PRC Cyber And Critical Infrastructure Defensive Source Packet

UNCLASSIFIED//OPEN SOURCE

Source Packet ID: WI-SOURCEPACKET-CHINA-CYBER-CI-2026-0001

Prepared UTC: 2026-06-14T19:56:06Z

Information cutoff UTC: 2026-06-14T19:56:06Z

Source base: ODNI 2026 Annual Threat Assessment; Department of Defense 2025 Annual Report to Congress: Military and Security Developments Involving the People's Republic of China; CISA cybersecurity advisory source family, including PRC state-sponsored cyber advisory routing; NSA cybersecurity advisory source family; FBI cyber and counterintelligence source families; Department of Justice January 31, 2024 Volt Typhoon / KV Botnet disruption press release and linked CISA advisory routing; State Council English / SCIO China's Law-Based Cyberspace Governance in the New Era issuer source; existing WARLOCK-INDEX global cyber and critical infrastructure baseline, China/PLA source baseline, DoD/DIA China extraction map, PRC issuer-language packet, PRC MND and PLA official-media dated capture packet, DoD-to-PRC issuer-language claim crosswalk, PLA services and arms packet, Taiwan pressure packet, South China Sea packet, official U.S. register, U.S. intelligence and law-enforcement register, foreign-government register, China actor profile, China/PLA tracker, coverage map, and global assimilation matrix.

Analytic confidence: High for ODNI 2026 cyber threat framing, DoD 2025 PLA cyber section identity, DOJ January 31, 2024 disruption source identity, State Council cyberspace-governance issuer-source identity, and existing WARLOCK-INDEX cyber baseline routing. Moderate for specific CISA, NSA, FBI, and allied advisory page-level extraction because some advisory URLs are captured through source-family routing and DOJ cross-links rather than full direct page content in this environment. Lower for actor tasking, intent, access persistence, sector-specific disruption severity, crisis timing, and private-sector victim completeness because public cyber sources are partial, defensive, dynamic, attribution-sensitive, and often deliberately non-exhaustive.

Purpose: Establish a safe reusable PRC cyber and critical-infrastructure source packet so future WARLOCK-INDEX products can separate public U.S. assessment, defensive cyber advisory material, DOJ/FBI disruption source events, PRC issuer cyber-governance claims, allied cyber-agency cross-checks, infrastructure-sector exposure, and derived analytic judgment without reproducing cyber methods or operational details.

Scope: Public strategic source organization for PRC state-sponsored cyber activity, PLA cyber modernization, critical-infrastructure risk, pre-positioning language, espionage, communications/energy/transportation/water-sector risk categories, SOHO-router and botnet disruption source routing, advisory source-family routing, PRC cyberspace-governance issuer claims, allied/Five Eyes advisory cross-check lanes, Taiwan/Indo-Pacific crisis relevance, and homeland/defense-industrial cyber exposure.

Boundary: Strategic defensive source-provenance support only. This packet does not provide cyber operations guidance, exploit steps, vulnerability weaponization, scanning procedures, malware logic, command syntax, credential theft workflows, evasion methods, indicator tables for misuse, victim-specific guidance, infrastructure targeting, collection tasking, incident-response playbooks, intrusion replication, or tactical guidance.

Bottom Line

PRC cyber is now a dedicated defensive source lane rather than a broad "future cyber packet" queue item. ODNI 2026 provides the current public IC strategic frame: China is described as the most active and persistent cyber threat to U.S. government, private-sector, and critical-infrastructure networks, while multiple state and nonstate actors can pre-position or carry out disruptive activity against critical infrastructure. DoD 2025 provides the military-power frame: PLA cyber activity is tied to crisis and conflict relevance, defense and civilian critical-infrastructure disruption, and allied interoperability concerns.

CISA, NSA, FBI, and allied advisories are defensive public sources. They are useful for actor naming, sector exposure, source-family routing, mitigation themes, and official warning chronology. WARLOCK-INDEX should not reproduce technical procedures, exploit paths, malware operation, or indicator tables. DOJ disruption releases, including the January 31, 2024 Volt Typhoon / KV Botnet release, are law-enforcement source events: useful for what the U.S. government publicly says it disrupted and why, not complete visibility into actor access or intent.

PRC cyberspace-governance sources should be treated as issuer claims. The State Council / SCIO cyberspace-governance white-paper lane is useful for how Beijing publicly describes law, sovereignty, governance, and regulation in cyberspace. It is not independent evidence about PRC cyber operations, restraint, legality, or attribution.

Packet Use Rules

  1. Separate public U.S. assessment, defensive advisory material, law-enforcement disruption source events, PRC issuer claims, allied cyber agency material, private-sector reporting, and WARLOCK-INDEX judgment.
  2. Use ODNI 2026 for strategic cyber threat framing and DoD 2025 for PLA military-power and crisis-relevance framing.
  3. Use CISA, NSA, FBI, and allied advisories at defensive strategic level: actor, sector, warning chronology, source family, and mitigation theme.
  4. Do not reproduce exploit steps, command syntax, malware procedures, detection signatures, IOCs, vulnerable-product lists, scanning logic, or evasion detail.
  5. Use DOJ/FBI disruption releases as law-enforcement source events, not as complete actor maps, victim lists, or technical remediation playbooks.
  6. Treat PRC State Council, CAC, MND, MFA, China Military Online, and Xinhua cyber material as issuer perspective and claim material.
  7. Keep critical-infrastructure sectors strategic and non-technical: communications, energy, transportation, water, health, finance, defense industrial base, cloud/data centers, space services, and state/local government continuity.
  8. Cross-read U.S. sources with allied cyber agencies before strengthening Five Eyes, NATO, Japan, Australia, Canada, United Kingdom, or EU claims.

Source Ledger

Source family | Publisher | Source class | Current status | Primary value | Limits
ODNI 2026 Annual Threat Assessment | Office of the Director of National Intelligence | A | Public PDF accessible | Current public IC frame for China as a persistent cyber threat, critical-infrastructure risk, and pre-positioning/disruptive potential | Summary-level public IC product; no classified inference or technical detail
DoD 2025 PRC military-power report | U.S. Department of Defense | A | Public PDF accessible | PLA cyber modernization, crisis/conflict relevance, defense and civilian infrastructure risk, and Cyberspace Force source routing | Public U.S. defense assessment; no operational extraction
CISA cybersecurity advisories | Cybersecurity and Infrastructure Security Agency | A, defensive cyber | Source family active in USILE register; page-level PRC advisories need dated direct refresh | Defensive advisory source family for PRC state-sponsored activity, critical-infrastructure risk, actor naming, and mitigation themes | Do not reproduce exploit paths, IOCs, scanning logic, or technical procedures
NSA cybersecurity advisories | National Security Agency | A, defensive cyber | Source family active in USILE register | Joint advisory and cyber defense guidance lane, especially with CISA, FBI, and allied agencies | Defensive strategic extraction only
FBI cyber and counterintelligence pages | Federal Bureau of Investigation | A | Source family active in USILE register | FBI public cyber, foreign intelligence, cybercrime, and reporting source routing | No investigative direction, private-person dossiers, or technical methods
DOJ Volt Typhoon / KV Botnet disruption release | U.S. Department of Justice | A, law-enforcement source event | Accessible 2026-06-14; archived DOJ page updated 2025-02-06 | Court-authorized disruption source event, botnet routing, U.S. critical-infrastructure concern, and links to CISA defensive advisories | Law-enforcement source event; no botnet operation, remediation playbook, or victim identification
PRC cyberspace-governance white paper | State Council English site / SCIO / Xinhua | A, issuer perspective | Accessible 2026-06-14 as attachment-routing page | PRC issuer language for cyberspace governance, law, regulation, and sovereignty claims | Not a cyber-threat source or independent attribution source
Global cyber and critical infrastructure baseline | WARLOCK-INDEX | Internal derived plus official anchors | Active | Existing source-safe actor/domain/infrastructure frame | Derived product; superseded by later dated source packets where applicable
Allied cyber-agency source family | NCSC/GCHQ, ASD/ACSC, Cyber Centre/CSE, NCSC-NZ, Japan NISC/NCO, NATO/EU agencies where captured | A/B depending on source | Registered across allied packets; China-specific page capture remains follow-on | Cross-check lane for PRC advisory coordination and regional critical-infrastructure relevance | Needs country/source-specific refresh before claim-level use

Source Separation Matrix

Claim family | First source lane | Required cross-check | WARLOCK-INDEX treatment
China as persistent cyber threat | ODNI 2026; DoD 2025 | CISA/NSA/FBI advisories; allied cyber agencies | Public U.S. assessment lane, not all-source completeness
PLA cyber modernization | DoD 2025; PLA services/arms packet | PRC issuer taxonomy, ODNI, CISA/NSA/FBI, allied sources | Strategic military-power source lane only
Critical-infrastructure pre-positioning | ODNI 2026; DOJ disruption release; CISA advisory source family | FBI/NSA/allied advisories, sector-source packets | Defensive warning/source-treatment lane; no technical procedure
SOHO-router and botnet disruption | DOJ January 31, 2024 release | CISA advisory links, FBI source family, private-sector reports if source-classed | Law-enforcement source event; no botnet technical replication
Telecommunications and communications risk | ODNI/DoD/CISA source family | FBI/DOJ, sector agencies, allied advisories | Strategic infrastructure-exposure lane; no provider-specific vulnerability mapping
Energy, transportation, water, and defense-industrial risk | ODNI/DoD/CISA source family | Sector risk-management agencies, allied advisories, DIB baseline | Sector exposure taxonomy; no target/vulnerability mapping
PRC cyber sovereignty/governance claim | State Council cyberspace-governance white paper; future CAC/MFA sources | ODNI, DoD, CISA/NSA/FBI, allied statements, legal sources | PRC issuer claim lane; no validation of legality or restraint
Taiwan or Indo-Pacific crisis cyber relevance | DoD 2025; Taiwan pressure packet; cyber baseline | CISA/NSA/FBI, Taiwan/allied sources, Indo-Pacific packets | Strategic coupling lane only; no contingency planning
Defensive mitigation themes | CISA/NSA/FBI advisory source families | Allied advisories, sector agencies, baseline | High-level themes only; no playbooks, signatures, or commands

Defensive Extraction Rules

  1. Extract advisory title, publisher, publication date, access date, joint agencies, actor label, sector category, and strategic warning theme.
  2. Summarize mitigation only at category level: patching, asset visibility, logging, identity hygiene, segmentation, secure-by-design procurement, end-of-life device replacement, and reporting pathways.
  3. Do not copy commands, queries, hashes, IPs, domains, file paths, vulnerability IDs, YARA/Sigma/Snort-like content, or malware behavior sequences into WARLOCK-INDEX.
  4. Do not identify victims, facilities, providers, routes, network diagrams, device inventories, or operational dependencies unless already public and essential at strategic level.
  5. Preserve attribution language exactly as each source family uses it: labels such as "PRC state-sponsored," "China-linked," "PLA," "MSS," "Volt Typhoon," "Flax Typhoon," "Salt Typhoon," "actor," "botnet," or "activity" must not be silently normalized into one another.
  6. Treat private-sector threat reports as support material only after a separate source-classing pass.
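The rules above are mechanical enough to check before a draft record is filed. The following is an added example, not WARLOCK-INDEX code: a Python checker that enforces rule 1 (required fields), rule 2 (category-level mitigation only), rule 5 (verbatim attribution labels) and flags rule 3 artefact classes (addresses, hashes, vulnerability IDs, paths, command lines) for human review. The field names, the closed label lists and both sample records are assumptions constructed for this example.

```python
import re

# Rule 1: fields every advisory extraction record must carry (assumed field names).
REQUIRED_FIELDS = ("title", "publisher", "published", "accessed", "joint_agencies",
                   "actor_label", "sector", "warning_theme", "mitigation_theme")

# Rule 2: mitigation is recorded only as one of these category labels.
MITIGATION_THEMES = {"patching", "asset visibility", "logging", "identity hygiene",
                     "segmentation", "secure-by-design procurement",
                     "end-of-life device replacement", "reporting pathways"}

# Rule 5: attribution labels are kept verbatim from the source family (closed list assumed).
ACTOR_LABELS = {"PRC state-sponsored", "China-linked", "PLA", "MSS", "Volt Typhoon",
                "Flax Typhoon", "Salt Typhoon", "actor", "botnet", "activity"}

# Rule 3: review triggers, not classifiers; domains are left to human review (they collide with citations).
ARTEFACT_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "hash": re.compile(r"\b[0-9a-fA-F]{32,64}\b"),           # MD5/SHA-1/SHA-256 length hex
    "vuln_id": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
    "path": re.compile(r"(?:[A-Za-z]:\\|/(?:etc|usr|var|tmp|bin)/)\S*"),
    "command": re.compile(r"^\s*(?:\$|PS>)\s*\S+", re.M),    # shell or PowerShell prompt lines
}

def check_record(record: dict) -> list[str]:
    """Return findings for one draft record; an empty list means it may be filed."""
    findings = []
    for name in REQUIRED_FIELDS:
        if not record.get(name):
            findings.append(f"missing required field: {name}")
    mitigation = record.get("mitigation_theme")
    if mitigation and mitigation not in MITIGATION_THEMES:
        findings.append(f"mitigation not at category level: {mitigation!r}")
    actor = record.get("actor_label")
    if actor and actor not in ACTOR_LABELS:
        findings.append(f"attribution label not verbatim from a source family: {actor!r}")
    for key, value in record.items():
        if isinstance(value, str):
            for kind, pattern in ARTEFACT_PATTERNS.items():
                if pattern.search(value):
                    findings.append(f"technical artefact ({kind}) in field {key!r}")
    return findings

# Constructed sample records (not real advisories); 192.0.2.10 is a documentation-range address.
SAMPLE_OK = {
    "title": "Joint advisory on PRC state-sponsored activity (constructed)", "publisher": "CISA",
    "published": "2026-01-15", "accessed": "2026-06-14", "joint_agencies": "CISA, NSA, FBI",
    "actor_label": "PRC state-sponsored", "sector": "Communications",
    "warning_theme": "Pre-positioning against critical infrastructure",
    "mitigation_theme": "end-of-life device replacement",
}
SAMPLE_FLAGGED = dict(SAMPLE_OK, actor_label="Chinese hackers",
                      warning_theme="Beaconing to 192.0.2.10 staged from /tmp/stage",
                      mitigation_theme="$ vendor-tool --apply-fix")
```

Running `check_record(SAMPLE_FLAGGED)` yields five findings (one each for the address, the path, the prompt line, the non-category mitigation and the non-verbatim label), while `SAMPLE_OK` passes clean.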

Infrastructure-Sector Routing

Sector lane | Cyber-source role | Companion source | Boundary
Communications and telecommunications | Strategic exposure and crisis-coupling source lane | ODNI, DoD, CISA/NSA/FBI, sector agencies, allied advisories | No provider vulnerability maps, lawful intercept detail, or network diagrams
Energy | Infrastructure-disruption exposure and homeland-defense context | ODNI, CISA, DOE where later captured, cyber baseline | No facility mapping, control-system detail, or outage guidance
Transportation and logistics | Military mobility, port/rail/aviation/logistics exposure category | ODNI, CISA, DOT/TSA where later captured, DIB baseline | No route planning, chokepoint exploitation, or system diagrams
Water and wastewater | Local public-health and continuity exposure category | ODNI, CISA, EPA where later captured | No process-control instructions or plant-specific detail
Defense industrial base | Supplier, engineering, production, software, and continuity exposure | DIB baseline, DoD, CISA, FBI, allied industrial sources | No supplier target mapping or technical vulnerability extraction
Cloud, identity, and data centers | Cross-sector platform dependency lane | ODNI, CISA, NIST, sector advisories where later captured | No provider-specific attack path or configuration detail
Space services | Satellite communications and ground-support dependency lane | ODNI, space baseline, CISA, Space Force where later captured | No orbital, ground-station, or interference methods

Follow-On Queue

Packet | Purpose | Primary source families
PRC Cyber Advisory Page-Level Refresh | Capture exact CISA, NSA, FBI, DOJ, and allied PRC advisory pages with dates and access notes | CISA, NSA, FBI, DOJ, NCSC/GCHQ, ASD/ACSC, Cyber Centre/CSE
Salt Typhoon And Telecommunications Defensive Source Note | Separate public telecom-sector risk, lawful-intercept reporting, and official source caveats without technical or provider-specific detail | CISA, FBI, FCC/sector agencies, DOJ, allied advisories
PRC Cyber Governance Issuer-Language Refresh | Capture PRC State Council/CAC/MFA cyber-governance source pages, Chinese originals, and translation notes | State Council, CAC, MFA, Xinhua
Critical Infrastructure Sector Source Crosswalk | Pair PRC cyber advisory source families with sector risk-management agencies and existing infrastructure baselines | CISA, SRMAs, ODNI, DoD, DIB baseline
Allied PRC Cyber Cross-Check Packet | Add country-level allied cyber-agency source captures for PRC activity and critical-infrastructure warnings | UK, Canada, Australia, New Zealand, Japan, NATO/EU agencies

Information Gaps

  • Direct page-level extraction for specific CISA/NSA/FBI PRC advisories still needs a dedicated advisory refresh pass, especially where pages expose technical detail that must be summarized safely rather than copied.
  • Public sources do not reveal classified tasking, all victim identities, actor access persistence, crisis timing, or disruption thresholds.
  • PRC issuer pages require Chinese-original capture and translation-status notes before legal/governance language is treated as stable.
  • Allied cyber agencies need a China-specific cross-check packet rather than being scattered across country defense packets.
  • Sector risk-management agencies need separate source-family capture before communications, energy, water, transportation, health, finance, cloud, and DIB claims are strengthened.

Cross References

Source Base

  • Office of the Director of National Intelligence, Annual Threat Assessment of the U.S. Intelligence Community 2026: https://www.dni.gov/files/ODNI/documents/assessments/ATA-2026-Unclassified-Report.pdf
  • U.S. Department of Defense, 2025 Annual Report to Congress: Military and Security Developments Involving the People's Republic of China: https://media.defense.gov/2025/Dec/23/2003849070/-1/-1/1/ANNUAL-REPORT-TO-CONGRESS-MILITARY-AND-SECURITY-DEVELOPMENTS-INVOLVING-THE-PEOPLES-REPUBLIC-OF-CHINA-2025.PDF
  • Cybersecurity and Infrastructure Security Agency, cybersecurity advisories source family: https://www.cisa.gov/news-events/cybersecurity-advisories
  • Cybersecurity and Infrastructure Security Agency, PRC state-sponsored critical infrastructure advisory route: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
  • Cybersecurity and Infrastructure Security Agency, PRC living-off-the-land advisory route: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
  • National Security Agency, cybersecurity advisories and guidance source family: https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/
  • Federal Bureau of Investigation, cyber source family: https://www.fbi.gov/investigate/cyber
  • U.S. Department of Justice, U.S. Government Disrupts Botnet People's Republic of China Used to Conceal Hacking of Critical Infrastructure: https://www.justice.gov/archives/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical
  • State Council English site, Full text: China's Law-Based Cyberspace Governance in the New Era: https://english.www.gov.cn/archive/whitepaper/202303/16/content_WS6489542ec6d0868f4e8dcd56.html