
Volt Typhoon, Flax Typhoon, and Salt Typhoon are the US government's names for three distinct Chinese state-sponsored cyberattack campaigns. They're called "Typhoon" campaigns because US intelligence uses weather-related codenames for Chinese state-backed threat actors. They are documented operations, not speculation - disclosed publicly by the FBI, NSA, CISA, and the Five Eyes intelligence alliance.
All three campaigns used compromised home and small-business routers as part of their attack infrastructure. The logic: home routers are ubiquitous, largely unmonitored, rarely updated, and their traffic is difficult to distinguish from normal consumer internet usage - making them ideal for building covert attack networks.
Volt Typhoon is a Chinese state-sponsored threat actor that focused on pre-positioning inside US critical infrastructure - power grids, water systems, transportation, and military networks - for potential future disruption during a geopolitical crisis.
Their method involved building a covert proxy network out of compromised consumer routers and network devices, called the KV-botnet. By routing their attacks through legitimate US internet infrastructure (your router), they could make their traffic appear to originate from normal US residential internet users rather than from China.
TP-Link routers were the primary device type compromised in the KV-botnet. The FBI has described Volt Typhoon's router botnet as being used to attack "communications, energy, transportation, and water sectors" and "the defense industrial base." In January 2024, the FBI obtained a court order to disrupt the KV-botnet and removed malware from hundreds of compromised US routers.
The CISA advisory (AA23-144A) and follow-up disclosures specifically identified TP-Link routers, Cisco routers, Netgear routers, and Fortinet devices as the primary device types compromised. Home TP-Link routers were the most commonly reported consumer-grade devices in the KV-botnet.
Critically: the routers were compromised because they had unpatched vulnerabilities, not because they had malicious firmware installed at the factory. This distinction matters because the threat from Chinese-manufactured routers is really two separate concerns: the supply chain concern (potential deliberate backdoors) and the practical concern (poor patch support leaving exploitable vulnerabilities). The Typhoon campaigns exploited the second.
Flax Typhoon targeted Taiwanese organizations primarily, but its techniques are directly relevant to US home network security. Flax Typhoon was notable for achieving firmware-level persistence on compromised routers - meaning the malware survived factory resets.
Once a router was compromised by Flax Typhoon, the attackers could maintain access even after the user rebooted or reset the device. This technique exploits the fact that most consumer routers don't verify the integrity of their firmware components at boot time.
Flax Typhoon also operated through a legitimate Chinese cybersecurity company called Integrity Technology Group (Integrity Tech), which the US Treasury later sanctioned.
The Flax Typhoon campaigns revealed that the conventional advice "factory reset your router if you think it's compromised" may not be sufficient against sophisticated attackers. This is one reason security researchers recommend replacing compromised routers rather than attempting to clean them.
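The boot-time integrity check that most consumer routers lack, as an added illustration of the point above (this is example code written for this page, not code from any vendor or from the campaigns described). It models a verified-boot routine: a root hash pinned in read-only storage, a manifest of component digests, and a refusal to boot if either the manifest or a component has been altered. The component contents, manifest format, and the use of a pinned SHA-256 digest in place of a vendor signature are constructed simplifications.

```python
import hashlib
import hmac

# Constructed stand-ins for a router's firmware components. A real device
# would hold a signed manifest; here the manifest is pinned by its SHA-256
# digest so the example runs offline without a signature library.
FACTORY_COMPONENTS = {
    "bootloader": b"bootloader-v1.0 constructed sample",
    "kernel": b"kernel-5.10 constructed sample",
    "rootfs": b"rootfs squashfs constructed sample",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(components):
    """What the vendor would ship with the image: component name -> digest."""
    return {name: sha256(blob) for name, blob in components.items()}

def manifest_digest(manifest) -> str:
    """Canonical encoding so the pinned root hash is deterministic."""
    encoded = "\n".join(f"{k}:{manifest[k]}" for k in sorted(manifest)).encode()
    return sha256(encoded)

# Simulates the immutable root of trust written at manufacture (ROM/OTP).
PINNED_ROOT = manifest_digest(build_manifest(FACTORY_COMPONENTS))

def verified_boot(components, manifest, pinned_root=PINNED_ROOT):
    """Return (ok, reason). A tampered manifest fails the root check; a
    tampered component fails its digest check. Nothing boots on failure."""
    if not hmac.compare_digest(manifest_digest(manifest), pinned_root):
        return False, "manifest does not match pinned root hash"
    for name in sorted(manifest):
        blob = components.get(name)
        if blob is None:
            return False, f"missing component: {name}"
        if not hmac.compare_digest(sha256(blob), manifest[name]):
            return False, f"integrity failure in {name}"
    return True, "all components verified"

def simulate_reset_after_implant():
    """A factory reset restores settings, not the flash holding the
    root filesystem, so a modified rootfs is still present at next boot.
    With verification in place the device refuses to start it."""
    tampered = dict(FACTORY_COMPONENTS)
    tampered["rootfs"] = FACTORY_COMPONENTS["rootfs"] + b" + implant"
    return verified_boot(tampered, build_manifest(FACTORY_COMPONENTS))
```

Without the digest comparison in `verified_boot`, the same tampered rootfs would boot normally after every reset, which is the persistence behaviour the text describes.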
Salt Typhoon represents the largest telecommunications breach in US history. Chinese state hackers infiltrated multiple major US telecom providers including AT&T, Verizon, and T-Mobile, gaining access to call metadata for millions of Americans and in some cases the actual content of calls and texts from high-value targets including presidential campaign staff.
Salt Typhoon used home and small-office networking equipment - including consumer routers - as stepping stones in its infiltration of telecom infrastructure. The attackers exploited the fact that telecom companies' networks connect to millions of consumer-grade routers, creating an enormous attack surface.
CISA issued an advisory in December 2024 urging Americans to use end-to-end encrypted communications. The US Senate Intelligence Committee called it "the worst telecom hack in our nation's history."
Whether your own router is at risk depends on your model, your patch status, and your threat model.
The Typhoon campaigns primarily targeted two types of devices: Chinese-manufactured routers with exploitable vulnerabilities, and any router - regardless of manufacturer - that was running outdated, unpatched firmware.
If your router is:
These campaigns sound alarming, but most home users are not the primary targets of state-sponsored attacks. The concern is more systemic: your router may be used as a stepping stone to attack someone else, and if it's compromised, your own network traffic is also at risk.