
G1017

Volt Typhoon

Aliases: BRONZE SILHOUETTE · Vanguard Panda · Voltzite · DEV-0391 · Insidious Taurus · UNC3236

🔴 Active Campaign
State-sponsored · Capability: High · PRC state-sponsored; assessed PLA / MSS nexus (specific unit not publicly attributed) · China · Rating A1
Cut-off: May 12, 2026 · TLP:AMBER

Diamond Model (node ratings: B2 · A1 · A1 · A1)

  • Adversary (B2): PRC state-sponsored · PLA/MSS nexus · Active ≥2021

  • Infrastructure (A1): KV/JDY botnet · EoL SOHO routers · ORB relays

  • Victim (A1): Comms · Energy · Water · Transport · US/Guam/AUS/allies

  • Capability (A1): Living-off-the-land · Minimal malware · OT tooling

Critical Infrastructure Pre-positioning

Motive & Objectives

Disruption / Pre-positioning · Operational access · OT/ICS reconnaissance · Strategic deterrence signaling

Sector Proximity

  • Global telecommunications: Communications is the #1 confirmed target sector and pivot surface

  • Government / think tanks: DoD comms infra (incl. Guam), gov facilities are core targets

  • Defense technology / high-tech startups: DIB is secondary target set; pre-position focus over IP theft

  • Higher education / research institutions: Research orgs supporting telecom/critical infra are in scope

  • Venture capital / investment: Exposure via portfolio firms in telecom/energy/transport

Capability Assessment

  • Tooling: Moderate
  • Persistence: High
  • Attribution evasion: High
  • Zero-days: Moderate

Malware Lineage

Earthworm (open-source SOCKS proxy) · Fast Reverse Proxy (FRP) · KV Botnet implant · JDY Botnet (post-disruption successor) · ntdsutil (LOLBin tradecraft) · Impacket (open-source)

Key TTPs (MITRE ATT&CK)

Initial Access

  • T1190 · Exploit Public-Facing Application – Fortinet, Ivanti, Cisco edge devices, ManageEngine; mix of N-day and zero-day
  • T1133 · External Remote Services – VPN gateways using compromised credentials

Execution

  • T1059.001 · PowerShell – Encoded commands; minimal scripting footprint
  • T1059.003 · Windows Command Shell – Native cmd.exe LOLBin usage
  • T1047 · Windows Management Instrumentation – wmic, wmiprvse for remote execution

Persistence

  • T1078 · Valid Accounts – Long-term use of stolen domain credentials
  • T1505.003 · Server Software Component: Web Shell – On compromised edge devices

Privilege Escalation

  • T1078 · Valid Accounts – Reuse of high-privilege stolen credentials

Defense Evasion

  • T1070 · Indicator Removal – wevtutil clear-log; log tampering
  • T1036 · Masquerading – Renamed/relocated system binaries
  • T1027 · Obfuscated Files or Information – Selective; LOLBins reduce need

Credential Access

  • T1003.003 · OS Credential Dumping: NTDS – ntdsutil "ifm" install media technique
  • T1003.001 · OS Credential Dumping: LSASS Memory – Read-only LSASS access where possible
  • T1555 · Credentials from Password Stores – Browsers, credential managers

Discovery

  • T1018 · Remote System Discovery – net group, ping sweeps
  • T1087 · Account Discovery – net user, net group
  • T1082 · System Information Discovery – systeminfo, wmic
  • T1016 · System Network Configuration Discovery – ipconfig, route, arp

Lateral Movement

  • T1021.001 · Remote Services: Remote Desktop Protocol – Post credential theft
  • T1021.002 · Remote Services: SMB / Windows Admin Shares – net use, admin$

Collection

  • T1005 · Data from Local System – Targeted file collection; selective

Command and Control

  • T1090.003 · Proxy: Multi-hop Proxy – KV / JDY botnet ORB relays
  • T1071.001 · Application Layer Protocol: Web Protocols – HTTPS over ORBs

Exfiltration

  • T1041 · Exfiltration Over C2 Channel – Low-and-slow, minimal payload

Impact

  • T1485 · Data Destruction – Latent capability; not observed in unclassified reporting [Inference]
  • T0831 · Manipulation of Control (ICS) – Potential per 2025 OT pivot [Confidence: MODERATE]

Victimology

  • Telecommunications providers · Primary target set; edge networking and ORB pivot surface

  • Energy (electric, oil & gas) · Long-dwell access in US energy networks confirmed by CISA

  • Water and wastewater systems · Named target set in AA24-038A

  • Transportation systems · Named target set in AA24-038A

  • Government facilities · US continental and Guam-based US military infrastructure

  • Maritime / port infrastructure · Adjacent to transportation; reporting since 2024

Geographic Focus

United States (continental + Guam, primary) · Australia (ASIO-confirmed Nov 2025) · Canada · UK · allied Five Eyes critical infrastructure

Activity Timeline

  1. 2026-04 A1

    CISA AA26-113A: joint advisory on covert networks of compromised devices used by PRC actors including Volt Typhoon

    Source: CISA

  2. 2025-11 A2

    ASIO Director-General publicly attributes Australian critical infrastructure targeting attempts to Volt Typhoon

    Source: ASIO

  3. 2025-09 C2

    US Air Force cyber leader publicly warns Volt Typhoon access could enable Chinese preparation for "total war"

    Source: DefenseScoop

  4. 2025-Q3 B2

    Open-source reporting documents 2025 shift toward direct OT/ICS device interaction and operational/sensor data theft

    Source: Industrial Cyber / Dragos

  5. 2024-Q3 B2

    Researchers document replacement ORB infrastructure (JDY-class) and rebuild within months of takedown

    Source: The Record / Recorded Future News

  6. 2024-03 A1

    CISA / NSA / FBI joint fact sheet for leaders on PRC-sponsored Volt Typhoon activity

    Source: CISA

  7. 2024-02 A1

    CISA AA24-038A confirms 5+ year dwell times in some victim networks

    Source: CISA / NSA / FBI

  8. 2024-01 A1

    FBI disrupts KV Botnet via court-authorized operation

    Source: FBI / DOJ

  9. 2023-05 A1

    Microsoft and Five Eyes joint disclosure (AA23-144A): Living off the Land tradecraft against US critical infrastructure

    Source: Microsoft / CISA / NSA

  10. ~2021 B2

    First Microsoft observation of activity later named Volt Typhoon

    Source: Microsoft Threat Intelligence

Technical Evidence

| Type | Value | First Seen | Last Seen | Confidence |
|---|---|---|---|---|
| CVE | CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus) | 2021-09 | 2023 | HIGH |
| CVE | CVE-2021-27860 (FatPipe WARP/IPVPN/MPVPN) | 2021 | 2023 | HIGH |
| CVE | CVE-2023-27997 (Fortinet FortiOS SSL-VPN) | 2023-06 | 2024 | MODERATE |
| Tool | Earthworm (open-source SOCKS proxy) | 2021 | 2024 | HIGH |
| Tool | Fast Reverse Proxy (FRP) | 2022 | 2025 | HIGH |
| Tool | ntdsutil "install from media" abuse | 2021 | 2025 | HIGH |
| Tool | Impacket (open-source) | 2022 | 2025 | HIGH |
| Technique | netsh portproxy lateral pivot | 2021 | 2025 | HIGH |
| Infrastructure | KV Botnet (EoL Cisco RV320/RV325, NETGEAR ProSAFE, AXIS, Fortinet SOHO devices) | 2022 | 2024-01 | HIGH |
| Infrastructure | JDY Botnet (post-disruption successor ORB network) | 2024 | 2025 | MODERATE |

[Data Gap: specific domain and IP IOCs are voluminous across multiple CISA advisories and update frequently; consult the linked AA23-144A, AA24-038A, and AA26-113A advisories for current technical indicator sets. No high-confidence unique-to-Volt-Typhoon domain IOCs are aggregated here because the group's ORB-based C2 reuses victim-country residential infrastructure with low IOC durability.]

Full Analysis

Executive Summary

Intelligence Cut-off Date: 12-May-2026

Volt Typhoon is a People’s Republic of China state-sponsored cyber actor distinguished not by what it has done but by where it has positioned itself. Since at least 2021 the group has compromised IT networks across US communications, energy, water, and transportation operators, maintaining footholds for as long as five years without conducting espionage in the traditional sense [Source: CISA AA24-038A, Rating: A1]. The strategic logic, assessed by CISA, NSA, and FBI, is pre-positioning for “disruptive or destructive cyberattacks against US critical infrastructure in the event of a major crisis or conflict” — read as a Taiwan-contingency option [Source: CISA AA24-038A, Rating: A1]. Capability is rated HIGH on the basis of confirmed multi-year dwell, near-exclusive living-off-the-land tradecraft, and the demonstrated ability to rebuild operational infrastructure within months of the January 2024 FBI takedown of the KV Botnet [Source: The Record / Recorded Future News, Rating: B2].

Overall Assessment: Active and operationally dangerous. The April 2026 CISA AA26-113A advisory and the 2025 pivot toward direct OT/ICS device interaction indicate the threat is escalating in scope and depth, not contracting [Confidence: HIGH].

Identity and Attribution

The canonical Microsoft name is Volt Typhoon, applied to activity first publicly disclosed in May 2023 but observed by Microsoft since at least mid-2021 [Source: Microsoft Security Blog, Rating: B2]. The group tracks across vendors as BRONZE SILHOUETTE (Secureworks), Vanguard Panda (CrowdStrike), Voltzite (Dragos, used principally for the group’s OT-facing operations), DEV-0391 (Microsoft pre-naming), Insidious Taurus (Palo Alto Unit 42), and UNC3236 (Mandiant) [Source: MITRE ATT&CK G1017, Rating: B1]. MITRE catalogs the group as G1017.

Attribution to the People’s Republic of China is assessed at HIGH confidence by CISA, NSA, FBI, and Five Eyes partners [Source: CISA AA24-038A, Rating: A1]. The specific sponsoring organization has not been publicly named in unclassified reporting; open-source analysis assesses a PLA or MSS nexus consistent with strategic-disruption mission framing [Confidence: MODERATE] [Single-source: IISS analysis, Rating: B2]. Dragos tracks the OT-facing dimension of this activity under the Voltzite designation and assesses it as an adjacent or sub-group operation rather than a distinct actor [Source: Dragos public reporting, Rating: B2].

Motive and Objective

The primary motive is disruption / pre-positioning, not espionage. The group’s observed tradecraft — minimal data exfiltration, long dwell times, persistent access in operationally significant networks — is consistent with establishing pre-attack footholds rather than collecting intelligence [Source: CISA AA24-038A, Rating: A1]. Specific objectives include: (1) establishing persistent footholds in US critical infrastructure IT networks usable for destructive cyberattacks during a Taiwan-related contingency [Confidence: HIGH]; (2) mapping operational and control-system topology to enable pivot from IT to OT [Confidence: HIGH] [Source: Industrial Cyber 2025 reporting, Rating: B2]; (3) maintaining covert ORB infrastructure on end-of-life edge devices to support both Volt Typhoon and other PRC operations [Confidence: HIGH] [Source: CISA AA26-113A, Rating: A1]. The motive set has evolved measurably since 2023: the group has shifted from IT-only reconnaissance toward direct interaction with OT-connected devices and theft of sensor and operational data, indicating preparation for actuation rather than passive observation [Source: Industrial Cyber 2025, Rating: B2].

Victimology

Targeted sectors, in order of confirmed compromise volume, are communications, energy, water and wastewater systems, transportation systems, and government facilities [Source: CISA AA24-038A, Rating: A1]. Geographic focus is primarily the continental United States and Guam, with Guam representing strategically significant DoD communications infrastructure on the western Pacific perimeter [Source: CISA AA24-038A, Rating: A1]. The Australian Security Intelligence Organisation Director-General publicly attributed attempts against Australian critical infrastructure to Volt Typhoon in November 2025 [Source: ASIO public statement, Rating: A2]. Adjacent Five Eyes partner targeting (UK, Canada, New Zealand) is referenced in joint advisories. Sector targeting in 2025 reporting extends into maritime and port infrastructure as an adjunct to transportation [Source: Industrial Cyber, Rating: B2].

Technology stack targeting is the defining tradecraft signature. Volt Typhoon emphasizes end-of-life small office / home office (SOHO) routers — Cisco RV320/RV325, NETGEAR ProSAFE, AXIS, and similar — for ORB substrate, and enterprise edge devices from Fortinet, Ivanti, Cisco, and others for initial access into target enterprises [Source: CISA AA24-038A, Rating: A1]. Inside Windows environments the group targets Active Directory infrastructure, particularly via NTDS extraction. The 2025 shift adds operational technology and ICS-connected devices to the target stack [Source: Industrial Cyber / Dragos, Rating: B2].

Named victims in public reporting include long-term compromises across multiple US energy, water, and communications operators (specific organization names are referenced but not aggregated here per disclosure norms). Researchers assess that an unknown share of compromises remain undetected and may never be found [Source: The Record / Recorded Future News, Rating: B2] [Single-source].

Sector Proximity Assessment:

  • Global telecommunications: Direct — communications is the #1 confirmed target sector and the primary pivot surface for the group’s ORB infrastructure. Any global carrier sits inside the attack graph.
  • Defense technology / high-tech startups: Adjacent — the defense industrial base is a named secondary target set, but the group’s emphasis is pre-positioning in operational networks rather than IP theft from DIB suppliers.
  • Venture capital / investment: Low — no direct targeting of VC firms observed in public reporting. Exposure is indirect, via portfolio companies in telecom, energy, transportation, and water.
  • Government / think tanks: Direct — US government facilities, DoD communications infrastructure (especially Guam), and allied government partner networks are core target sets.
  • Higher education / research institutions: Adjacent — not a primary target set, but research organizations supporting critical infrastructure or DoD-affiliated programs fall within scope, particularly where they share infrastructure with named target sectors.

Capability Assessment

Rating: High [Confidence: HIGH]

Volt Typhoon meets the High threshold on every diagnostic indicator. Dwell time is the dispositive evidence: CISA, NSA, and FBI confirm intrusions in which the actor has maintained access “for at least five years” [Source: CISA AA24-038A, Rating: A1]. Operational security is exceptional — the group’s near-exclusive reliance on living-off-the-land binaries (PowerShell, WMI, ntdsutil, netsh port-proxy, native admin tools) defeats signature-based endpoint detection and produces minimal forensic footprint [Source: CISA AA23-144A, Rating: A1]. Infrastructure discipline is demonstrated by the KV Botnet — a purpose-built ORB network of end-of-life SOHO routers used to obscure operator-to-victim traffic — and by the group’s rapid reconstitution of equivalent infrastructure (JDY-class botnets and similar) within months of the January 2024 FBI takedown [Source: The Record, Rating: B2].

Custom-malware breadth is moderate rather than high — the group’s tradecraft deliberately minimizes malware in favor of native tooling. Zero-day capability is assessed as moderate: the group leverages a mix of confirmed N-day exploitation of edge devices (Fortinet, Ivanti, Cisco, ManageEngine) and reserves zero-days for specific high-value access, though confirmed unique zero-days attributed solely to Volt Typhoon are limited in public reporting [Confidence: MODERATE]. The defining capability is not exotic tooling — it is patience over payload, executed at nation-state scale and discipline.

Modus Operandi

Key Campaigns

  • KV Botnet (2022 – Jan 2024). Purpose-built ORB network of compromised end-of-life SOHO routers (Cisco RV-series, NETGEAR, AXIS, Fortinet) used to relay Volt Typhoon operator traffic to and from victim networks in US critical infrastructure. Disrupted in January 2024 by FBI court-authorized operation [Source: FBI / DOJ press release, Rating: A1].
  • AA23-144A “Living off the Land” disclosure (May 2023). Microsoft and Five Eyes joint disclosure describing Volt Typhoon’s LOTL tradecraft against US critical infrastructure including Guam-based assets [Source: CISA AA23-144A, Rating: A1].
  • AA24-038A “Five-year dwell” (Feb 2024). Joint advisory confirming multi-year persistence in US energy, water, communications, and transportation operators [Source: CISA AA24-038A, Rating: A1].
  • OT pivot (2025). Reporting documents shift toward direct interaction with OT-connected devices and theft of sensor and operational data, tracked by Dragos as Voltzite activity [Source: Industrial Cyber / Dragos, Rating: B2].
  • AA26-113A “Covert networks of compromised devices” (April 2026). CISA-led advisory addressing the post-KV maturation of PRC ORB infrastructure used by Volt Typhoon and adjacent groups [Source: CISA AA26-113A, Rating: A1].


Tools and Malware

The group’s hallmark is sparse use of bespoke malware in favor of native binaries and widely available open-source tooling [Source: CISA AA23-144A, Rating: A1].

  • Earthworm — open-source SOCKS proxy used for internal pivoting.
  • Fast Reverse Proxy (FRP) — open-source reverse-proxy used for tunneling.
  • Impacket — open-source Python suite used for SMB / WMI operations.
  • ntdsutil — native Windows utility abused for AD database extraction via the “install from media” technique.
  • KV Botnet implant — custom firmware-resident implant on compromised SOHO routers, disrupted January 2024.
  • JDY Botnet (and successor classes) — post-disruption replacement ORB networks; tracked under multiple names since 2024 [Source: The Record, Rating: B2].

Infrastructure Patterns

The group’s defining infrastructure feature is the operational relay box (ORB) network built on end-of-life consumer and small-business routers — Cisco RV320/RV325, NETGEAR ProSAFE, AXIS, Fortinet devices — that no longer receive vendor patches [Source: CISA AA26-113A, Rating: A1]. Operator traffic from PRC-origin infrastructure is routed through these ORBs so that connections to victim networks originate from residential or small-business IP space inside the victim’s own country. C2 protocols favor HTTPS over compromised infrastructure rather than dedicated attacker-controlled domains, reducing IOC value for defenders. Post-January-2024 reporting documents the rebuild of equivalent infrastructure within months [Source: The Record, Rating: B2].


Forecast, Implications, and Recommendations

What Next (Forecast)

The most consequential observed trend is deepening OT footholds. The 2025 pivot from IT-only access to direct interaction with ICS-connected devices and operational/sensor data signals movement from staging toward actuation preparation [Confidence: HIGH] [Source: Industrial Cyber, Rating: B2]. Expect further OT/ICS tooling development specific to electric-sector and water-sector control protocols over the next 6–12 months.

Second, ORB substrate diversification is virtually certain. The post-KV reconstitution demonstrates that the group regards ORB infrastructure as a renewable resource; expect parallel networks across multiple EoL device classes and IoT-class endpoints to limit the impact of any single takedown [Confidence: HIGH] [Source: CISA AA26-113A, Rating: A1].

Third, allied expansion will continue. ASIO’s November 2025 attribution confirms operational scope beyond US borders; given Taiwan-contingency planning logic, expect emphasis on Japan, the Philippines, and South Korea as priority follow-on targets [Confidence: MODERATE] [Inference based on geopolitical context].

A condition that would change the forecast: a Taiwan-related military crisis would shift the group’s posture from pre-positioning to actuation, at which point latent destructive capability becomes the operational risk.

So What (Implications)

Telecommunications is target number one. Edge networking, transit infrastructure, and customer-premise routers are the pivot surface for both initial access and ORB substrate. Any organization operating in global telecommunications sits inside this group’s attack graph, whether or not it has been confirmed as a victim [Confidence: HIGH].

Discovery beats detection. Living-off-the-land tradecraft defeats signature-based EDR by design. For organizations in named target sectors, the operating assumption should be that compromise has already happened — the question is finding it. Long-window threat hunting on AD, edge authentication, and admin-tool telemetry is the dominant defensive investment.

Access is the attack. Volt Typhoon has not executed destructive operations in public reporting. The strategic implication is that the group is a fuse, not a bomb — destructive capability is held in reserve as a political/military option. Disruption risk to communications, energy, water, and transportation customers is therefore a function of geopolitical state more than malware activity in any given quarter.

Now What (Recommendations)

  1. Hunt for living-off-the-land behavior at enterprise scale. Baseline normal usage of PowerShell, WMI, ntdsutil, netsh port-proxy, and wevtutil across the environment, then alert on anomalies rather than signatures. The CISA LOTL guidance (supplemental to AA24-038A) is the floor, not the ceiling. Detection logic must accept higher false-positive rates than commodity-malware hunting tolerates.
  2. Inventory and aggressively retire end-of-life edge devices. Any unsupported SOHO router, edge appliance, or perimeter device on a network you depend on is a candidate ORB node. Build a 90-day retirement plan for EoL Cisco, NETGEAR, Fortinet, and Ivanti devices on operationally significant network paths. Where retirement is infeasible, isolate and instrument.
  3. Segment IT from OT and instrument the boundary. Assume the IT side has been or will be compromised. Design the IT/OT boundary so that lateral movement into operational or control-system networks generates high-signal alerts. The 2025 OT pivot makes this the highest-leverage architectural investment.
  4. Plan and resource for 12-to-24-month retrospective threat hunts. Five-year dwell is a confirmed reality, not a worst-case estimate. Retention horizons for AD authentication logs, edge device logs, EDR telemetry, and proxy data must be extended accordingly, and budget must be allocated for periodic deep-retro hunts on a multi-quarter cycle.
  5. Run a Taiwan-contingency degradation tabletop. Stress-test crisis playbooks against simultaneous disruption of communications, energy, and water dependencies. This is not a compliance box-check — it is the scenario the group has spent five years preparing for, and it is the scenario for which their access has been reserved.
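One way to implement the baseline-then-alert hunt in recommendation 1 over process-creation telemetry, as an added example that is not code from this profile or from any cited advisory; the log format, field names, thresholds, rule patterns and sample records are all assumptions:

```python
"""
Hunt over constructed Windows process-creation records for the living-off-the-land
commands this profile lists (ntdsutil IFM export, netsh portproxy pivots, wevtutil
log clearing, encoded PowerShell) and grade each hit against a per-host baseline.
Added example, not code from the profile or from any cited advisory; the log
format, field names, thresholds and sample records are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed telemetry export (not real IOCs): one event per line, tab-separated
# timestamp / host / user / parent process / command line.
SAMPLE_LOG = "\n".join([
    "2026-05-01T02:13:07Z\tDC01\tCORP\\svc-backup\tcmd.exe\tntdsutil.exe ifm \"create full C:\\tmp\\out\" q q",
    "2026-05-01T02:20:41Z\tWS042\tCORP\\jdoe\texplorer.exe\tpowershell.exe -NoP -W Hidden -enc SQBFAFgA",
    "2026-05-01T02:22:10Z\tEDGE01\tCORP\\admin1\tcmd.exe\tnetsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.5.7 connectport=8443",
    "2026-05-01T02:25:55Z\tWS042\tCORP\\jdoe\tcmd.exe\twevtutil cl Security",
    "2026-05-01T02:26:03Z\tWS042\tCORP\\jdoe\tcmd.exe\tipconfig /all",
    "2026-05-01T09:01:12Z\tWS017\tCORP\\asmith\texplorer.exe\tpowershell.exe -Command Get-Date",
])

# Constructed 90-day baseline of (host, program) run counts. ntdsutil runs
# routinely on DC01 (backup jobs); WS042 almost never runs PowerShell and has
# never run wevtutil, so those hits are anomalies for that host.
BASELINE = Counter({
    ("DC01", "ntdsutil"): 12,
    ("EDGE01", "netsh"): 3,
    ("WS042", "powershell"): 1,
    ("WS017", "powershell"): 40,
})
RARE_THRESHOLD = 3  # fewer prior runs than this on a host counts as rare

# (rule, pattern, baseline_may_downgrade), keyed to the ATT&CK techniques in the
# profile. ntdsutil and PowerShell have routine admin uses, so a host that runs
# them often is downgraded to "review"; log clearing and portproxy pivots have
# no routine use and stay "high" regardless of baseline.
RULES = [
    ("T1003.003 ntdsutil IFM media export",
     re.compile(r"\bntdsutil\b.*\bifm\b", re.I), True),
    ("T1090 netsh portproxy pivot",
     re.compile(r"\bnetsh\b.*\bportproxy\s+add\b", re.I), False),
    ("T1070 wevtutil log clearing",
     re.compile(r"\bwevtutil\b.*\s(cl|clear-log)\b", re.I), False),
    ("T1059.001 encoded PowerShell",
     re.compile(r"\bpowershell\b.*\s-(e|ec|enc|encodedcommand)\b", re.I), True),
]


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    command: str
    severity: str  # "high" or "review"


def program_name(command: str) -> str:
    """Normalise the first token of a command line to a bare program name."""
    tokens = command.strip().split()
    if not tokens:
        return ""
    base = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def parse_log(text: str):
    """Yield (ts, host, user, parent, command) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t", 4)
        if len(parts) == 5:
            yield tuple(parts)


def hunt(log_text: str, baseline: Counter = BASELINE,
         rare_threshold: int = RARE_THRESHOLD) -> list:
    """Apply every rule to every event and grade each hit against the baseline."""
    findings = []
    for _ts, host, user, _parent, command in parse_log(log_text):
        for rule, pattern, may_downgrade in RULES:
            if not pattern.search(command):
                continue
            seen = baseline[(host, program_name(command))]
            severity = "review" if may_downgrade and seen >= rare_threshold else "high"
            findings.append(Finding(host, user, rule, command, severity))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.host:7} {f.user:16} {f.rule}: {f.command}")
```

On the sample, the ntdsutil export on DC01 lands in the "review" queue because that host runs it routinely, while the same command on a host with no such history would be graded "high"; this is the higher false-positive tolerance the recommendation describes.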


References

  1. CISA AA26-113A — “Defending Against China-Nexus Covert Networks of Compromised Devices” (April 2026). https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-113a. Rating: A1
  2. CISA AA24-038A — “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure” (February 2024). https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a. Rating: A1
  3. CISA AA23-144A — “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection” (May 2023). https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a. Rating: A1
  4. CISA — Joint Fact Sheet for Leaders on PRC-sponsored Volt Typhoon Cyber Activity (March 2024). https://www.cisa.gov/news-events/alerts/2024/03/19/cisa-and-partners-release-joint-fact-sheet-leaders-prc-sponsored-volt-typhoon-cyber-activity. Rating: A1
  5. Australian Security Intelligence Organisation — public statements by Director-General Mike Burgess attributing critical infrastructure targeting to Volt Typhoon (November 2025). Rating: A2
  6. MITRE ATT&CK — Volt Typhoon group page G1017. https://attack.mitre.org/groups/G1017/. Rating: B1
  7. Microsoft Threat Intelligence — “Volt Typhoon targets US critical infrastructure with living-off-the-land techniques” (May 2023). https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/. Rating: B2
  8. Dragos — public reporting on Voltzite (the OT-facing dimension of Volt Typhoon activity), 2024–2025. Rating: B2
  9. International Institute for Strategic Studies (IISS) — analysis of Volt Typhoon’s disruptive intent beyond espionage (2025). Rating: B2
  10. Industrial Cyber — reporting on China’s “Typhoon” operations and 2025 OT/ICS pivot. https://industrialcyber.co/reports/chinas-typhoon-cyber-operations-target-us-critical-infrastructure-sectors-in-move-toward-large-scale-disruption/. Rating: B2
  11. The Record / Recorded Future News — “Researchers warn Volt Typhoon still embedded in US utilities and some breaches may never be found.” https://therecord.media/researchers-warn-volt-typhoon-still-active-critical-infrastructure. Rating: B2
  12. DefenseScoop — “Air Force cyber leader warns threats like Volt Typhoon could enable China to wage ‘total war’ against US” (September 2025). https://defensescoop.com/2025/09/23/volt-typhoon-china-us-air-force-cyber-defensive-operations/. Rating: C2
  13. NJCCIC — Volt Typhoon threat analysis. https://www.cyber.nj.gov/threat-landscape/nation-state-threat-analysis-reports/china-linked-cyber-operations-targeting-us-critical-infrastructure/volt-typhoon. Rating: C2
  14. Congressional Research Service — Volt Typhoon (IF12798). https://www.congress.gov/crs_external_products/IF/HTML/IF12798.web.html. Rating: B1

Sources & Confidence

Source: PDB Threat Actor Registry · Profile v1
