The Daily Raptor
Newsletter Signup: dailyraptor.com

Thursday, August 7, 2025 Edition

China, Inside The Wire: Part IV

Cascading Chaos: When Infrastructure Dominoes Fall

Last week, we asked: "They've Mapped Every Dependency. Have You?" The answer, for most organizations, is no. While you're managing your piece of the infrastructure puzzle, China's cyber forces have mapped the entire board—every connection, every dependency, every cascading failure point.

Today, we're going to demonstrate what happens when they flip the switch.

In Part 4 of our series, we walk through the first 72 hours of a coordinated infrastructure attack—not as fiction, but as operational planning based on PLA doctrine and observed adversary capabilities. You'll see how a targeted cyber strike becomes a national crisis in hours, not days. How psychological operations amplify physical disruption. And why recovering from cascade failure is exponentially harder than preventing it.

This isn't a war game. It's their game plan. And the clock starts at Hour Zero.

The 72-Hour Descent: National Unraveling

Hour 0 - 6: The Silent Strike

T-0 Hours (2:00 AM EST, Tuesday)

The attack begins when America sleeps. Not with explosions, but with electrons. Dormant implants in power generation facilities across the Eastern Interconnection activate simultaneously. It's not a blackout—that would be too obvious. Instead, frequency disruptions cascade through the grid. Protective relays trip. Generators desynchronize. The grid doesn't fail—it tears itself apart.

Threat Motion: Modified protection relay firmware injects false frequency readings, causing legitimate safety systems to disconnect generation assets. Volt Typhoon's patient mapping of relay logic pays off—they're using our safety systems against us.

T+2 Hours

As grid operators scramble to understand the frequency instability, telecom networks begin degrading. It starts with intermittent outages in 5G towers—blamed initially on power fluctuations. But it's Salt Typhoon, using pre-positioned access to corrupt routing tables and overflow buffers in telecom switching centers. Emergency coordination channels fail first.

Threat Motion: BGP hijacking reroutes critical infrastructure communications through adversary-controlled nodes. Encrypted command channels for SCADA systems suddenly route through Beijing before going dark.

T+4 Hours

Financial networks detect anomalies. High-frequency trading algorithms react to power grid instability, triggering automated sell-offs. But the real attack is subtler—transaction timestamps are being manipulated. Trades execute out of sequence. Account balances flicker between values. Institutional trust in transaction integrity evaporates.

Threat Motion: Database timestamp manipulation using compromised NTP servers and direct database access. Not destroying data—corrupting its timeline, making reconciliation impossible.

Hour 6 - 24: The Cascade Accelerates

T+6 Hours (8:00 AM EST)

Morning arrives to partial power, degraded cell service, and ATMs displaying error messages. Social media still works—barely. That's intentional. Chaos needs witnesses.

Transportation networks begin failing in sequence. It starts with rail—signal systems report conflicting track occupancy. Automatic safety protocols halt all trains. Then aviation—flight management systems receive corrupted GPS data. Planes can fly, but they can't navigate precisely. The FAA grounds all flights.

Threat Motion: GPS spoofing combined with compromised Automatic Dependent Surveillance systems. Every plane appears to be somewhere it's not. Safety demands shutdown.

T+12 Hours

The psychological operation begins in earnest. Coordinated bot networks flood social media with conflicting reports:

  • "Nuclear plant meltdown in Pennsylvania"

  • "China invading Taiwan NOW"

  • "Bank runs in New York—get your money out"

  • Videos of violence that never happened (deepfakes indistinguishable from reality)

  • Social media channels flood with footage of massive ATM lines across multiple cities (real vs. deepfake indeterminate)

Real information becomes impossible to distinguish from fabrication. Local panic triggers actual in-person bank runs. Grocery stores are overwhelmed. Gas stations run dry—not from shortage, but from panic buying.

Threat Motion: Multi-platform information flooding using AI-generated content, amplified by compromised verified accounts and coordinated bot networks. Each false report contains enough truth to seem credible.

T+18 Hours

Water treatment facilities detect chemical imbalances. Chlorine levels spike in some cities, drop to zero in others. It's not real—the sensors are lying, their data corrupted. But municipalities can't risk it. Boil water advisories cascade across regions. Some cities shut off water entirely.

Healthcare networks simultaneously detect ransomware signatures. It's a false flag—the files aren't encrypted, but IT teams can't be sure. Hospitals initiate downtime procedures. Electronic health records go offline. Emergency departments revert to paper.

