On 27 August 2025, CISA, the NSA and the FBI, together with partner agencies from other countries, issued a joint advisory describing one of the most consequential cyber espionage campaigns in modern memory. Salt Typhoon, a Chinese state-sponsored APT linked to the Ministry of State Security, had compromised organisations in more than 80 countries, with 200+ affected organisations identified in the US alone, and with particular concentration in telecommunications, government, and critical infrastructure.
For Malaysian and regional security teams, the advisory was a marker. Nation-state activity is no longer a Western or US-centric concern. The same actors target Southeast Asian telecommunications, financial services, and government networks with the same tradecraft. Understanding how to hunt for nation-state activity is now part of any serious defensive posture.
The cast of typhoons
Several Chinese APT campaigns have come to public attention since 2023, each with distinct objectives:
- Salt Typhoon (also tracked as OPERATOR PANDA, RedMike, UNC5807, GhostEmperor) — espionage and intelligence collection, particularly against telecommunications providers.
- Volt Typhoon — pre-positioning for disruption of US critical infrastructure (water, power, transportation). Less about data theft, more about establishing persistent access for future use. CISA's February 2024 advisory remains the canonical reference.
- Flax Typhoon — broad targeting of Taiwanese government, manufacturing, and education networks, with some reported infrastructure overlap with Salt Typhoon.
- Velvet Ant — operating with notable patience; Sygnia's 2024 reporting documented a dwell time of around three years in one victim network.
In January 2025, the US Treasury sanctioned Sichuan Juxinhe Network Technology for its role in the Salt Typhoon intrusions. The August 2025 advisory went further and named Beijing Huanyu Tianqiong Information Technology alongside it as a civilian-facing company providing cyber-related products and services to China's intelligence services. Attribution at the level of named contractor companies is recent and consequential: it links a "typhoon" cluster to specific legal entities rather than to an anonymous unit.
Why nation-state TTPs matter for everyone
The argument that "we are not a target" no longer holds. Nation-state TTPs (tactics, techniques, and procedures) are typically adopted by criminal groups within 12–18 months of public disclosure. The infrastructure patterns, the obfuscation, and the post-exploitation tradecraft become commoditised. If you can detect a typhoon-class campaign, you are simultaneously covered against most of the criminal activity that will copy it.
The defining characteristics of nation-state campaigns that defenders must understand:
Long dwell times. Mandiant's M-Trends 2025 reports a global median dwell time of 11 days across all investigated intrusions, but the right tail for espionage actors is much longer: months in many incidents, years in some.
Living off the land. Nation-state operators avoid bringing their own malware where possible. They use legitimate, signed administrative tools (PowerShell, WMI, schtasks, cloud APIs) that signature-based detection rarely flags, because nothing malicious is written to disk. Detection has to come from behaviour and context: command-line and script-block logging, who ran what on which host, and whether that matches a known administrative pattern.
Patient lateral movement. Movement is slow and deliberate. Privilege escalation often takes weeks rather than minutes. Anomaly detection tuned for criminal-pace movement (ransomware crews that go from initial access to domain admin in hours) misses this entirely.
Defensive evasion. Logs are altered or cleared. Endpoint protection is disabled selectively rather than wholesale. Detection tooling is studied and worked around, which is why the actor's first reconnaissance target is often the security stack itself.
Threat hunting against nation-state activity
Hunting model for nation-state TTPs
Effective threat hunting is hypothesis-driven, not alert-driven. The question is not "what fired in my SIEM?" but "where would a sophisticated actor hide if they wanted to remain undetected for six months?"
The hunting model that consistently works against nation-state TTPs has four phases:
Phase 1: Hypothesis generation
Start with a specific, testable hypothesis grounded in MITRE ATT&CK. Example: "If Volt Typhoon-style actors are present in our network, they would establish persistence through scheduled tasks (T1053.005, Scheduled Task) on infrastructure servers, using accounts that have not authenticated interactively in 30+ days." A hypothesis of this shape names the technique, the asset class, and the anomaly that distinguishes the actor from legitimate administration. It is far more productive than a generic "look for anomalies."
Phase 2: Data hunting
Query the data sources where evidence of the hypothesis would appear. For the example above: Windows Security event log task events (4698 task created, 4702 task updated; 4699, 4700 and 4701 for delete, enable and disable), endpoint task-creation telemetry, and authentication logs (4624 with an interactive logon type: 2 for console, 10 for RDP, 11 for cached interactive) to establish when each creating account last logged on interactively. One caveat a practitioner will hit immediately: 4698 and 4702 are only written if the "Audit Other Object Access Events" subcategory is enabled, and the Task Scheduler operational log (event 106, task registered) is off by default on many builds. A hunt that finds nothing because the telemetry was never collected is a visibility gap, not a clean result.
Phase 3: Analysis and validation
Analyse anomalies in context. Most findings are benign administrative activity. The real signal is in the narrow set of activity that does not match any documented business process or authorised administrator pattern.
Phase 4: Remediation and detection engineering
Confirmed findings drive both incident response and the creation of new detection rules. Each successful hunt should produce at least one new continuous detection so the same TTP cannot recur unobserved.
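The four phases above, worked through on constructed data as an added example (this is not code from the original article or from any vendor tooling): the hypothesis from Phase 1 becomes a query over 4698/4702 task events joined against each account's last interactive 4624 logon, Phase 3 filters findings against a baseline of documented business tasks, and Phase 4 seeds a Sigma-style rule from a confirmed finding. The host scope, the authorised-task baseline, and every event record are assumptions constructed for the example; the event field names (EventID, SubjectUserName, TargetUserName, LogonType, TaskName, TaskContent) follow the Windows Security log schema.

```python
"""Hypothesis-driven hunt for T1053.005 persistence by dormant accounts.

Hypothesis: an intruder has created or modified scheduled tasks on infrastructure
servers using an account with no interactive logon in the preceding 30+ days.
Input is Windows Security events already flattened into dicts, the shape a SIEM
export gives you. All events, hosts and baselines below are constructed sample data.
"""
from datetime import datetime, timedelta

INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # Interactive, RemoteInteractive (RDP), CachedInteractive
TASK_EVENT_IDS = {4698: "task created", 4702: "task updated"}
DORMANT_DAYS = 30

INFRA_HOSTS = {"DC01", "FS01"}                       # assumed hunt scope (constructed)
AUTHORISED_TASKS = {("FS01", r"\Backup\Nightly")}    # assumed documented business tasks (constructed)

SAMPLE_EVENTS = [  # constructed telemetry, times in UTC
    # 4624 logons: TargetUserName is the account that logged on
    {"EventID": 4624, "TimeCreated": "2025-06-02T01:00:00", "Computer": "DC01",
     "TargetUserName": "svc_monitor", "LogonType": 2},
    {"EventID": 4624, "TimeCreated": "2025-08-28T22:15:00", "Computer": "DC01",
     "TargetUserName": "svc_monitor", "LogonType": 3},   # network logon: not interactive
    {"EventID": 4624, "TimeCreated": "2025-08-29T08:03:00", "Computer": "FS01",
     "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2025-08-01T09:12:00", "Computer": "FS01",
     "TargetUserName": "jtan", "LogonType": 10},
    # 4698/4702 task events: SubjectUserName is the account that created/changed the task
    {"EventID": 4698, "TimeCreated": "2025-08-30T02:11:00", "Computer": "DC01",
     "SubjectUserName": "svc_monitor", "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\HealthCheck",
     "TaskContent": "<Command>powershell.exe</Command><Arguments>-nop -w hidden -File C:\\ProgramData\\hc.ps1</Arguments>"},
    {"EventID": 4698, "TimeCreated": "2025-08-30T02:30:00", "Computer": "FS01",
     "SubjectUserName": "svc_legacy", "TaskName": r"\Backup\Nightly",
     "TaskContent": "<Command>C:\\Backup\\run.exe</Command>"},
    {"EventID": 4702, "TimeCreated": "2025-08-30T02:45:00", "Computer": "DC01",
     "SubjectUserName": "svc_deploy", "TaskName": r"\Maintenance\Cleanup",
     "TaskContent": "<Command>cmd.exe</Command><Arguments>/c C:\\Windows\\Temp\\c.bat</Arguments>"},
    {"EventID": 4698, "TimeCreated": "2025-08-30T03:00:00", "Computer": "FS01",
     "SubjectUserName": "svc_backup", "TaskName": r"\Backup\Weekly",
     "TaskContent": "<Command>C:\\Backup\\run.exe</Command>"},
    {"EventID": 4698, "TimeCreated": "2025-08-30T04:00:00", "Computer": "WS-FINANCE-07",
     "SubjectUserName": "jtan", "TaskName": r"\User\Sync", "TaskContent": "<Command>sync.exe</Command>"},
]


def last_interactive_logons(events):
    """Account -> most recent interactive logon (4624 with an interactive LogonType)."""
    last = {}
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] in INTERACTIVE_LOGON_TYPES:
            t = datetime.fromisoformat(e["TimeCreated"])
            acct = e["TargetUserName"].lower()
            if acct not in last or t > last[acct]:
                last[acct] = t
    return last


def hunt_dormant_account_tasks(events, infra_hosts, dormant_days=DORMANT_DAYS):
    """Phase 2: task create/update events on in-scope hosts where the acting account
    had no interactive logon within dormant_days before the event (or ever)."""
    last = last_interactive_logons(events)
    window = timedelta(days=dormant_days)
    findings = []
    for e in events:
        if e["EventID"] not in TASK_EVENT_IDS or e["Computer"] not in infra_hosts:
            continue
        t = datetime.fromisoformat(e["TimeCreated"])
        acct = e["SubjectUserName"].lower()
        seen = last.get(acct)
        if seen is not None and t - seen < window:
            continue  # interactively active account: outside the hypothesis
        findings.append({
            "computer": e["Computer"], "account": acct, "event": TASK_EVENT_IDS[e["EventID"]],
            "task_name": e["TaskName"], "task_content": e["TaskContent"],
            "days_dormant": (t - seen).days if seen is not None else None,  # None = never seen
        })
    return findings


def validate(findings, authorised_tasks):
    """Phase 3: drop findings that match a documented business process."""
    return [f for f in findings if (f["computer"], f["task_name"]) not in authorised_tasks]


def detection_rule(finding):
    """Phase 4: seed a Sigma-style rule (YAML text) from a confirmed finding so the
    same account/task pairing cannot recur unobserved. Widen the selection after review."""
    return "\n".join([
        f"title: Scheduled task '{finding['task_name']}' touched by dormant account {finding['account']}",
        "logsource: {product: windows, service: security}",
        "detection:",
        "  selection:",
        "    EventID: [4698, 4702]",
        f"    SubjectUserName: {finding['account']}",
        f"    TaskName: '{finding['task_name']}'",
        "  condition: selection",
        "level: high",
    ])


if __name__ == "__main__":
    confirmed = validate(hunt_dormant_account_tasks(SAMPLE_EVENTS, INFRA_HOSTS), AUTHORISED_TASKS)
    for f in confirmed:
        print(f"{f['computer']}: {f['event']} {f['task_name']} by {f['account']} "
              f"(days since interactive logon: {f['days_dormant']})")
    print(detection_rule(confirmed[0]))
```

Two design points are worth noting. Dormancy is measured relative to the task event rather than to "now", so a hunt over last quarter's data gives the same answer it would have given at the time. And the network logon (type 3) by svc_monitor is deliberately ignored: service accounts generate network logons constantly, and counting them would hide exactly the case the hypothesis is looking for, an account that has not been used by a human for months suddenly registering a hidden PowerShell task on a domain controller.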
The AI dimension
AI is reshaping threat hunting in two directions. Defenders are using LLM-based agents to draft hypotheses, generate and run telemetry queries, and correlate findings, compressing what used to be week-long hunts into hours. Attackers are using AI to make their tradecraft harder to detect: better-tailored phishing, more convincing impersonation, and increasingly, agentic tooling that adapts to defensive controls as it encounters them.
The implication for defenders is to invest in both sides: the instrumentation that gives AI hunting tools clean, complete data to work with (an agent cannot find a 4698 event that was never logged), and threat intelligence integration that keeps the hypothesis library current as new typhoon-class campaigns are disclosed.
What Malaysian organisations should do
Three concrete actions for any organisation in regulated Malaysian sectors:
- Subscribe to and read CISA, the UK NCSC, Malaysia's NACSA, and Mandiant advisories monthly. Salt Typhoon-era TTPs are public knowledge; ignorance is no longer a defensible posture.
- Map your detection coverage to MITRE ATT&CK. Identify which techniques used by typhoon-class campaigns you cannot currently detect, and distinguish "no rule" from "no telemetry", because the second is the harder gap. Prioritise accordingly.
- Run a quarterly nation-state-themed threat hunt. Even if you find nothing, the hunt itself surfaces the visibility and logging gaps that need fixing before a real intrusion.
For teams building this capability, our AI Agentic Security programme covers the threat hunting methodology end-to-end, with hands-on exercises against representative nation-state TTPs and full alignment with MITRE ATT&CK and BNM RMiT requirements.