PRC Infrastructure Intrusions
Salt Typhoon-class operations have compromised US and allied telecom carriers and lawful-intercept systems, exposing call records and surveillance targeting. Volt Typhoon-class actors have burrowed into energy, water, and transport OT networks using living-off-the-land tradecraft to enable wartime disruption. Attribution is contested and slow; defensive posture centers on CISA advisories, KEV additions, and vendor threat intel.
Why it matters — This matters because PRC hackers are already sitting inside the phone networks, power grids, and water systems Americans rely on, positioned to shut off or spy on critical services the moment a Taiwan or South China Sea crisis turns hot.
Why now — Salt Typhoon's compromise of US telecom lawful-intercept systems and Volt Typhoon's OT footholds remain unevicted, with attribution still contested and defense limited to slow CISA advisories rather than removal.
WHAT CHANGED · LAST 72H
- —Salt Typhoon confirmed inside multiple US telecom carriers, reaching lawful-intercept and call-record systems.
- —Volt Typhoon pre-positioning persists in US energy, water, and transport OT networks.
- —CISA and allied CERTs escalate advisories and KEV entries; full eviction unconfirmed.
KEY CLAIMS ON THE RECORD · 10 TOTAL
| Symantec attributes Daxin to China, describing it as the most advanced Chinese malware observed, with activity dating to 2013. | ASSESSED · 0.70 · 1 EVID |
| Daxin is a Windows kernel-level rootkit that hijacks legitimate inbound TCP connections to exfiltrate encrypted C2 commands, evading traditional network monitoring. | ASSESSED · 0.68 · 1 EVID |
| CISA on 16 July 2026 added FortiSandbox flaws CVE-2026-39808 and CVE-2026-25089 to its KEV catalog, ordering federal agencies to patch by 19 July. | ASSESSED · 0.62 · 1 EVID |
| CVE-2026-39808 and CVE-2026-25089 are OS command injection flaws rated CVSS 9.1; Fortinet issued patches in April and June 2026. | ASSESSED · 0.60 · 1 EVID |
| Investigators identified a second backdoor, Stupig, on the same infected hosts as Daxin at the Taiwan manufacturer. | ASSESSED · 0.58 · 1 EVID |
| Symantec disclosed the Daxin backdoor four years ago, attributing it to China with activity traceable to 2013. | ASSESSED · 0.58 · 1 EVID |
| Symantec and Carbon Black threat hunters found Daxin backdoor activity in May 2026 at a Taiwan subsidiary of a multinational high-tech manufacturer. | ASSESSED · 0.58 · 1 EVID |
| Defused Cyber reported exploitation activity a month prior, with attackers also using CVE-2026-39813 to bypass authentication and escalate privileges. | ASSESSED · 0.55 · 1 EVID |
DOWNSTREAM EFFECTS · WATCH INDICATORS
- Global chip supply anchored in Taiwan — Pre-positioned homeland-disruption capability raises the expected cost of US intervention, which strengthens Beijing's Taiwan Strait pressure and threatens the TSMC advanced-node output the world depends on. Watch: INDOPACOM/DoD statements citing homeland cyber risk in Taiwan contingency planning; TSMC overseas fab or contingency announcements.
- US federal cyber posture and budgets — Unevicted Salt and Volt Typhoon footholds plus slow attribution pressure Congress and CISA to shift from advisories toward defend-forward operations and mandatory OT breach reporting. Watch: New CISA binding operational directives, cyber-offense authorizations, or appropriations line items funding grid/telecom eviction.
- Southeast Asian claimants' deterrence confidence — Homeland-disruption leverage tempers US escalation appetite, which erodes deterrence in the South China Sea and pressures Manila's reliance on US security guarantees. Watch: Frequency of PRC coast-guard incidents at Second Thomas Shoal; Philippine officials' statements questioning US commitment credibility.
- US telecom carriers' costs and customer trust — Salt Typhoon's carrier and lawful-intercept compromise forces costly equipment replacement and network re-architecture while exposing call records and surveillance targeting. Watch: Carrier 8-K breach disclosures; FCC lawful-intercept security rulemaking; measurable spikes in encrypted-messaging adoption.