Hour 24 - 72: The Isolation Sets In

T+24 Hours (2:00 AM EST, Wednesday)

One day in: Power operates at 40% capacity. Internet backbone carriers report 60% packet loss. Financial markets remain closed—unable to ensure transaction integrity. Supply chains freeze as logistics systems can't track shipments. Fuel distribution stops—not from shortage, but from payment system failures.

The psychological campaign shifts to despair:

  • "Government has abandoned us"

  • "Military coup underway"

  • "Food supplies exhausted in 48 hours"

Local hoarding intensifies. Community trust fractures. Amateur radio becomes the only reliable communication—exactly as planned. The adversary monitors every transmission.

T+48 Hours

Federal emergency response activates, but coordination is nearly impossible. Secure communications are compromised or nonfunctional. Military networks remain intact but isolated—designed to survive nuclear war, not public infrastructure collapse. State and local authorities operate blind, making decisions on rumors and fragmented information inputs.

International markets panic. Allied nations detect similar intrusions—dormant but ready. The message is clear: intervene in Taiwan, and you're next. NATO's Article 5 becomes deeply questionable when the attack is non-kinetic - simply ones and zeros.

T+72 Hours

Three days later, the immediate attack ends. But recovery hasn't begun. This is the cruelest revelation—the attack was just the setup. The real weapon is the Recovery Gap.

The Recovery Gap: Why Restoration Is Harder Than Destruction

Picture a zipper on a jacket. Unzipping takes seconds—one swift motion. Re-zipping after the teeth are bent? That's the Recovery Gap.

[Illustration: Sequential Dependencies]

The Psychological Battlefield: When Perception Becomes Reality

China's information operations doctrine treats human cognition as critical infrastructure—and it's the least protected.

The Weaponization of Uncertainty

Modern psychological operations don't need to convince—they need only to confuse. When citizens can't distinguish truth from fiction, social cohesion collapses.

The PLA's Three Warfares doctrine (officially adopted in 2003):

  • Public Opinion Warfare

  • Psychological Warfare

  • Legal Warfare

Executing through cyber means:

Amplification Cascades: One fake incident triggers real responses. False reports of bank failures cause actual bank runs. Fake chemical spills trigger real evacuations. The simulation becomes reality.

Targeted Fragmentation: AI-driven operations deliver different narratives to different communities:

  • Rural areas: "Cities are hoarding resources"

  • Urban areas: "Rural militias forming"

  • Political segments: "The other party orchestrated this"

Every group receives a customized threat narrative. Division prevents coordinated response.

Deepfake Acceleration: By Hour 12, deepfake videos of leaders announcing martial law, nuclear strikes, or surrender flood social platforms. Technical analysis proving they're fake takes hours—viral spread takes seconds. Even debunked deepfakes leave psychological residue: "But what if...?"

Trusted Voice Compromise: Verified social media accounts of emergency services, government officials, and news organizations—compromised months ago—activate to spread false emergency instructions. The verified checkmark becomes a weapon.

Global Ripple Effects: Allies in the Crosshairs

The attack on U.S. infrastructure sends immediate shockwaves globally:

Financial Contagion: Asian markets open as U.S. markets freeze. Algorithmic trading systems, unable to price U.S. asset risk, trigger massive sell-offs. European banks with U.S. exposure face liquidity crises. Cryptocurrency networks—promoted as "safe havens"—suffer coordinated attacks, wiping out billions in perceived value.

Supply Chain Seizure: Pacific shipping routes freeze as ports can't process payments or confirm cargo. Just-in-time manufacturing across Asia and Europe halts within 48 hours. Critical component shortages cascade globally.

Alliance Paralysis: NATO allies detect similar dormant intrusions. The implicit threat: support U.S. response and face your own infrastructure collapse. Alliance decision-making slows to diplomatic channels while infrastructure burns.

Information Vacuum: International media can't verify U.S. sources. Information voids fill with speculation and propaganda. Global perception of U.S. instability becomes self-fulfilling as markets and allies hedge their bets.

Cyber as Domino #1: The Strategic Logic

Why does China prioritize cyber over kinetic attack? Because bytes move faster than bullets, attribution takes longer than impact, and recovery is harder than destruction.

Pre-Kinetic Shaping: In PLA doctrine, cyber effects create the conditions for conventional victory. A Taiwan invasion doesn't start with amphibious assault—it starts with American infrastructure in chaos, unable to generate the political will or logistics capacity for Pacific intervention.

Escalation Ambiguity: Is infrastructure failure an act of war? Where's the smoking gun? By the time attribution is certain, the strategic objective—Taiwan—is achieved. International law struggles with electrons.

