Southeast Asia serves as Beijing’s operational testing ground for cyberattacks. It’s time the U.S. started paying attention.
China-linked hackers known as “Salt Typhoon” were detected attempting to infiltrate yet another European telecommunications provider, deploying sophisticated techniques and exploiting Citrix NetScaler Gateway vulnerabilities. The intrusion marks the latest expansion of a campaign that has already compromised telecommunications infrastructure across more than 80 countries.
The pattern is consistent: Operations first tested against ASEAN targets eventually appear in attacks against Western infrastructure, often with marginal adjustments. Yet despite mounting evidence from regional security firms and governments, Western intelligence agencies have treated Southeast Asian cyber incidents as peripheral concerns rather than early warning indicators of threats that would later target their own critical systems.
China’s Laboratory for Cyberattacks
Southeast Asia serves as Beijing’s operational testing ground, offering a diverse technology landscape ideal for stress-testing intrusion methods as well as lower risks of attribution and retaliation. Southeast Asian governments are often reluctant to publicly attribute attacks to China given economic dependencies. From Vietnam’s government networks to the Philippines’ energy sector, China’s state-linked actors exploited a region characterized by hybrid technology ecosystems to refine what would later become their most sophisticated intrusion techniques.
For Beijing, Southeast Asia has proven an ideal laboratory. For the West, it’s a missed opportunity to prepare.
The sophistication of advanced persistent threat (APT) groups like Volt Typhoon and Salt Typhoon, their ability to persist in networks for years and evade detection, is not a fluke. It represents the culmination of iterative, low-risk research and development. This capability refinement follows clear strategic logic.
Western analysis often miscategorizes these activities as originating from distinct, sector-specific APT groups (Volt Typhoon for operational technology/military, Salt Typhoon for signals intelligence/telecoms). This sectoral approach fundamentally misses the reality of Beijing’s operation: there is no such thing as a sector-by-sector “typhoon” or a separate, financially motivated China-linked APT. They are, in fact, variants of a single, centrally directed, whole-of-government campaign.
For 30 years, Beijing has executed a comprehensive, calculated, and centrally controlled national strategy to integrate cyber warfare into its military-political objectives. The APT names used by security firms (Salt, Volt, Flax, Brass) reflect technical clusters of activity, not independent strategic entities. As FBI Director Christopher Wray testified to Congress in January 2024, “The PRC cyber threat is made vastly more dangerous by the way they knit cyber into a whole-of-government campaign against us.” This unified strategic framework means an access point gained by an espionage unit into a telecommunications provider can be seamlessly handed to a pre-positioning unit for future disruptive use. The strategy emphasizes long-term strategic positioning, technical stealth, and comprehensive intelligence collection, with persistent access aimed at achieving strategic leverage during a geopolitical crisis.
These campaigns were forged in the digital networks of ASEAN critical infrastructure, revealing a clear pattern of testing and refinement.
Pivotal Case Studies: From Saigon to Singapore
The Salt Typhoon campaign, which made headlines for breaching major U.S. telecoms in 2024, was preceded by years of reconnaissance across Southeast Asia. Although the telecommunications sector drew the spotlight, it’s clear now that the first intrusions happened in the government services and facilities sector. Public reporting ties the same operators to espionage campaigns that began in ASEAN as early as 2019.
Regional governments were sounding the alarm years before Western intelligence agencies took notice. In 2018, then-Vietnamese Prime Minister Nguyen Xuan Phuc warned that “some cyberattacks using malicious codes seriously affected agencies and organizations in Vietnam,” noting that “the current situation of transmitting malicious codes in Vietnam is at an alarming rate.”
Furthermore, precursor campaigns like Operation Soft Cell (2018 to 2020) targeted telecommunications providers across Malaysia, Vietnam, and Thailand, testing router exploitation and the compromise of lawful intercept capabilities that reappeared later in the Salt Typhoon campaign.
The APT40/Leviathan group conducted extensive operations against port authorities and maritime communication networks in Malaysia and other ASEAN members between 2017 and 2019. This focused testing of techniques to compromise operational technology in the South China Sea region established the clear precursor to Volt Typhoon’s later focus on ports and maritime logistics across the United States and Guam.
Perhaps most concerning were the edge device exploitation techniques – targeting network perimeter devices like routers, VPNs, and firewalls – that were honed in regional networks. Early Typhoon precursors targeted telecommunications providers in Vietnam, Malaysia, and the Philippines as early as 2021, refining the router exploitation capabilities that were deployed against high-value Western targets months later.
When Victims Become Targets: The Reporting Paradox
When Salt Typhoon breaches became public, affected companies faced immediate regulatory probes rather than collaborative support. This hostility created a chilling effect: other critical infrastructure sectors detecting similar intrusions now feared coming forward. The result undermined a holistic defense and gave attackers more time to embed themselves deeper into critical systems.
The purpose of these multi-year, multi-billion-dollar infiltration campaigns extends beyond intelligence gathering. Beijing seeks to pre-position disruptive capabilities within the infrastructure of geopolitical rivals, creating strategic leverage that enables graduated response options during crises and deters adversary actions by presenting credible threats of disruption.
The infiltration of all 16 critical infrastructure sectors means the entire system is vulnerable to a coordinated “Day One” strike. A Taiwan contingency would likely trigger Beijing’s activation of this pre-positioned access, targeting societal disruption rather than traditional military objectives. Such a coordinated strike would cascade across critical systems: communications networks going dark, traffic control and port management systems failing, and essential services from water treatment to hospital databases becoming inaccessible. These disruptions would simultaneously degrade U.S. military readiness while Beijing’s pre-positioned telecommunications access would enable mass surveillance and decisive intelligence advantages during the crisis.
INDOPACOM and the New Deterrence Architecture
For three decades, Washington has responded to Chinese cyber campaigns with classified countermeasures and quiet protests while Beijing refined its capabilities across Southeast Asia. Salt Typhoon alone inflicted over $15 billion in long-term damages. As Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly warned in February 2024, “The PRC cyber threat is not theoretical: leveraging information from our government and industry partners, CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. And what we’ve found to date is likely the tip of the iceberg.”
The recent CISA-Vietnam MOU signed in November 2024 and Enhanced Defense Cooperation Agreement (EDCA) with the Philippines provide an opportunity to transform U.S. Indo-Pacific Command (INDOPACOM) into the operational center for a new deterrence approach that links cyber intrusions to tangible regional consequences.
By establishing more active intelligence-sharing mechanisms with Vietnam and the Philippines, INDOPACOM could create a framework where detected intrusions trigger calibrated maritime capability transfers and infrastructure hardening across the region. This would transform the months-to-years intelligence advantage Southeast Asia provides into graduated deterrence, forcing Beijing to calculate whether each cyber operation is worth accelerating the militarization of its periphery.
For example, detected intrusions into Philippine telecommunications infrastructure could trigger expedited transfer of specific coastal radar systems or information retrieval system capabilities under existing EDCA frameworks. Compromises of Vietnamese critical infrastructure could accelerate joint cyber defense center establishment timelines by predetermined intervals, creating tangible costs for Beijing’s intelligence operations.
The strategic logic is compelling: cyber espionage becomes self-defeating when each intrusion strengthens the very regional architecture designed to contain Chinese expansion. As the sophistication of these campaigns continues to evolve, the window to leverage Southeast Asia’s early warning advantage is narrowing. The question is no longer whether Beijing will activate its pre-positioned access, but whether Washington will recognize and act on the intelligence gift that Southeast Asia provides before the next campaign moves from testing ground to target.
