportation infrastructure
- Volt Typhoon has maintained access to some networks for multiple years
- 62% of water and electricity operators reported cyberattacks in the past year, according to Semperis
Remains unclear:
- The exact language used by Chinese officials during the Geneva meeting
- Whether China has made any formal diplomatic communication acknowledging the operations
- The current extent of Volt Typhoon access to US infrastructure
- Whether remediation efforts have successfully removed all Chinese access
- How the acknowledgment will affect US-China diplomatic relations
- Whether China will make any public statement regarding the report
What to Watch Next
Several indicators will signal how this story develops:
Chinese government response: Any official statement from Beijing regarding the Wall Street Journal report would clarify China's position. Previous denials have been categorical.
Congressional action: The report may prompt hearings or legislation regarding critical infrastructure protection. The House and Senate homeland security committees have jurisdiction over CISA.
CISA advisories: Additional technical guidance from US cybersecurity agencies would indicate ongoing concern about Volt Typhoon access.
Diplomatic developments: The next scheduled US-China dialogue on cybersecurity issues will reveal whether the acknowledgment changes the tenor of discussions.
Critical infrastructure incidents: Any disruptions to US water, power, or telecommunications systems will face scrutiny for potential connections to state-sponsored actors.
Allied nation statements: Partners in the Five Eyes intelligence alliance and other allied nations may issue their own assessments or warnings.

