Overview
Volt Typhoon, a People’s Republic of China (PRC)-sponsored cyber actor, has maintained persistent access to US and UK critical infrastructure networks since at least mid-2021. Unlike financially motivated threat groups that seek rapid monetization, Volt Typhoon is assessed to be pre-positioning for potential disruptive or destructive cyberattacks timed to coincide with geopolitical crises—particularly any kinetic conflict involving Taiwan.
Joint advisories from CISA, the FBI, NSA, and their UK counterpart, the NCSC, have confirmed successful compromises in water utilities, electric cooperatives, and telecommunications providers. The common thread across all identified intrusions is the actor’s deliberate focus on operational technology environments and persistence mechanisms that survive network redesigns.
Tactics, Techniques, and Procedures
Living-Off-the-Land
Volt Typhoon is distinguished by its near-exclusive use of legitimate system tools—what the intelligence community calls “living-off-the-land” binaries (LOLBins). In OT environments, the group has been observed using:
- netsh for port forwarding from OT subnets back to IT pivot hosts
- wmic for lateral movement and process enumeration on historian and SCADA workstations
- ntdsutil for credential extraction from Active Directory instances shared between IT and OT zones
- PowerShell with AMSI bypass techniques for in-memory payload staging
This approach minimizes the group’s footprint and confounds signature-based detection tools commonly deployed on OT DMZ hosts.
VPN and Edge Device Exploitation
Initial access in documented Volt Typhoon incidents consistently involved exploitation of internet-facing network appliances: Fortinet FortiOS SSL-VPN vulnerabilities, Ivanti Connect Secure flaws, and legacy Cisco ASA configurations with weak authentication. Once inside, the group leveraged the trusted network position of these devices to pivot directly into industrial DMZ segments.
Several water and wastewater system operators confirmed that their remote-access VPNs authenticated directly into process historian networks with no intermediate inspection. The actors exploited this architectural weakness to reach human-machine interface (HMI) systems without traversing any IT security controls.
OT-Specific Enumeration
Post-compromise activity showed deliberate OT reconnaissance: the actors enumerated industrial protocols in use (Modbus, DNP3, IEC 61850), identified vendor-specific engineering workstations by hostname patterns, and catalogued the installed firmware versions of safety controllers and programmable logic controllers (PLCs). This intelligence collection is consistent with the preparation phase of a future sabotage campaign—building the operational picture needed to identify where disruption would have maximum effect.
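The enumeration described above is exactly the traffic a passive, protocol-aware sensor on the OT segment can surface. The following is an added example, not code from the advisory or from any vendor product: a small Modbus/TCP inspector that parses the MBAP header and PDU and flags Read Device Identification queries (function code 0x2B, MEI type 0x0E, per the Modbus application protocol specification) from any host that is not on an allowlist of engineering workstations. The IP addresses, the allowlist and the sample frames are constructed assumptions; the function codes are from the public Modbus specification.

```python
# Added example, not from the advisory: a passive Modbus/TCP inspector that
# flags device-identification queries (function code 0x2B, MEI type 0x0E)
# coming from hosts that are not on the engineering-workstation allowlist.
# IP addresses, the allowlist and the sample frames are constructed assumptions.
import struct

# Assumption: the only hosts permitted to query device identity on this segment.
ALLOWED_ENUMERATORS = {"10.10.50.21"}

# Function codes from the Modbus application protocol specification.
FC_ENCAP_IFACE = 0x2B        # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E    # MEI type: Read Device Identification


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame; used here only to construct sample input."""
    # MBAP header: transaction id, protocol id (0), length (unit id + PDU), unit id.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header and the PDU that follows it."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = payload[7:]
    return {"tid": tid, "unit": unit, "fc": pdu[0], "data": pdu[1:]}


def classify(src_ip: str, dst_ip: str, payload: bytes) -> dict:
    """Label one frame and decide whether it warrants an alert."""
    f = parse_modbus_tcp(payload)
    if f["fc"] == FC_ENCAP_IFACE and f["data"][:1] == bytes([MEI_READ_DEVICE_ID]):
        kind = "read-device-id"        # asset enumeration, not process I/O
    elif f["fc"] & 0x80:
        kind = "exception"             # error response from the device
    else:
        kind = "process-io"            # ordinary register/coil traffic
    alert = kind == "read-device-id" and src_ip not in ALLOWED_ENUMERATORS
    return {"src": src_ip, "dst": dst_ip, "unit": f["unit"], "kind": kind, "alert": alert}


def scan(flows) -> list:
    """Run classify() over (src, dst, payload) tuples; malformed frames are surfaced too."""
    results = []
    for src, dst, payload in flows:
        try:
            results.append(classify(src, dst, payload))
        except ValueError as err:
            results.append({"src": src, "dst": dst, "unit": None,
                            "kind": "malformed", "alert": True, "why": str(err)})
    return results


# Constructed sample traffic: an HMI polling registers, an allowed engineering
# workstation reading device identity, an unknown host doing the same, the
# PLC's exception reply, and a frame whose length field is wrong.
READ_DEVICE_ID_PDU = bytes([FC_ENCAP_IFACE, MEI_READ_DEVICE_ID, 0x01, 0x00])
SAMPLE_FLOWS = [
    ("10.10.50.30", "10.10.60.5", build_frame(1, 1, bytes([0x03, 0, 0, 0, 10]))),
    ("10.10.50.21", "10.10.60.5", build_frame(2, 1, READ_DEVICE_ID_PDU)),
    ("10.10.20.77", "10.10.60.5", build_frame(3, 1, READ_DEVICE_ID_PDU)),
    ("10.10.60.5", "10.10.20.77", build_frame(3, 1, bytes([0x83, 0x02]))),
    ("10.10.20.77", "10.10.60.6", b"\x00\x04\x00\x00\x00\x09\x01\x03"),
]

if __name__ == "__main__":
    for r in scan(SAMPLE_FLOWS):
        flag = "ALERT" if r["alert"] else "ok   "
        print(flag, r["src"], "->", r["dst"], r["kind"])
```

The design point is that ordinary process I/O (register reads and writes) is left alone while identity queries are judged by who sent them; malformed frames are also raised rather than silently dropped, since a sensor that discards what it cannot parse loses exactly the traffic worth looking at. In a real deployment the allowlist would come from the asset inventory and the frames from a span port or tap, not from constructed tuples.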
Sector-Specific Findings
Energy
In US electric utilities, Volt Typhoon established persistent access to operational technology systems supporting generation dispatch and substation automation. In several cases, the actors maintained domain administrator credentials on Windows-based energy management systems (EMS) for over 300 days before detection. The UK National Grid and several distribution network operators received private notifications of potential compromise in late 2025.
Water and Wastewater
Water sector intrusions are particularly concerning given the sector’s notoriously weak cyber posture. Volt Typhoon accessed supervisory control systems at multiple US water utilities, where HMIs controlling chemical dosing—chlorine, fluoride, and pH adjustment—were directly reachable from compromised engineer workstations. The actors did not manipulate any process parameters during the observed intrusion windows, consistent with a reconnaissance and pre-positioning objective.
Communications
In the telecommunications sector, the group targeted operational infrastructure supporting industrial customers: private networks serving port authorities, pipelines, and grid operators. Compromising carrier infrastructure gives the actors a secondary channel—they can potentially intercept or disrupt OT communications transported over leased circuits during a crisis.
Detection Guidance
Defenders should focus on:
- Anomalous LOLBin execution on OT-adjacent hosts — netsh, ntdsutil, and wmic are rarely legitimate in process historian or engineering workstation (EWS) contexts; alert on any execution with unusual parent processes or arguments
- Unusual outbound connections from OT DMZ hosts — Volt Typhoon extensively uses protocol tunneling (DNS-over-HTTPS, SMB-over-HTTPS) to blend C2 traffic with legitimate communications
- Unexpected authentication events on OT accounts — privileged account reuse across IT/OT boundaries is a reliable lateral movement indicator
- Engineering workstation file access patterns — access to PLC project files, historian configuration backups, and network topology documents outside normal maintenance windows
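To make the first and third detection items above concrete, here is an added example (not from the advisory): toy detection logic that runs over constructed Windows-style process-creation and logon records, flagging LOLBin execution on OT-tagged hosts when the parent process or arguments look wrong, and flagging authentication events that cross the IT/OT boundary or accounts that authenticate in both zones. Host names, zone tags, account names, the "expected parent" list and the argument fragments are assumptions; the binaries are the ones named in this advisory.

```python
# Added example, not from the advisory: toy detection logic for two of the
# indicators listed above (LOLBin execution on OT-adjacent hosts with unusual
# parents or arguments, and authentication crossing the IT/OT boundary), run
# over constructed Windows-style event records. Host names, zone tags, account
# names and the "expected parent" list are assumptions.
from dataclasses import dataclass

# Assumption: zone tags come from the asset inventory.
HOST_ZONES = {
    "HIST-01": "OT", "EWS-02": "OT", "HMI-03": "OT",
    "CORP-FS01": "IT", "CORP-WS17": "IT",
}

# Binaries the advisory names as rarely legitimate on historian/EWS hosts.
OT_LOLBINS = {"netsh.exe", "wmic.exe", "ntdsutil.exe"}
# Assumption: interactive administrator use during maintenance windows.
EXPECTED_PARENTS = {"cmd.exe", "explorer.exe"}
# Argument fragments tied to the behaviours the advisory describes (port
# forwarding, AD database export, remote process creation), not diagnostics.
SUSPICIOUS_ARGS = ("portproxy", "ifm", "process call create")
# Assumption: privileged accounts pulled from the directory.
PRIVILEGED_ACCOUNTS = {"CORP\\da-jsmith", "OT\\ews-admin"}


@dataclass
class ProcessEvent:
    host: str
    image: str
    parent: str
    cmdline: str


@dataclass
class LogonEvent:
    account: str
    source_host: str
    target_host: str
    logon_type: int   # Windows semantics: 3 = network, 10 = RemoteInteractive


def check_process(ev: ProcessEvent) -> list:
    """Flag LOLBin use on an OT host when the parent or arguments look wrong."""
    if HOST_ZONES.get(ev.host) != "OT" or ev.image.lower() not in OT_LOLBINS:
        return []
    reasons = []
    if ev.parent.lower() not in EXPECTED_PARENTS:
        reasons.append(f"unusual parent {ev.parent}")
    hits = [a for a in SUSPICIOUS_ARGS if a in ev.cmdline.lower()]
    if hits:
        reasons.append("suspicious args " + ",".join(hits))
    return [f"{ev.host}: {ev.image} ({'; '.join(reasons)})"] if reasons else []


def check_logons(events) -> list:
    """Flag zone-crossing logons and accounts that authenticate in both zones."""
    findings, zones_seen = [], {}
    for ev in events:
        src = HOST_ZONES.get(ev.source_host, "UNKNOWN")
        dst = HOST_ZONES.get(ev.target_host, "UNKNOWN")
        if src != dst:
            sev = "HIGH" if ev.account in PRIVILEGED_ACCOUNTS else "MEDIUM"
            findings.append(f"{sev}: {ev.account} {src}->{dst} "
                            f"({ev.source_host} -> {ev.target_host}, type {ev.logon_type})")
        zones_seen.setdefault(ev.account, set()).add(dst)
    for account, zones in zones_seen.items():
        if {"IT", "OT"} <= zones:
            findings.append(f"account {account} authenticated in both IT and OT zones")
    return findings


# Constructed sample events: one benign wmic call, one netsh port-forward
# spawned from a web server process, one ntdsutil export on an HMI, and one
# ntdsutil event on an IT host that is out of scope for this rule.
PROCESS_EVENTS = [
    ProcessEvent("HIST-01", "netsh.exe", "w3wp.exe",
                 "netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.20.1.5"),
    ProcessEvent("EWS-02", "wmic.exe", "cmd.exe", "wmic os get caption"),
    ProcessEvent("CORP-WS17", "ntdsutil.exe", "powershell.exe", "ntdsutil"),
    ProcessEvent("HMI-03", "ntdsutil.exe", "powershell.exe",
                 'ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\x" q q'),
]
LOGON_EVENTS = [
    LogonEvent("CORP\\da-jsmith", "CORP-WS17", "HIST-01", 10),
    LogonEvent("OT\\ews-admin", "EWS-02", "HMI-03", 3),
    LogonEvent("CORP\\da-jsmith", "CORP-WS17", "CORP-FS01", 3),
    LogonEvent("CORP\\svc-backup", "HIST-01", "CORP-FS01", 3),
]


def run_detections() -> dict:
    process = [f for ev in PROCESS_EVENTS for f in check_process(ev)]
    return {"process": process, "logon": check_logons(LOGON_EVENTS)}


if __name__ == "__main__":
    for section, items in run_detections().items():
        print(section.upper())
        for item in items:
            print("  ", item)
```

Two things the toy makes visible: the process rule is deliberately scoped to OT-tagged hosts, so the same binary on a corporate workstation falls to other rules rather than generating noise here, and the logon rule reports both the individual boundary crossing and the account-level pattern (one identity used in both zones), which is the reuse the advisory calls a reliable lateral-movement indicator. In production the zone map, privileged-account list and expected parents would be maintained from the asset inventory and directory rather than hard-coded.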
Recommended Mitigations
- Immediately audit all remote access paths into OT environments; eliminate any VPN or jump-host that provides unauthenticated or single-factor access to process networks
- Implement network monitoring specifically on OT DMZ traffic; deploy passive protocol-aware sensors (Claroty, Dragos, Nozomi) if not already present
- Enforce privileged access workstations (PAWs) for all OT engineering and administration; no internet browsing, email, or general IT use on these systems
- Apply all available patches to internet-facing appliances; treat unpatched VPN devices as compromised and rotate all credentials accessible from them
- Coordinate with CISA’s Hunt and Incident Response (HIRT) team for proactive threat hunting if operating in a sector identified as targeted