WWW.INFORMATIONWEEK.COM
How Conflict With China Might Play Out in the Cyber Realm
Earlier this year, China-linked threat group Salt Typhoon allegedly breached major telecommunications companies, potentially gaining access to US wiretap systems. The full scope of the breach remains unknown, and the hackers are potentially still lurking in telecommunications networks.

This breach is hardly the first time a group associated with China targeted critical infrastructure in the US. Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), and Christopher Wray, director of the FBI, have both been vocal about the threat China poses to US critical infrastructure.

In a 2024 opening statement before the House Select Committee on Strategic Competition Between the United States and the Chinese Communist Party, Easterly said, "Specifically, Chinese cyber actors, including a group known as Volt Typhoon, are burrowing deep into our critical infrastructure to be ready to launch destructive cyber-attacks in the event of a major crisis or conflict with the United States."

In April, Wray brought up this concern at the Vanderbilt Summit on Modern Conflict and Emerging Threats. "The fact is, the PRC's targeting of our critical infrastructure is both broad and unrelenting."

At the Cyberwarcon conference, Morgan Adamski, executive director of US Cyber Command, chimed in with a warning about how China's position in critical infrastructure could cause disruptive cyberattacks if the two countries enter into a major conflict, Reuters reports.

If conflict does erupt between China and the US, what could disruptive cyberattacks on critical infrastructure look like? What can the government and critical infrastructure leaders do to prepare?

The Possibility of Disruptive Cyberattacks

The US has 16 critical infrastructure sectors. "All of them are called critical because they would impact society to some degree were they to be taken offline," says Eric Knapp, CTO of OT for OPSWAT, a company focused on critical infrastructure cybersecurity. "And they're all susceptible to cyberattack to some degree."

Telecommunications and power could be prime targets for China in a conflict. "Back from the dawn of time when people would go to war, you would try to eliminate your opponent's ability to communicate and their ability to power their systems," says Knapp.

But other sectors, such as water, health care, food, and financial services, could be targeted as well.

"The intent of these kind of operations may be to provide a distraction in order to slow down a US response, if there was to be one, in any sort of conflict involving Taiwan," says Rafe Pilling, director of threat intelligence for the counter threat unit at cybersecurity company Secureworks.

While it is uncertain exactly how these attacks would play out, there are real-world examples of how adversaries can attack critical infrastructure to their advantage. "Unfortunately, there's a roadmap that we can look at that's happening in the real world right now in the Russia-Ukraine conflict," says Knapp.

Leading up to and following Russia's invasion of Ukraine, Russia executed many cyberattacks on Ukrainian critical infrastructure, including its power grid.

If China were to use its positioning in US critical infrastructure to carry out similarly disruptive attacks, they would be dealing with very distributed systems. It would be very unlikely to see something like a nationwide power outage, Knapp tells InformationWeek.

"What you'd likely see is a cascade of smaller localized disruptions," says Pilling.

Those disruptions could still be very impactful, potentially causing chaos, physical harm, death, and financial loss. But they would not last forever.

"Many of these sectors, for reasons completely unrelated to cyberattacks, are used to being able to resolve issues, work around problems, and get services up and running quickly," says Pilling. "Resiliency and quick restoration of services, particularly in the energy sector, [are] an important part of their day-to-day planning."

Threat Actors

Salt Typhoon and Volt Typhoon are two widely recognized Chinese cyber threat groups that target US critical infrastructure.

"All [of] these different Chinese threat actor groups, they have different motivations, different goals, different countries that they're attacking," says Jonathan Braley, director of threat intelligence at nonprofit Information Technology-Information Sharing and Analysis Center (IT-ISAC).

In addition to pre-positioning for disruptive cyberattacks, motivations could also include intellectual property theft and espionage.

While Salt Typhoon is the suspected culprit behind the major breach in the US telecommunications sector, it actively targets victims in other sectors as well. For example, the group reportedly targeted hotels and government, according to FortiGuard Labs.

"Targeting hotels and targeting telcos is often to get information about people's movements and what they've been saying to each other and who they've been communicating with. So, it's part of a collection for a wider intelligence picture," says Pilling.

Volt Typhoon has targeted systems in several critical infrastructure sectors, including communications, energy, transportation, and water, according to CISA.

"They combine a number of tactics that make them quite stealthy," says Pilling. For example, Volt Typhoon makes use of living off the land techniques and will move laterally through networks. It often gains initial access via known or zero-day vulnerabilities.

"In some cases, they would use malware but for the vast majority of cases they were using built-in tools and things that were already deployed on the network to achieve their aims of maintained persistence in those networks," Pilling shares.

Salt Typhoon and Volt Typhoon are just two groups out of many China-backed threat actors. IT-ISAC has adversary playbooks for threat actors across many different countries of origin.

"We have about 50 different playbooks for different Chinese nation state actors, which is a lot," Braley tells InformationWeek. "I think if we look at other countries there might be a dozen or so."

While China-linked threat groups pose a risk to critical infrastructure, they are not alone.

"As we approach various global conflicts, we need to be prepared that not only we're going to have these nation states coming out, [but] we also [have] to watch some of these hacktivist groups that are aligned with these countries as well," says Braley.

Preparing Critical Infrastructure

The government and critical infrastructure operators both have roles to play in preparing for the potential of disruptive cyberattacks. Information sharing is vital. Government agencies like CISA can continue to raise awareness. Critical infrastructure operators can share insight into any malicious activity they discover to help other organizations.

Critical infrastructure operators also have a responsibility to harden their cybersecurity posture.

"A lot of the basic hygiene that organizations need to be doing is not expensive cutting-edge cybersecurity work. It's the basics of making sure things are patched, minimizing attack surfaces externally, making sure that there is good monitoring across the network to detect intrusions early when they occur," says Pilling. "I think it's a culture and a mind shift as much as need for more budget."
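As an added example that is not part of the article and is not code from any of the companies or agencies quoted, the Python script below shows one concrete form of the "good monitoring across the network" Pilling calls for, aimed at the living-off-the-land, lateral-movement pattern attributed to Volt Typhoon above: it parses process-creation log lines (a constructed sample, not real telemetry) and flags any account that runs built-in Windows administrative tools on several distinct hosts within a short window. The log format, field names, tool watchlist, window and host threshold are all assumptions made for illustration; in production the same heuristic would normally be written as a SIEM or EDR query over Sysmon event ID 1 or Windows Security event 4688 data.

```python
"""Hunt for living-off-the-land style activity spanning several hosts.

Added example: reads process-creation events (a constructed sample is
embedded below; it is not real telemetry) and flags any account that runs
built-in Windows administrative tools on several distinct hosts within a
short window, a pattern consistent with lateral movement that relies on
tools already present on the network rather than on dropped malware.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlist (an editorial assumption for this example, not taken
# from the article): legitimate Windows binaries that also appear in
# living-off-the-land activity, so their use across many hosts is a lead.
LOTL_TOOLS = {
    "wmic.exe", "netsh.exe", "ntdsutil.exe", "powershell.exe",
    "net.exe", "reg.exe", "schtasks.exe",
}

# Constructed sample log lines in a simple "timestamp key=value ..." format.
SAMPLE_LOG = [
    r"2024-11-20T10:01:05Z host=WS01 user=CORP\svc-backup image=C:\Windows\System32\wbem\wmic.exe",
    r"2024-11-20T10:07:40Z host=WS01 user=CORP\alice image=C:\Program Files\Editor\editor.exe",
    r"2024-11-20T10:12:18Z host=WS02 user=CORP\svc-backup image=C:\Windows\System32\netsh.exe",
    r"2024-11-20T10:15:02Z host=WS03 user=CORP\alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"2024-11-20T10:26:51Z host=DC01 user=CORP\svc-backup image=C:\Windows\System32\ntdsutil.exe",
    r"2024-11-20T14:40:00Z host=WS05 user=CORP\svc-backup image=C:\Windows\System32\net.exe",
]

# key=value pairs; a value runs until the next " key=" or end of line, so
# paths containing spaces (e.g. "Program Files") survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Parse one log line into a dict with a datetime and the image basename."""
    ts_text, _, rest = line.strip().partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    for required in ("host", "user", "image"):
        if required not in fields:
            raise ValueError(f"missing field {required!r} in line: {line!r}")
    return {
        "ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        "host": fields["host"],
        "user": fields["user"],
        # Compare on the executable name only; install paths vary between hosts.
        "tool": fields["image"].rsplit("\\", 1)[-1].lower(),
    }


def find_lateral_lotl(events, window=timedelta(hours=1), min_hosts=3):
    """Return one finding per account that ran watchlisted tools on at least
    ``min_hosts`` distinct hosts inside any span no longer than ``window``."""
    by_user = defaultdict(list)
    for event in events:
        if event["tool"] in LOTL_TOOLS:
            by_user[event["user"]].append(event)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window forward so evs[start:end+1] all fit inside it.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            hosts = {e["host"] for e in span}
            if len(hosts) >= min_hosts:
                findings.append({
                    "user": user,
                    "hosts": sorted(hosts),
                    "tools": sorted({e["tool"] for e in span}),
                    "first_seen": span[0]["ts"],
                    "last_seen": span[-1]["ts"],
                })
                break  # one lead per account is enough for a hunt queue
    return findings


def hunt(lines=SAMPLE_LOG, **kwargs):
    """Convenience wrapper: parse the lines and run the heuristic over them."""
    return find_lateral_lotl([parse_event(line) for line in lines], **kwargs)


if __name__ == "__main__":
    for finding in hunt():
        print(f"{finding['user']} ran {', '.join(finding['tools'])} on "
              f"{', '.join(finding['hosts'])} between "
              f"{finding['first_seen']:%H:%M} and {finding['last_seen']:%H:%M}")
```

On the constructed sample the script reports the single account that touched three hosts with three different built-in tools inside 25 minutes, while the ordinary user who ran PowerShell once on one host is not flagged. The heuristic produces leads, not verdicts: legitimate administrators and backup service accounts will trip it too, so a deployment would baseline known admin accounts and tune the window and host threshold against its own telemetry before alerting on it.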