April 26, 2026

Sky Techies


China’s Typhoon hackers have changed the rules of cybersecurity

COMMENTARY: Cybersecurity news feeds in recent years have included a lot of headlines that casual observers could mistake for weather reports: “China’s Salt Typhoon Hacked US National Guard,” “Volt Typhoon could enable China to wage ‘total war’ against US,” “Silk Typhoon targeting IT supply chain.”

But those various typhoons refer to sophisticated hacking groups that China’s government has granted broad portfolios to hit targets such as data-rich commercial firms, universities, government agencies, and owners of critical infrastructure.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

While groups engaged in advanced persistent threats (APTs) are nothing new, China’s typhoon APTs show how cyber risks have evolved. In response, laws and regulations are evolving as well, and those that are now emerging are set to compel changes in the way software gets built, deployed, and managed.

The APTs are talking — are we listening?

China’s sophisticated typhoon APT groups included a high-profile campaign last year by the Salt Typhoon APT against telecommunications providers. That campaign exploited flaws in Cisco’s IOS XE software on widely deployed Catalyst 9000 switches, but in recent months, other attacks have been waged against gear manufactured by vendors including F5, Ivanti, Fortinet, SonicWall, Netgear, Citrix, and Juniper.

Sophistication aside, the campaigns’ success owed as much to exploitable weaknesses in the attacked infrastructure as to the attackers’ skill. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted last September in a Joint Cybersecurity Advisory with other national cyber agencies that the success of campaigns like those hinges on lateral movement through the exploitation of hidden software flaws and “other avoidable weaknesses” lurking in IT infrastructure such as routers, switches, firewalls, and wireless devices.

Another factor exacerbating threats has been the near-universal embrace of cloud computing and SaaS applications, which has upended traditional security tools and architectures. As JPMorgan Chase CISO Patrick Opet noted in an open letter in April 2025, our growing reliance on cloud infrastructure, APIs, and “opaque fourth-party vendor dependencies” gives third-party firms “privileged access to customer systems without explicit consent or transparency.”

Open-source and AI risks are growing

The open source software ecosystem has also emerged as a critical but highly vulnerable building block for all of our applications. Our latest annual Software Supply Chain Security Report for 2026 found a 73% increase in detections of malicious open-source packages in 2025. We also saw a jump in the scope of such attacks, with compromises of some of the most influential open source maintainer accounts and the widely used packages they manage.

These risks are set to explode with the embrace of artificial intelligence-powered coding agents, with malicious actors now adapting their techniques to target AI development pipelines and the growing popularity of vibe-coding tools.

Organizations now need a comprehensive understanding of their IT inventory and the risks that lurk in both open-source and commercial software. They need new tools and capabilities to achieve that.
One tool growing in acceptance is the software bill of materials (SBOM), which offers end-user organizations a critical software “list of ingredients” that teams can use to identify and isolate supply chain risks.

SBOMs alone can’t plug all of our security holes. Technologies such as complex binary analysis, offered by RL Spectra Assure, can expose threats including evidence of tampering, malware hiding in commercial software binaries, critical security flaws, and outdated and end-of-life commercial and open-source modules.

It’s time for software security mandates

Adopting these new technologies will require new investments in security by both software producers and end-user organizations. How can we motivate them all to do that? I’ve got a one-word answer: regulations.

As I see it, we’re at the end of a three-decade-long hands-off approach to software security by governments, a time when countless private/public partnerships emerged, all heavy on promises but lacking enforcement options and reliant on voluntary compliance. The predictable results of that are all around us.

The shift began with the passage of regulations such as the European Union’s Cyber Resilience Act (CRA) and Digital Operational Resilience Act (DORA), which contain explicit requirements for secure design, vulnerability management, and lifecycle management.

And there’s more to come: In May 2025, the U.S. Department of Defense unveiled a Software Fast Track (SWFT) Initiative to modernize and accelerate how secure software gets procured, tested, and authorized for use by the U.S. military.

And already this year, the U.K. government proposed a Government Cyber Action Plan that will centralize oversight of the security of government IT systems and use procurement, contracts, and audit and review processes to ensure that supply chain organizations understand their accountability and responsibility for government cyber security and resilience.

We’re seeing the emergence of an international regulatory landscape that (finally) prioritizes software security and technology resilience, making clear where the responsibility lies for insecurity and resulting breaches. Here’s hoping that 2026 sees these much-needed changes take root, bringing about a shift in the cyber weather, with fewer typhoons that leave chaos and destruction in their wake.

Mario Vuksan, chief executive officer, ReversingLabs
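The column describes the SBOM as a “list of ingredients” that teams can use to identify and isolate supply chain risks. The script below is an added example, not code from the column, from SC Media, or from ReversingLabs; it shows the mechanical step that turns an inventory into findings. It parses a CycloneDX JSON document and cross-references each component against an advisory list (by ecosystem, name, and the first fixed version) and an end-of-life list. The SBOM, the advisory identifiers (ADV-EXAMPLE-…), the package names, and the EOL list are all constructed for illustration and do not describe real packages or real vulnerabilities.

```python
"""Cross-reference a CycloneDX SBOM against advisory and end-of-life lists.

Added example. The SBOM, advisory feed and EOL list are constructed for
illustration; they do not describe real packages or real CVEs.
"""
import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5-style SBOM (JSON) for a hypothetical web service.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "left-padder", "version": "1.2.0",
     "purl": "pkg:npm/left-padder@1.2.0"},
    {"type": "library", "name": "yaml-loader", "version": "0.9.4",
     "purl": "pkg:pypi/yaml-loader@0.9.4"},
    {"type": "library", "name": "fastcache", "version": "3.1.1",
     "purl": "pkg:pypi/fastcache@3.1.1"},
    {"type": "library", "name": "legacy-crypto", "version": "2.0.0",
     "purl": "pkg:npm/legacy-crypto@2.0.0"}
  ]
}
"""

# Constructed advisory feed: (ecosystem, name, first fixed version, id).
# Any version below the fixed version is treated as affected. IDs are placeholders.
ADVISORIES = [
    ("pypi", "yaml-loader", "1.0.0", "ADV-EXAMPLE-0001"),
    ("npm", "left-padder", "1.1.5", "ADV-EXAMPLE-0002"),  # SBOM has 1.2.0: fixed
]

# Constructed end-of-life list: (ecosystem, name) pairs no longer maintained.
EOL_PACKAGES = {("npm", "legacy-crypto")}


@dataclass(frozen=True)
class Component:
    ecosystem: str
    name: str
    version: str


def parse_version(v: str) -> tuple:
    """Turn '1.2.0' into (1, 2, 0); non-numeric segments compare as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_cyclonedx(sbom_json: str) -> list:
    """Extract Component records from a CycloneDX JSON document.

    The ecosystem comes from the package URL ("pkg:<type>/..."), so an npm
    package and a PyPI package that share a name are kept distinct.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = []
    for c in doc.get("components", []):
        purl = c.get("purl", "")
        ecosystem = purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else "unknown"
        comps.append(Component(ecosystem, c["name"], c["version"]))
    return comps


def audit_sbom(components, advisories=ADVISORIES, eol=EOL_PACKAGES) -> list:
    """Return (component, finding) pairs for affected or end-of-life components."""
    findings = []
    for comp in components:
        key = (comp.ecosystem, comp.name)
        for eco, name, fixed_in, adv_id in advisories:
            if (eco, name) == key and parse_version(comp.version) < parse_version(fixed_in):
                findings.append((comp, f"{adv_id}: fixed in {fixed_in}"))
        if key in eol:
            findings.append((comp, "end-of-life: no longer maintained"))
    return findings


if __name__ == "__main__":
    for comp, note in audit_sbom(parse_cyclonedx(SAMPLE_SBOM)):
        print(f"{comp.ecosystem}:{comp.name}@{comp.version} -> {note}")
```

Matching on ecosystem as well as name matters in practice: a dependency confusion or typosquat often reuses a well-known name in a different registry, and a name-only match would either miss it or flag the wrong package. The same loop can be pointed at a real advisory feed and a real EOL list once the SBOM is generated by the build pipeline rather than embedded as a string.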
