China’s cyber campaign targets U.S. infrastructure, officials warn of crisis risk
Chinese state-linked hackers have burrowed into U.S. telecoms, utilities and transportation networks, and officials say the real danger is what they could do in a crisis.

Chinese government-linked cyber actors are no longer being described as simple thieves of secrets. U.S. officials say they have gained persistent access to networks that support telecommunications, government, transportation, lodging and military infrastructure, a foothold that could be used to disrupt critical services if relations with Beijing deteriorate.
The Office of the Director of National Intelligence said in its 2026 Annual Threat Assessment that Chinese government-linked cyber actors pose persistent threats to U.S. government, private sector and critical infrastructure networks. That warning reflects a shift in the way Washington is framing the problem: not just espionage, but prepositioning inside systems that matter in a blackout, a transport shutdown or a wider national emergency.

Former National Security Agency and U.S. Cyber Command chief Tim Haugh said in October 2025 that China had targeted water systems, electrical power infrastructure, transportation, telecommunications and even Americans in their homes. He pointed to Littleton, Massachusetts, where the FBI notified town officials in November 2023 that the municipal utility network had been compromised. CBS News later reported that Littleton was one of about 200 utilities found to have been compromised or of interest, a reminder that even a small water provider can become part of a national security problem.
The FBI said on April 24, 2025, that the activity tied to Salt Typhoon had stolen call data logs, a limited number of private communications and select information subject to court-ordered law-enforcement requests. CISA later said the campaign overlapped with several publicly tracked clusters, including Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807 and GhostEmperor. On August 27, 2025, CISA, the NSA, the FBI and foreign partners issued a joint advisory on Chinese state-sponsored actors maintaining persistent access in critical infrastructure. A revised CISA advisory on September 3 sharpened the warning and urged defenders to hunt for malicious activity and harden communications infrastructure before the intruders’ access could be used in a future crisis.
That is the practical stress test now facing Washington. The playbook officials are proposing is not a rhetorical escalation, but a defensive one: find intruders sooner, kick them out, and deny them long-term access to the systems that carry calls, power, water and transport. For telecoms and utilities, that means more aggressive monitoring and faster incident response. For ordinary Americans, it means the federal government is treating disruption risk, not just stolen data, as the central threat.
The Biden-era focus on exposure is colliding with a more durable reality: China denies sponsoring the attacks and dismisses the accusations as politically motivated, while Washington is moving resources toward detection, expulsion and prevention. The FBI said the State Department’s Rewards for Justice program was offering up to $10 million for information on foreign-government-linked individuals involved in malicious cyber activity against U.S. critical infrastructure.

