Saturday, March 29, 2025

National security leaders: Combating cyber threats from China takes collaboration




They may not be looking to exfiltrate patient data for ransom and disruption. Instead, cybercrime groups sanctioned by the People’s Republic of China – including Silk Typhoon, which is thought to be targeting healthcare organizations – may be seeking hospital layouts and operational plans that could be used in physical attacks. 

“Beijing is advancing its cyber capabilities for sophisticated operations aimed at stealing sensitive U.S. government and private sector information, and pre-positioning additional asymmetric attack options that may be deployed in a conflict,” said Director of National Intelligence Tulsi Gabbard in written testimony Tuesday.

She referred to the Salt Typhoon attack on U.S. telecom companies in 2024 that is known to have targeted senior government officials and other high-profile political figures.

“The PRC remains the most active and persistent cyber threat to U.S. government, private-sector and critical infrastructure networks,” according to the federal government in the 2025 Annual Threat Assessment of the U.S. Intelligence Community report that intelligence leaders presented to lawmakers Tuesday and Wednesday.

“The PRC’s campaign to preposition access on critical infrastructure for attacks during crisis or conflict, tracked publicly as Volt Typhoon, and its more recently identified compromise of U.S. telecommunications infrastructure, also referred to as Salt Typhoon, demonstrates the growing breadth and depth of the PRC’s capabilities to compromise U.S. infrastructure.”

Silk Typhoon’s threat to healthcare

Silk Typhoon is a Chinese state-sponsored hacking organization, according to the American Hospital Association. Targeting various sectors, including healthcare and hospitals, it exploits vulnerabilities in remote management tools and cloud applications to gain unauthorized access. 

“Their actions have caused disruptions in supply chains and posed significant threats to critical infrastructure, including healthcare facilities,” AHA said in a statement on its website earlier this month. 

Silk Typhoon abuses stolen API keys and credentials associated with privileged access management systems, cloud application providers and cloud data management companies, Forbes noted Tuesday in a story about making a case for “in-flight encryption” for enterprise applications. 

“The group is known for the exploitation of zero-day vulnerabilities in edge devices, targeting a wide array of sectors globally, such as information technology, health, education and government,” the Health Information Sharing and Analysis Center warned in its Silk Typhoon threat bulletin earlier this month. 

Investigating cyberterrorism from China

In January, the Biden administration released an Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity. The Trump administration released the members of the Cyber Security Review Board that the order established, including those investigating Salt Typhoon.

A PRC-sponsored cyber hacking group had orchestrated attacks on eight telecommunications firms, including AT&T, in 2024. FirstNet’s healthcare and other industry-specific dedicated broadband services were potentially compromised, but the company did not respond to previous requests for comment.

In December, AT&T and Verizon said they no longer detected the threat actor and that their networks were secure.

Meanwhile, former Federal Communications Commission Chair Jessica Rosenworcel proposed a Declaratory Ruling clarifying that Section 105 of the Communications Assistance for Law Enforcement Act obligates carriers to protect their networks against unauthorized access and interception, according to a December report in The Southern Maryland Chronicle.

Some members of Congress have recently asked for documentation on the U.S. Cybersecurity and Infrastructure Security Agency’s response to hacking campaigns by several cyber espionage groups from China that use the Typhoon moniker, including Volt Typhoon, an organization that breached a power company in the Bay State. 

The threat actors were aiming to exfiltrate specific data related to operating procedures, spatial layout data relating to energy grid operations and facility layouts of a power plant in Littleton, Massachusetts, according to the cybersecurity firm Dragos. Such information can be used in a physical attack in the event of a conflict, according to the report in The Record.

Last week, AHA and Health-ISAC warned hospitals of a potential terrorist threat against U.S. hospitals in the coming weeks, calling it active planning of a coordinated, multicity terrorist attack on U.S. health sector organizations. 

“It is recommended that organizations review and evaluate the coordination and capabilities of physical security, cybersecurity, and emergency management plans,” they said in a joint bulletin.

Last year, with contributions from Cisco Talos, NTT and Sophos, CISA and the FBI issued guidance warning critical infrastructure entities to take the threat of attacks by Chinese state-sponsored actors “seriously,” focusing on four specific actions to take.

Of note, the Department of Government Efficiency axed additional CISA employees and terminated 300 contracts on Feb. 14. A Maryland district court judge ordered the Trump administration to reinstate more than 130 probationary CISA employees who were fired, and the government is placing those who re-engage with the agency on paid administrative leave.

Sen. Angus King, I-Maine, questioned the panel about the administration dismissing CISA employees last month, including individuals tasked specifically with investigating the growing state-sponsored cyberterrorism threats detailed in the 2025 annual threat assessment. 

“Why then is the administration deconstructing CISA?” King asked.

“President Trump is focused on effects,” Gabbard said as a response to his questions about CISA’s diminished capacity. “More people doesn’t always mean better effects.”

Collaboration key to cyber defense

Most of the energy of Tuesday’s Senate Intelligence Committee hearing for the scheduled annual World Threat Report featuring top national intelligence leadership went to a Signal chat debacle that may or may not have constituted a breach of classified information. 

On Monday, The Atlantic published a story about several leaders of the United States and Department of Defense, along with a journalist, taking part in a chat on the commercial app about, and in advance of, an impending U.S. attack on Houthi insurgents in Yemen.

While the majority of the two-hour session featured frustrated lawmakers asking largely unanswered questions, Sen. Ted Budd, R-North Carolina, did ask about cyberterrorism coming from China and specifically about Volt and other Typhoon cyberterrorist organizations that have compromised power companies in his state and others.

“What have we learned, and what can I tell them?” he asked NSA’s Central Security Service director, Timothy Haugh.

Because 99% of critical infrastructure is controlled by private companies, partnership with commercial industry drives the pursuit of these threats, Haugh said.

“Volt Typhoon began when [power sector] industry came to the intelligence community and said, ‘We are seeing anomalous activity. Can you help us gain context?’ And we were able to bring context to that to be able to understand what the threat is and to ultimately be able to identify who was behind that threat,” he said.

Since that time, the NSA has worked closely with the industry to prevent cyber intrusions.

“It is a collaboration between the government and industry to be able to eradicate these threats, and we have continued to pursue them together since our first identification and notification that we did related to this particular threat.”

Offensively, U.S. defense agencies are taking an “aggressive” approach to deter the cyberterrorism threats from China, Haugh said, promising to go into further detail in the closed session that followed Tuesday’s Senate Intelligence hearing.

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a HIMSS Media publication.


