nohacky threat-actors: volt-typhoon

threat profile: active
type: Nation-State
threat level: Critical
status: Active
origin: China (PRC state-sponsored)
last updated: 2026-03-13

Volt Typhoon

Also known as: Bronze Silhouette, Vanguard Panda, Insidious Taurus, DEV-0391

A Chinese state-sponsored threat actor that U.S. intelligence agencies assess is pre-positioned inside American critical infrastructure to enable disruptive or destructive cyberattacks in the event of a major crisis or military conflict with the United States. Active since at least mid-2021, Volt Typhoon has compromised organizations across communications, energy, transportation, and water systems — including facilities on the strategically critical island of Guam. The group's defining characteristic is its exclusive reliance on living-off-the-land (LOTL) techniques, using only built-in system tools and valid credentials to maintain access for five or more years without deploying detectable malware. CISA Director Jen Easterly called it "the defining cyber-threat of this era" and warned that what has been discovered so far "is likely the tip of the iceberg."

attributed origin: China (PRC state-sponsored)
sponsor: PRC government / military
first observed: Mid-2021
primary motivation: Pre-positioning for disruption / destruction
primary targets: Communications, Energy, Water, Transportation
dwell time confirmed: 5+ years in victim networks
MITRE ATT&CK group: G1017
target regions: USA (incl. Guam), allied nations
threat level: CRITICAL

Overview

Volt Typhoon is not a conventional espionage operation. U.S. intelligence agencies have assessed with high confidence that the group's purpose is to pre-position on IT networks to enable lateral movement to operational technology (OT) assets and disrupt critical infrastructure functions during a future geopolitical crisis or military conflict between the United States and China. This assessment — publicly stated by CISA, NSA, and FBI in a joint advisory on February 7, 2024 — makes Volt Typhoon one of the clearest modern examples of cyber operations being used to prepare the battlefield before any shots are fired.

Microsoft first publicly identified the group in May 2023, reporting that it had been active since mid-2021 and had targeted organizations in communications, manufacturing, utilities, transportation, construction, maritime, government, IT, and education sectors — with specific focus on Guam, a strategically critical U.S. military hub in the Pacific. Any conflict involving Taiwan or broader regional escalation would make Guam's communications and logistics infrastructure a primary strategic target.

What distinguishes Volt Typhoon from other Chinese APTs is its total commitment to stealth. The group uses no custom malware. Instead, it relies entirely on living-off-the-land techniques — using built-in operating system commands (PowerShell, WMI, netsh, cmd), legitimate administrative tools, and valid compromised credentials to move through victim networks. This approach generates activity that looks identical to normal system administration, making detection extremely difficult without behavioral analytics and anomaly detection. The group even constrains its activity to normal business hours to avoid triggering alerts.

To further obscure its operations, Volt Typhoon built the KV Botnet — a network of hundreds of compromised end-of-life SOHO routers (primarily Cisco and Netgear devices) that served as a covert relay layer to hide the Chinese origin of intrusions. The FBI disrupted this botnet in January 2024 through a court-authorized operation, but by late 2024 the group had already begun rebuilding it, compromising roughly 30% of all internet-exposed Cisco RV320/325 devices within just 37 days.

Critical: Volt Typhoon's target selection and behavior are not consistent with traditional espionage. The U.S. government has stated publicly that the PRC "is positioning itself to launch destructive cyber-attacks that would jeopardize the physical safety of Americans." This assessment reframes Volt Typhoon from a cybersecurity issue to a national security and public safety concern.

Target Profile

Volt Typhoon's targets are selected for their strategic value during a military crisis, not for intelligence collection.

  • Communications: Telecommunications providers and communications infrastructure that would be essential for military coordination, civilian emergency response, and government continuity during a conflict scenario.
  • Energy: Electric utilities and energy-sector companies whose disruption would cascade across other critical infrastructure sectors and civilian populations.
  • Water and wastewater systems: Water treatment and distribution infrastructure whose compromise could threaten public health and safety.
  • Transportation systems: Transportation infrastructure including maritime, aviation, and ground transportation networks that support military logistics and civilian mobility.
  • Guam and Pacific territories: Specific focus on infrastructure in Guam and other U.S. Pacific territories, reflecting the strategic importance of these locations in any Taiwan-related military scenario.
  • Additional sectors: Manufacturing, construction, maritime, government agencies, IT services, and education have all been confirmed as targets, likely as either direct strategic assets or as pivot points into higher-value networks.

Tactics, Techniques & Procedures

MITRE ID / Technique / Description

  • T1190, Exploit Public-Facing Application: Gains initial access by exploiting known vulnerabilities in internet-facing network appliances including Fortinet FortiGuard, Zoho ManageEngine, and other perimeter devices. Targets devices that organizations have failed to patch.
  • T1078, Valid Accounts: Core persistence mechanism. Uses compromised legitimate credentials to maintain access, often constraining activity to normal business hours to blend with legitimate administrator behavior.
  • T1059.001, PowerShell: Uses PowerShell for discovery, lateral movement, and data collection. Commands are designed to look identical to routine administrative activity.
  • T1047, Windows Management Instrumentation: WMI commands used for remote execution and system enumeration across victim networks, another standard LOTL technique that blends with normal operations.
  • T1018, Remote System Discovery: Extensive pre-compromise and post-compromise reconnaissance to map network architecture, identify security measures, catalog user behaviors, and identify key IT staff. Intelligence used to tailor subsequent operations.
  • T1090, Proxy (KV Botnet): Routes all operational traffic through the KV Botnet, hundreds of compromised end-of-life SOHO routers acting as a covert relay network to obscure the Chinese origin of intrusions.
  • T1136, Create Account: Creates accounts on compromised systems for persistent access. Accounts are used sparingly and credentials rotated to avoid detection through standard monitoring.
  • T1570, Lateral Tool Transfer: Positions for lateral movement from IT networks to OT assets that control physical infrastructure. The stated goal is enabling disruption of operational technology functions during a crisis.

Known Campaigns

U.S. Critical Infrastructure Pre-Positioning (2021 – present)

Ongoing campaign to establish and maintain persistent access inside U.S. critical infrastructure across communications, energy, transportation, and water sectors. CISA confirmed five+ years of dwell time in victim environments. Behavior assessed as pre-positioning for disruptive or destructive attacks during a future geopolitical crisis, not traditional espionage. February 2024 joint advisory from CISA, NSA, FBI, and Five Eyes partners.

KV Botnet Operations (2022 – present)

Built and operated the KV Botnet using hundreds of compromised end-of-life Cisco and Netgear SOHO routers as a covert relay network. FBI disrupted the botnet in January 2024 through a court-authorized remote operation. By late 2024, Volt Typhoon had already begun rebuilding, compromising 30% of internet-exposed Cisco RV320/325 devices in 37 days. Used a compromised VPN device in New Caledonia as a Pacific-region traffic bridge.

Guam and Pacific Territory Targeting (2021 – present)

Specific targeting of communications and infrastructure organizations on Guam and other U.S. Pacific territories. Guam hosts major U.S. military installations including Andersen Air Force Base and Naval Base Guam, making its civilian infrastructure strategically significant in any Taiwan-related conflict scenario.

Tools & Malware

Volt Typhoon's deliberate avoidance of custom malware is itself a defining tactical choice. The group's toolkit consists almost entirely of legitimate system utilities.

  • Living-off-the-land binaries (LOLBins): PowerShell, WMI, cmd.exe, netsh, certutil, and other built-in Windows utilities used for all phases of operations from discovery through lateral movement and data collection. No custom executables deployed on victim systems.
  • KV Botnet malware: The sole known custom malware — deployed on SOHO routers (not on victim infrastructure directly). Infects end-of-life Cisco and Netgear routers to create a covert relay network. Memory-resident only; does not survive router reboots. FBI remotely removed this malware from hundreds of devices in January 2024.
  • Valid credentials: Compromised legitimate credentials used for initial access, persistence, and lateral movement. Credentials used only during normal business hours to blend with legitimate activity.
  • NTDS.dit extraction: Uses ntdsutil.exe to extract Active Directory database for offline credential harvesting — a legitimate Windows tool being used for credential access.
  • Network reconnaissance tools: Standard networking commands (ipconfig, ping, net, systeminfo, tasklist) used to map victim environments. The intelligence gathered is used to tailor subsequent operations to each specific network.

Mitigation & Defense

Detecting Volt Typhoon requires fundamentally different approaches than traditional malware-based threat hunting, because there is no malware to find on victim systems.

  • Behavioral analytics over signature detection: Traditional IOC-based detection will not find Volt Typhoon. Invest in behavioral analytics that baseline normal administrator activity and alert on anomalies — unusual login times, atypical command sequences, and credential use from unexpected systems.
  • Extend logging retention and coverage: Volt Typhoon exploits short log retention periods and gaps in logging of routine administrative activity. CISA recommends enabling application, access, and security logs and storing them in a centralized SIEM with retention sufficient to detect multi-year dwell times.
  • Patch internet-facing appliances: Initial access relies on known vulnerabilities in perimeter devices (Fortinet, Zoho, and others). Maintain aggressive patch cadence on all internet-facing infrastructure.
  • Replace end-of-life SOHO routers: The KV Botnet was built on end-of-life Cisco and Netgear devices that no longer receive security updates. Replace EOL networking equipment and place SOHO routers behind firewalls with remote administration disabled.
  • Implement phishing-resistant MFA: CISA specifically recommends phishing-resistant multi-factor authentication to prevent credential compromise from being leveraged for persistent access.
  • Segment IT from OT networks: Volt Typhoon's goal is lateral movement from IT to OT systems. Strict network segmentation, DMZs, and jump boxes between IT and OT environments are essential to prevent the actor from reaching operational technology that controls physical infrastructure.
  • Plan for end-of-life technology: CISA emphasizes proactive planning for technology beyond the manufacturer's supported lifecycle. EOL devices are both initial access vectors and botnet targets.
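The TTP table above lists the built-in utilities this actor relies on, and the mitigation list calls for behavioral baselining rather than indicator matching. The following is an added example of what that hunt logic looks like when run over process-creation and logon telemetry; it is not code from the joint advisory, from nohacky, or from any vendor. The event records are constructed inline and only loosely follow Sysmon Event ID 1 and Security Event ID 4624 fields; the hostnames, account names, baseline cut-off and the two LOLBin rules (any ad-hoc ntdsutil.exe execution, netsh.exe invoked with the portproxy subcommand) are this example's assumptions. It deliberately keys on credential use from a host an account has never used and on specific tool invocations, because a time-of-day rule alone scores this actor as normal, which the last function demonstrates.

```python
"""Living-off-the-land hunt over constructed Windows telemetry.

Added example for this profile; not the advisory's or any vendor's code.
Field names, hosts, accounts, rules and the baseline cut-off are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed process-creation records (Sysmon Event ID 1 shape, simplified).
PROCESS_EVENTS = [
    {"ts": "2024-02-05T09:12:03", "host": "WS-FIN-07", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2024-02-05T10:41:55", "host": "DC01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": "ntdsutil.exe (arguments elided in this constructed sample)"},
    {"ts": "2024-02-05T11:03:17", "host": "SRV-FILE-02", "user": "CORP\\helpdesk1",
     "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh interface portproxy show all"},
    {"ts": "2024-02-05T14:20:00", "host": "WS-IT-03", "user": "CORP\\itadmin",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Get-Service"},
]

# Constructed logon records: (timestamp, account, source workstation).
# Everything before BASELINE_END is treated as known-good history; in a real
# deployment that history comes from months of retained SIEM data.
BASELINE_END = datetime(2024, 2, 1)
LOGON_EVENTS = [
    ("2024-01-10T08:30:00", "CORP\\itadmin", "WS-IT-03"),
    ("2024-01-18T09:05:00", "CORP\\itadmin", "WS-IT-03"),
    ("2024-01-22T13:40:00", "CORP\\itadmin", "JUMP-01"),
    ("2024-01-15T07:55:00", "CORP\\svc_backup", "SRV-BKP-01"),
    # Post-baseline: an admin from a usual host, then two privileged accounts
    # used during business hours from a finance workstation neither has used.
    ("2024-02-05T09:00:00", "CORP\\itadmin", "JUMP-01"),
    ("2024-02-05T10:15:00", "CORP\\itadmin", "WS-FIN-07"),
    ("2024-02-05T10:40:00", "CORP\\svc_backup", "WS-FIN-07"),
]


def is_ntdsutil(event):
    """Any ntdsutil.exe run is reviewable: AD backups are scheduled jobs, so
    an ad-hoc execution under an interactive account deserves a ticket."""
    return event["image"].lower().endswith("\\ntdsutil.exe")


def is_netsh_portproxy(event):
    """netsh portproxy turns a host into a traffic relay; it has no routine
    administrative use on workstations or file servers."""
    return (event["image"].lower().endswith("\\netsh.exe")
            and "portproxy" in event["cmdline"].lower())


# Rule name -> predicate. Assumed rule set for this example.
LOLBIN_RULES = [("ntdsutil_execution", is_ntdsutil),
                ("netsh_portproxy", is_netsh_portproxy)]


def detect_lolbin_use(events):
    """Return one alert per (event, matching rule) pair."""
    return [{"rule": name, "ts": e["ts"], "host": e["host"],
             "user": e["user"], "cmdline": e["cmdline"]}
            for e in events for name, pred in LOLBIN_RULES if pred(e)]


def build_logon_baseline(events, baseline_end):
    """Map each account to the set of source hosts seen before baseline_end."""
    baseline = defaultdict(set)
    for ts, account, source in events:
        if datetime.fromisoformat(ts) < baseline_end:
            baseline[account].add(source)
    return baseline


def detect_unexpected_sources(events, baseline, baseline_end):
    """Alert when an account authenticates from a host absent from its baseline.
    This is the 'credential use from unexpected systems' signal and does not
    depend on the time of day at which the logon occurs."""
    return [{"rule": "logon_from_unbaselined_host", "ts": ts,
             "account": account, "source": source}
            for ts, account, source in events
            if datetime.fromisoformat(ts) >= baseline_end
            and source not in baseline.get(account, set())]


def share_in_business_hours(events, start=8, end=18):
    """Fraction of process events inside a 08:00-18:00 window. A rule built
    only on this would rate the sample as normal: the actor works these hours."""
    hours = [datetime.fromisoformat(e["ts"]).hour for e in events]
    return sum(start <= h < end for h in hours) / len(hours)


def run_hunt(process_events=PROCESS_EVENTS, logon_events=LOGON_EVENTS,
             baseline_end=BASELINE_END):
    """Run both detections and return the combined alert list."""
    baseline = build_logon_baseline(logon_events, baseline_end)
    return (detect_lolbin_use(process_events)
            + detect_unexpected_sources(logon_events, baseline, baseline_end))


if __name__ == "__main__":
    for alert in run_hunt():
        print(alert)
    print("share of process events in business hours:",
          share_in_business_hours(PROCESS_EVENTS))
```

Run stand-alone it prints four alerts (the ntdsutil and netsh portproxy executions, and two logons from the unbaselined finance workstation) and reports that every process event fell inside business hours, which is why the baseline-of-source-hosts rule rather than a time-of-day rule is carrying the detection. The baseline window is the part that needs the extended log retention the list above recommends: with thirty days of history, most source hosts look new and the rule drowns in noise.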

Analyst Note

Volt Typhoon represents a strategic shift in Chinese cyber operations — from espionage and intelligence collection to battlefield preparation. The group does not need to launch an attack to be strategically significant. Long-term access inside infrastructure creates coercive leverage before a crisis even begins. The fact that CISA Director Easterly testified before Congress that "what we've found to date is likely the tip of the iceberg," that FBI Director Wray called it "the defining cyber-threat of this era," and that the group successfully rebuilt its botnet within months of an FBI takedown all indicate that Volt Typhoon is an ongoing, persistent strategic threat that will not be resolved through individual disruptions. It requires a fundamental shift in how critical infrastructure organizations approach detection, assuming that living-off-the-land adversaries may already be present and hunting accordingly.

Sources & Further Reading

Attribution and references used to build this profile.