Asymmetric Return: The investment is minimal—years of patient access development by operators who never leave Beijing. The impact is total—trillions in economic damage, social trust destroyed, response capacity paralyzed. No weapon system offers comparable return on investment.

Reversibility Theater: Unlike nuclear weapons, cyber attacks can theoretically be "turned off." This fiction provides diplomatic space: "Cease opposition to reunification and infrastructure will be restored." The damage, however, is irreversible—trust, once broken, requires generations to rebuild.

What CIOs and CISOs Must Plan for Now

If you've read this far, you understand: traditional DR/BC planning assumes too much. Your response playbooks assume communications work, staff can reach facilities, and upstream dependencies function. Those assumptions are fatal. Here's what changes today:

Assume Zero: Plan for zero external power, zero telecom, zero internet, zero functioning supply chain. How does your organization operate in true isolation? If the answer is "it doesn't," you're planning for the wrong war.

Establish Out-of-Band Everything: Satellite phones aren't enough—adversaries have those numbers. Ham radio isn't secure—assume monitored. Develop multiple, diverse communication channels. Test them under degraded conditions.

Create Decision Triggers: When communications fail, your team needs pre-authorized actions. If X happens, do Y—no phone call required. Ambiguity in crisis leads to paralysis.

Map Hidden Dependencies: That cloud service your critical system uses? It runs on infrastructure you don't control. The API your application calls? It routes through networks you can't see. Surface every external dependency. Plan for its failure.

Psychological Preparation: Remember, your staff will be citizens in crisis before they're employees. How do you maintain operations when your team is managing family emergencies? Remote work isn't possible when residential power and internet fail.

Micro-Grid Your Operations: Can your critical facilities operate independently? Generator fuel for 72 hours isn't enough—plan for 30 days. Water for cooling systems? Food for essential staff? Medical supplies when hospitals are offline? Your facility becomes a fortress.

Trust Architecture: How do you verify a system is clean after compromise? How do you authenticate communications when channels are compromised? Build trust mechanisms that survive infrastructure failure.

Quick Hits

Hour Zero starts at night: Attacks begin when response is slowest—2 AM allows maximum cascade before detection

It's not destruction, it's corruption: Timestamps, sensor data, and routing tables—small lies that break everything

The grid doesn't fail, it tears itself apart: Safety systems become weapons when relay logic is compromised

Social media stays up on purpose: Panic needs witnesses and amplification—controlled channels remain functional

Deepfakes aren't the story—velocity is: Truth takes effort and hours to verify, lies take seconds to spread

Recovery Gap is the real weapon: Circular dependencies mean weeks to restore what took hours to break

Attribution delay is strategic: By the time you prove it was China, Taiwan is already taken

Your DR plan assumes too much: Power, telecom, mobility, available & cooperative staff—none guaranteed in cascading failure

Infrastructure is now defense infrastructure: Every civilian system is a military target in modern conflict

The Hard Truth

We built our infrastructure for efficiency. They built their strategy for exploitation.

The cascading failure isn't a bug—it's the feature China has been patiently programming for years. Every efficiency we celebrated—just-in-time delivery, cloud consolidation, interdependent systems—becomes a vulnerability when the cascade begins.

Here's what keeps me awake: on this August 7th, 2025 morning, we're watching China rehearse. Every ransomware attack that takes down a critical service, a pipeline, every telecom outage that grounds flights, every software update that crashes global airline systems—they're taking notes. Our failures are now theirs to study.

The 72-hour scenario isn't their only plan—it's their conservative plan. The one that uses existing access, proven techniques, and tested dependencies. The experimental options? Those involve capabilities we haven't seen yet.

But here's the thing about cascades—they can be broken. Not easily, not cheaply, but broken nonetheless. It requires accepting that efficiency must yield to resilience. That redundancy isn't waste. That manual overrides aren't outdated.

You Can't Rebuild Trust with Corrupted Timestamps

The attack ends in 72 hours. The recovery takes months. But the psychological damage—the knowledge that infrastructure is forever vulnerable, that safety systems can become weapons, that truth itself can be manipulated at scale—that stays forever.

They've mapped our dependencies and found us wanting. The question isn't whether the cascade comes, but whether we'll be islands of resilience or links in the chain of failure.

Right now, these services and systems are deeply dependent & linked. Tomorrow, we could each become a breaker in the process.

The time is short, though. How will we collectively prepare and respond to this threat? It’s up to each of us and the organizations we represent.

The DR Team /smb


Next Week: Part V reveals the 90-day, 1-year, and 3-year mobilization playbook—practical steps from immediate triage to long-term resilience. Because knowing the threat without knowing the response is just sophisticated panic.

Ivy’s Back Hat Field Report