category Threat Actor
published March 2026

Volt Typhoon: Inside China's Silent War on U.S. Infrastructure

They did not steal data. They did not deploy ransomware. They did not demand a single dollar. Instead, Chinese state-sponsored hackers spent years quietly burrowing into the systems that keep American water flowing, electricity running, and pipelines pumping — and according to the latest intelligence, many of those footholds will never be found.

In the world of cybersecurity, the threats that generate the biggest headlines are usually the loudest ones. Ransomware gangs locking down hospitals. Criminal syndicates draining bank accounts. Hacktivists defacing government websites. But the threat that has kept U.S. national security officials up at night for the past three years is one that has been almost entirely silent. It is called Volt Typhoon, and it represents a fundamental shift in how the People's Republic of China approaches cyber conflict — not as espionage, but as preparation for war.

Unlike traditional cyber campaigns that focus on stealing intellectual property or gathering intelligence, Volt Typhoon's operators have been systematically embedding themselves inside the operational networks of American utilities, water systems, energy grids, and transportation hubs. Their objective, according to every major U.S. intelligence and cybersecurity agency, is not to collect information. It is to position China to disrupt or destroy critical services in the event of a military conflict — particularly one involving Taiwan.

This article examines the full scope of the Volt Typhoon campaign: where it came from, how it operates, what the U.S. government has done about it, why it keeps getting worse, and what it means for the cybersecurity posture of every organization that touches critical infrastructure.

Origin and Discovery: How Volt Typhoon Came to Light

Volt Typhoon was first publicly identified by Microsoft's Threat Intelligence team in May 2023, though the group's activity dates back to at least mid-2021. Microsoft reported that a China-based threat actor had been targeting critical infrastructure organizations in Guam and other locations throughout the United States. The sectors affected included communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education.

The significance of Guam cannot be overstated. It is the closest U.S. territory to Taiwan and hosts critical military installations, including Andersen Air Force Base and Naval Base Guam. Any U.S. military response to a Chinese invasion of Taiwan would rely heavily on assets staged there. By targeting infrastructure on and around Guam, Volt Typhoon signaled that its objectives were not economic but strategic.

Following Microsoft's disclosure, a joint advisory from the NSA, CISA, FBI, and the cybersecurity agencies of all Five Eyes nations (the U.S., U.K., Canada, Australia, and New Zealand) confirmed and expanded on these findings. The advisory assessed that Volt Typhoon actors had successfully infiltrated networks across multiple critical infrastructure sectors in the continental United States and its territories. The agencies stated that the group's targeting and behavior were inconsistent with traditional espionage, and instead assessed with high confidence that the operators were pre-positioning for potential disruption of operational technology assets.

Note: Volt Typhoon is tracked under multiple aliases across the threat intelligence community: VANGUARD PANDA (CrowdStrike), BRONZE SILHOUETTE (Secureworks), Insidious Taurus (Unit 42), UNC3236 (Mandiant), VOLTZITE (Dragos), and DEV-0391 / Storm-0391 (Microsoft's earlier designations). The group is believed to be operated by the People's Liberation Army Cyberspace Force.

Living Off the Land: How They Stay Invisible

What makes Volt Typhoon exceptionally dangerous — and exceptionally difficult to detect — is not cutting-edge malware. It is the near-total absence of it. The group's signature tradecraft revolves around a technique known as living off the land (LOTL), which means using legitimate, built-in tools that already exist on victim systems rather than introducing foreign software that could trigger security alerts.

According to the joint Five Eyes advisory published in February 2024, Volt Typhoon's operators use native Windows utilities including wmic, ntdsutil, netsh, and PowerShell to carry out their objectives. They issue commands through the standard command line to collect credentials, discover network architecture, stage data for exfiltration, and maintain persistence. Because these are the same tools that legitimate system administrators use every day, the activity blends seamlessly into normal network traffic.

This approach deliberately evades endpoint detection and response (EDR) solutions, which are designed to flag the introduction of unfamiliar executables. It also minimizes forensic evidence. As the CISA advisory noted, conventional indicators of compromise are generally absent from Volt Typhoon intrusions, making it extraordinarily difficult for network defenders to distinguish malicious behavior from routine administration.

The PRC has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage, and that its plan is to land low blows against civilian infrastructure to try to induce panic. — FBI Director Christopher Wray, Vanderbilt Summit on Modern Conflict, April 2024 (Source: FBI.gov)

The initial access vector typically involves exploiting vulnerabilities in internet-facing devices — particularly small office and home office (SOHO) routers that have reached end of life and no longer receive security patches. Once inside a network, Volt Typhoon operators conduct extensive reconnaissance of the target environment before taking any further action. The CISA advisory described how the group would tailor its techniques to each victim, sometimes abstaining from using compromised credentials outside of normal business hours to avoid triggering anomaly-based detection.

Rather than deploying traditional command-and-control infrastructure, the group routes its traffic through compromised SOHO routers, firewalls, and VPN appliances. This creates a distributed proxy network that obscures the Chinese origin of the traffic and makes attribution significantly harder for investigators.

# Example LOTL commands observed in Volt Typhoon intrusions (per CISA AA24-038A)
wmic process list brief                    # Process enumeration
ntdsutil "ac i ntds" "ifm" "create full"   # Active Directory credential harvesting
netsh interface portproxy add v4tov4       # Traffic redirection via PortProxy
powershell -c "Get-NetIPConfiguration"     # Network discovery

The KV Botnet Takedown — and Why It Was Not Enough

On January 31, 2024, the U.S. Department of Justice announced that the FBI had conducted a court-authorized operation to disrupt a botnet used by Volt Typhoon to conceal its activities. The botnet, known as KV Botnet, consisted of hundreds of compromised SOHO routers — primarily end-of-life Cisco and Netgear devices — that served as relay nodes for the group's intrusion traffic.

FBI Director Christopher Wray testified before the House Select Committee on the Chinese Communist Party on the same day, warning that Chinese state-backed hackers were targeting water treatment plants, electrical grids, and transportation systems. Wray stated that the PRC's hacking program is larger than that of every other major nation combined, and noted that even if all FBI cyber agents focused exclusively on the China threat, they would still be outnumbered at least 50 to one.

Warning: The FBI operation neutralized one layer of Volt Typhoon's infrastructure — the router botnet used for traffic obfuscation. It did not remove the group from the critical infrastructure networks where it had already established persistent access. The underlying footholds inside utilities, water systems, and energy grids remained intact.

Within months of the takedown, security researchers reported that the KV Botnet had been reconstituted. The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) noted in its ongoing threat assessment that despite being dismantled in late 2023, the botnet was revived and was once again being leveraged by Volt Typhoon to continue its campaigns. This demonstrated a fundamental challenge: disrupting infrastructure used by a persistent state actor is not the same as removing the actor from victim networks.

2025: The Shift from IT Networks to Industrial Control Systems

The Dragos 2026 OT/ICS Cybersecurity Year in Review report, published in February 2026, confirmed what many in the industry feared. Throughout 2025, Volt Typhoon's operations evolved beyond traditional IT network infiltration into direct interaction with operational technology (OT) systems — the physical hardware and software that controls industrial processes like power generation, water treatment, and pipeline operations.

Dragos, which tracks the group under the name VOLTZITE, elevated the group to Stage 2 of the ICS Cyber Kill Chain. This designation means the group has moved beyond initial access and reconnaissance into actively manipulating industrial systems. Dragos researchers observed VOLTZITE compromising Sierra Wireless Airlink cellular gateways to access U.S. midstream pipeline operations, then pivoting from those devices to engineering workstations. The group was seen extracting configuration files, alarm data, and investigating the specific conditions that would trigger process shutdowns.

They're still very active, and they're still absolutely mapping out and getting into embedding in U.S. infrastructure, as well as across our allies. — Rob Lee, CEO, Dragos Inc., February 2026 (Source: Recorded Future News)

Perhaps the most alarming finding was the identification of a new support group called SYLVANITE that operates as an initial access broker for Volt Typhoon. According to Dragos, SYLVANITE rapidly weaponizes vulnerabilities — including bugs in Ivanti remote access products and Trimble Cityworks GIS asset management software — to establish footholds in target organizations, then hands that access off to VOLTZITE for deeper penetration into OT environments. SYLVANITE was observed targeting oil and gas, water, power generation, transmission, and manufacturing organizations across North America, Europe, South Korea, Guam, the Philippines, and Saudi Arabia.

When asked by Recorded Future News whether Volt Typhoon could ever be fully removed from all compromised U.S. utilities, Dragos CEO Rob Lee gave a blunt assessment: there are compromised sites in the United States and in NATO countries that investigators will never find. The total number of victims remains unknown, and U.S. officials have acknowledged that any figure given is likely an underestimate.

Lee went further, drawing a stark line between large electricity companies — which currently have the capability to detect and remove Volt Typhoon operators — and smaller public utilities, particularly in the water sector. He stated that many of these organizations will likely never reach the level of cybersecurity sophistication needed to find and eliminate the group's footholds. His conclusion was sobering: the United States may need to accept that a portion of its infrastructure is currently compromised and will remain that way for the foreseeable future, given the current trajectory of the cybersecurity community's capabilities.

Global Expansion: From Guam to Singapore to Australia

Volt Typhoon's operations have not been confined to U.S. soil. In June 2024, Singapore Telecommunications (Singtel), the city-state's largest mobile carrier, detected suspicious data traffic in a core back-end router. The investigation revealed sophisticated malware linked to Volt Typhoon. According to Bloomberg's reporting, investigators assessed that the Singtel breach served as a test run for further attacks against U.S. telecommunications companies. Singtel stated that it detected and eradicated the malware, with no data exfiltration or service disruption.

The breach was notable because it used a web shell, a tool whose use by the group had previously been documented by Lumen Technologies' Black Lotus Labs. In August 2024, those researchers had warned about Volt Typhoon's exploitation of a vulnerability in Versa SD-WAN software (CVE-2024-39717) to deploy custom web shells for credential harvesting. Black Lotus Labs had also observed an unnamed Singaporean entity being compromised as a stepping stone to infiltrate organizations in the United States and India. This pattern of using international telecommunications providers as staging grounds for attacks against Western targets represents a sophisticated supply chain approach to cyber pre-positioning.

In November 2025, Australian Security Intelligence Organisation (ASIO) Director-General Mike Burgess publicly confirmed that hackers linked to the Chinese government and military had attempted to access Australia's critical infrastructure, including telecommunications networks. Burgess specifically named both Salt Typhoon and Volt Typhoon, warning that the same probing that had penetrated U.S. systems was occurring in Australia. This marked one of the first times a senior Five Eyes intelligence official outside the United States publicly identified Volt Typhoon as a direct threat to their own national infrastructure.

Critical: Volt Typhoon is not operating in isolation. Salt Typhoon has compromised U.S. telecom companies including AT&T and Verizon, potentially accessing lawful intercept systems used by law enforcement. Flax Typhoon operated a botnet of hundreds of thousands of IoT devices through a front company called Integrity Technology Group. Together, these campaigns represent a coordinated, multi-vector Chinese cyber strategy targeting the full spectrum of Western communications infrastructure.

China's Response: Denial and Counter-Narrative

The Chinese government has consistently denied any involvement in Volt Typhoon. State media outlet Xinhua News Agency and China's National Computer Virus Emergency Response Center (CVERC) have published reports claiming that Volt Typhoon is itself a disinformation campaign fabricated by U.S. intelligence agencies. CVERC's reports allege that the entire narrative was constructed to justify the renewal of Section 702 of the Foreign Intelligence Surveillance Act and to secure increased cybersecurity budgets.

However, these denials have been undermined by a revealing moment reported by the Wall Street Journal. During a 2024 meeting between senior U.S. and Chinese officials, Chinese representatives made remarks that, while indirect and somewhat ambiguous, were interpreted by the American delegation as a tacit acknowledgment of China's involvement in Volt Typhoon — and a warning to the United States about Taiwan. A former U.S. official familiar with the meeting described the Chinese officials' statements as an implicit admission that the campaign was linked to the Taiwan question.

This dynamic — official denial coupled with private signaling — is consistent with how nation-states have historically managed offensive cyber programs. Public attribution creates diplomatic complications, while ambiguity preserves deterrence value. China benefits from the strategic uncertainty: if the U.S. believes that a military confrontation over Taiwan would be accompanied by disruptive cyberattacks on American civilian infrastructure, that belief itself functions as a form of deterrence.

The Military Dimension: Why This Is Not Just a Cybersecurity Story

U.S. Air Force cyber leaders have been among the most direct voices in articulating what Volt Typhoon means in military terms. At a September 2025 briefing, Air Force officials described a scenario in which Volt Typhoon's persistent access could enable China to wage what amounts to total war against civilian targets while simultaneously engaging military forces in the Pacific. The logic is straightforward: if China can degrade U.S. water systems, energy grids, and transportation networks at the onset of a conflict, the resulting domestic crisis would divert attention and resources away from military mobilization.

Volt Typhoon — persistent access in our critical infrastructure for five years. They haven't done anything with it. Salt Typhoon — persistent access in our telecommunications. They haven't done anything with it. Why? They're probably setting the conditions to execute destructive cyberattacks. — U.S. Air Force cyber official, September 2025 (Source: DefenseScoop)

PLA strategists have openly discussed coordinating missile strikes with cyberattacks as part of offensive military operations. Volt Typhoon represents the infrastructure preparation for exactly this kind of combined arms doctrine. The group is not stealing secrets. It is not conducting espionage in any traditional sense. It is building the capability to turn off the lights in American cities during a conflict that may or may not ever happen — and that latent capability, once established, serves China's strategic interests whether or not it is ever activated.

In March 2025, the U.S. House Committee on Homeland Security took the additional step of requesting that the Department of Homeland Security turn over documents related to the federal government's response to the Volt Typhoon campaign, signaling that Congressional oversight of the threat was intensifying.

What Organizations Should Be Doing Right Now

The February 2024 joint advisory from CISA, NSA, and FBI included a comprehensive set of mitigation recommendations that remain the baseline for any organization connected to critical infrastructure. The challenge is that defending against living-off-the-land techniques requires a fundamentally different approach than defending against traditional malware.

Immediate Priorities

  • Patch internet-facing systems aggressively. Volt Typhoon's initial access frequently exploits known vulnerabilities in edge devices, including routers, VPN appliances, and firewalls. Prioritize patching for products known to be targeted, including Ivanti, Fortinet, and Cisco devices.
  • Replace end-of-life network equipment. The KV Botnet relied almost entirely on SOHO routers that no longer receive security updates. If a device is past its manufacturer's support window, it is a potential relay node for Volt Typhoon.
  • Implement phishing-resistant multi-factor authentication. Credential theft is central to Volt Typhoon's persistence strategy. Hardware security keys or FIDO2-based authentication significantly raise the bar.
  • Enable and centralize logging. Because LOTL techniques use legitimate tools, detection depends on behavioral analysis of log data. Ensure that PowerShell logging, command-line auditing, and Windows event forwarding are configured and that logs are stored in a centralized, write-once repository that attackers cannot modify.

Longer-Term Posture

  • Establish behavioral baselines. You cannot detect anomalous use of netsh or wmic if you do not know what normal use looks like. Invest in network behavior analytics that can flag unusual patterns in legitimate tool usage.
  • Segment IT and OT environments. The Dragos findings demonstrate that Volt Typhoon is crossing from IT networks into operational technology. Air-gapping or strict segmentation between corporate IT and industrial control systems is essential.
  • Conduct tabletop exercises specifically for this scenario. CISA has recommended that critical infrastructure leaders develop and test incident response plans that account for a state-sponsored actor with long-term persistent access. This is not a ransomware scenario — it is a pre-positioning scenario with different timelines and different objectives.
  • Engage with CISA and sector-specific ISACs. The government has published detailed indicators, detection guidance, and hunting playbooks. Organizations that are not actively consuming and operationalizing this intelligence are at a significant disadvantage.
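As an added illustration of the behavioral detection that the logging and baseline recommendations above call for (this is example code written for this briefing, not from CISA or Dragos), the Python below scores constructed Windows process-creation records against the native tools named in the LOTL section, a per-user baseline of normal tool use, and business hours. The record format, baseline contents, scores, threshold, and working hours are all assumptions.

```python
"""Flag living-off-the-land (LOTL) activity in process-creation logs.

Constructed example: each record carries the fields a defender gets from
Security event 4688 (with command-line auditing on) or Sysmon event 1.
Scores rise when the tool is one CISA attributes to Volt Typhoon, when the
user/tool pair is absent from a behavioural baseline, and when it runs
outside business hours.
"""
import re
from datetime import datetime

# (rule name, regex on the command line, base score) -- scores are assumed.
LOTL_RULES = [
    ("ntdsutil_ifm_dump", re.compile(r"ntdsutil.*\bifm\b", re.I), 90),
    ("netsh_portproxy", re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I), 80),
    ("wmic_discovery", re.compile(r"\bwmic\b", re.I), 30),
    ("powershell_net_discovery", re.compile(r"powershell.*Get-Net", re.I), 30),
]
BUSINESS_HOURS = range(8, 18)  # assumed: 08:00-17:59 local time, Monday-Friday


def parse_record(line):
    """Parse a constructed 'timestamp|host|user|command line' record."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user.strip(), "cmd": cmd.strip()}


def score_record(rec, baseline):
    """Return (score, reasons); baseline is a set of (user, rule) pairs seen normally."""
    score, reasons = 0, []
    for name, pattern, base in LOTL_RULES:
        if pattern.search(rec["cmd"]):
            score += base
            reasons.append(name)
            if (rec["user"], name) not in baseline:  # tool is new for this account
                score += 20
                reasons.append(f"{name}:new_for_user")
    if reasons:  # only rate timing once a LOTL tool has actually matched
        off_hours = rec["ts"].weekday() >= 5 or rec["ts"].hour not in BUSINESS_HOURS
        if off_hours:
            score += 20
            reasons.append("off_hours")
    return score, reasons


def hunt(lines, baseline, threshold=50):
    """Return (score, user, host, reasons) for records at or above threshold, highest first."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        score, reasons = score_record(rec, baseline)
        if score >= threshold:
            hits.append((score, rec["user"], rec["host"], reasons))
    return sorted(hits, reverse=True)


# Constructed sample telemetry (not real logs); 2025-06-03 is a Tuesday.
SAMPLE_LOG = [
    "2025-06-03T10:12:00|WS-HELPDESK|corp\\admin.jane|wmic process list brief",
    "2025-06-03T23:41:00|DC01|corp\\svc_backup|ntdsutil \"ac i ntds\" \"ifm\" \"create full\"",
    "2025-06-04T02:05:00|FW-JUMP|corp\\admin.jane|netsh interface portproxy add v4tov4",
    "2025-06-04T14:00:00|WS-HELPDESK|corp\\admin.jane|powershell -c \"Get-NetIPConfiguration\"",
    "2025-06-04T09:30:00|WS-42|corp\\bob|notepad.exe C:\\notes.txt",
]
# Constructed baseline: tools admin.jane is known to use during the learning window.
BASELINE = {("corp\\admin.jane", "wmic_discovery"),
            ("corp\\admin.jane", "powershell_net_discovery")}

if __name__ == "__main__":
    for score, user, host, reasons in hunt(SAMPLE_LOG, BASELINE):
        print(f"{score:3d} {user}@{host}: {', '.join(reasons)}")
```

In this sample the baseline suppresses the help-desk admin's routine wmic and PowerShell discovery, while the overnight ntdsutil IFM dump on the domain controller and the portproxy addition on the jump host both surface.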

Key Takeaways

  1. Volt Typhoon is not espionage — it is pre-positioning for conflict. Every major U.S. intelligence agency has assessed that the group's objective is to prepare for disruptive or destructive attacks on American civilian infrastructure in the event of a military crisis with China, particularly over Taiwan.
  2. The threat is still active and growing. Despite the FBI's 2024 botnet takedown and sustained public attention, Dragos confirmed in February 2026 that the group remained embedded in U.S. utilities throughout 2025 and has expanded its operations into OT environments, with a newly identified support group (SYLVANITE) feeding it access to critical targets.
  3. Living off the land makes this uniquely hard to detect. Traditional signature-based defenses are largely ineffective. Detection requires behavioral analytics, comprehensive logging, and proactive threat hunting — capabilities that many smaller utilities and infrastructure operators lack.
  4. This is a global campaign, not a U.S.-only problem. The Singtel breach in Singapore, ASIO's warnings in Australia, and SYLVANITE activity across Europe and Asia-Pacific demonstrate that Volt Typhoon targets the infrastructure of U.S. allies with equal determination.
  5. Many compromises will never be found. Dragos CEO Rob Lee stated plainly that there are Volt Typhoon footholds in U.S. and NATO infrastructure that investigators will never discover. The scale of the problem exceeds current detection and response capacity.

Volt Typhoon represents a turning point in the history of state-sponsored cyber operations. It is not about stealing data or making money. It is about one nation quietly building the ability to paralyze another's critical services at a moment of its choosing. The challenge for defenders is that the tools are legitimate, the techniques are subtle, and the adversary is patient enough to wait years for an activation order that may never come — or that could come tomorrow.

Sources: CISA Advisory AA24-038A | FBI.gov | Recorded Future News | Dragos 2026 OT/ICS Report | DefenseScoop | MITRE ATT&CK G1017 | IISS Cyber Power Matrix | FortiGuard Threat Actor Profile

— end of briefing