Nihon Cyber Defence

China’s APT Threats to Japan’s Critical Infrastructure: Salt, Volt, and Silk Typhoon

What Japan’s defenders must know about China’s cyber espionage and infrastructure sabotage campaigns

Cyber espionage and economic influence converge as China targets Japan’s infrastructure and markets. A visual metaphor for digital-era geopolitical conflict.

China’s Cyber Warfare Strategy and APT Evolution

Cyber warfare is evolving rapidly, with Advanced Persistent Threats (APTs) becoming more sophisticated, stealthy, and destructive. Among the most concerning in recent years are three China-linked APT groups: Salt Typhoon, Volt Typhoon, and Silk Typhoon. Each works with distinct tactics and goals, yet collectively, these groups signal a broader shift in how nation-states conduct cyber operations.

In this post, we’ll analyse how these groups operate, what their activities reveal about China’s long-term cyber strategy, and how defenders can prepare for the next wave of cyber warfare.

APT Group Profiles: Salt, Volt, and Silk Typhoon Explained

Salt Typhoon: China’s Cyber Espionage Specialist

Salt Typhoon focuses on cyber espionage, targeting Western enterprises in sectors such as technology, defence, and telecommunications. It specialises in exploiting enterprise software vulnerabilities to gain long-term access to sensitive intellectual property and corporate secrets.

Volt Typhoon: The Stealthy Infrastructure Saboteur

Volt Typhoon, on the other hand, has a different mission – covertly infiltrating critical infrastructure to pre-position itself for disruptive or destructive attacks. Unlike traditional APTs that rely on malware, Volt Typhoon utilises living-off-the-land (LOL) techniques, making detection much harder.

Silk Typhoon: APT Meets Cyber Crime

Silk Typhoon is a unique hybrid. It blends state-sponsored cyber espionage with financially motivated cybercrime. While it conducts traditional nation-state intelligence gathering operations, it also engages in financially motivated attacks and targets organisations within the global IT supply chain.

Strategic Implications for Japan’s National Cyber Defence

For cyber threat practitioners, these groups illustrate the shift from espionage to an integrated model of cybercrime, intelligence collection, and operational disruption. Silk Typhoon exemplifies this evolution, seamlessly pivoting between data theft and financially motivated attacks. An attack today may be aimed at intelligence gathering, and tomorrow at financial extortion or market manipulation. Defenders must break out of siloed thinking: cyber threats are interconnected across economic, corporate, and national security landscapes.

“Stealth is now the norm. Sophisticated threat actors are employing living-off-the-land techniques, utilising built-in system tools to evade detection.”

Volt Typhoon’s operations reinforce that cyber warfare is very active. These adversaries are embedding within critical infrastructure, staying undetected for years, pre-positioning themselves for future sabotage. The implications are severe: power grids, logistics, and communications could be compromised long before an attack is detected. Threat intelligence teams must transition from reactive defence to proactive hunting, with the goal of finding persistent, stealthy intrusions before they escalate.

“The notion of a secure perimeter is obsolete—the real threat may already be inside, hidden in plain sight.”

Supply chain exploitation is another growing challenge. Silk Typhoon has refined indirect compromise, targeting third-party vendors to gain access to high-value targets. Even organisations with strong internal security may find themselves breached through a compromised software update or trusted vendor. Robust cyber defence must extend beyond internal networks, focusing also on the threat from supply chain exploitation. Security teams must enforce strict vendor assessments, enhance supply chain security, and demand transparency in software dependencies. 

Explore how Japan is shifting from compliance to capability in our post on Active Cyber Defence in Japan.

How to Detect and Defend Against APTs from China

Salt, Volt, and Silk Typhoon are not just isolated APTs—they are a coordinated, long-term strategy by China to blend espionage, infrastructure pre-positioning, and cybercrime for strategic advantage. Their operations signal a shift: cyber-attacks are no longer episodic—they’re part of a sustained influence campaign.

Proactive Defence: Turning Intelligence into Action

As threat analysts, we need to move past reactive posture. Relying on perimeter defences is no longer sufficient—assume compromise and operate accordingly.

  • Operationalise threat intelligence—Map IOCs and TTPs from these groups directly to your environment.
  • Hunt continuously—Focus on persistence mechanisms, LOLBins, and lateral movement activity.
  • Test your IR playbooks—Simulate long-term intrusions and stealthy C2 scenarios in red/blue team exercises.
  • Push for visibility—Across endpoints, network, and third-party supply chains. You can’t defend what you can’t see.
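One way to start the "hunt continuously" item above, shown as an added example that is not part of the original post: least-frequency stacking of built-in tool launches, which surfaces parent/child process pairs seen on very few hosts. The watchlist, the event fields, the host names and the function name `stack_lolbins` are all assumptions, and the events are constructed sample data.

```python
from collections import defaultdict

# Assumed watchlist of built-in Windows tools often abused as LOLBins; tune per environment.
WATCHLIST = {"cmd.exe", "powershell.exe", "netsh.exe", "wmic.exe", "certutil.exe"}

SYS32 = "C:\\Windows\\System32\\"
EXPLORER = "C:\\Windows\\explorer.exe"

# Constructed process-creation events (host, parent image, image, command line).
# Field layout mirrors Sysmon Event ID 1 style logs; this is not real telemetry.
EVENTS = [
    ("ws-01", EXPLORER, SYS32 + "cmd.exe", "cmd.exe"),
    ("ws-02", EXPLORER, SYS32 + "cmd.exe", "cmd.exe"),
    ("ws-03", EXPLORER, SYS32 + "cmd.exe", "cmd.exe"),
    ("ws-01", EXPLORER, SYS32 + "powershell.exe", "powershell.exe"),
    ("ws-02", EXPLORER, SYS32 + "powershell.exe", "powershell.exe"),
    ("ws-02", SYS32 + "services.exe", SYS32 + "svchost.exe", "svchost.exe -k netsvcs"),
    ("web-01", SYS32 + "inetsrv\\w3wp.exe", SYS32 + "cmd.exe", "cmd.exe /c whoami"),
    ("ops-07", SYS32 + "svchost.exe", SYS32 + "NETSH.EXE", "netsh interface portproxy show all"),
]

def basename(path):
    """Lower-cased file name of a Windows path, so casing tricks do not split a stack."""
    return path.rsplit("\\", 1)[-1].lower()

def stack_lolbins(events, max_hosts=1):
    """Return (parent, image) pairs for watchlisted tools seen on <= max_hosts hosts."""
    hosts = defaultdict(set)
    sample_cmd = {}
    for host, parent, image, cmd in events:
        name = basename(image)
        if name not in WATCHLIST:
            continue  # only stack the built-in tools we are hunting for
        key = (basename(parent), name)
        hosts[key].add(host)
        sample_cmd.setdefault(key, cmd)  # keep the first command line as triage context
    rare = [
        {"parent": k[0], "image": k[1], "hosts": sorted(h), "sample_cmd": sample_cmd[k]}
        for k, h in hosts.items() if len(h) <= max_hosts
    ]
    # Rarest first, then alphabetical so output is stable between runs.
    return sorted(rare, key=lambda r: (len(r["hosts"]), r["parent"], r["image"]))

if __name__ == "__main__":
    for hit in stack_lolbins(EVENTS):
        print(hit)
```

Rare pairs are leads for triage, not verdicts: baseline them against known administrative tooling before escalating.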

The threat is already embedded. The mission now is to detect, contain, and outpace the adversary before they activate.

Explore how AI is transforming security strategies in an earlier post, The Rise of AI-Driven Warfare: Securing Nations and Critical Infrastructure from Emerging Threats.

Is Your Organisation Resilient Enough to Withstand

NCD is uniquely positioned to help governments, critical infrastructure providers, and enterprises prepare for, detect, and respond to these threats before they escalate.


Andrew Turner

Threat Intelligence Analyst @ Nihon Cyber Defence

Turner brings years of experience with the UK Ministry of Defence and NATO-aligned operations and is an expert in high-stakes operational intelligence.
