Nation-State Actor

Volt Typhoon

China • Active since 2021

Volt Typhoon is a Chinese government hacking group that has been quietly breaking into American power plants, water systems, and other critical infrastructure. They are not stealing data; they are establishing access they could use to disrupt those systems if a conflict with China ever arises. They are extremely stealthy and rely on tools already built into the systems they compromise rather than custom malware, which makes them hard to detect.

Overview

Volt Typhoon is a Chinese state-sponsored threat actor that has been pre-positioning in US critical infrastructure since at least 2021. Unlike typical espionage groups, which collect intelligence, Volt Typhoon focuses on maintaining persistent access that could be used for disruption during a future crisis. It relies almost entirely on living-off-the-land techniques, using built-in administrative tools and valid credentials rather than custom malware, so that its activity blends in with normal administration and evades detection.

Also Known As

BRONZE SILHOUETTE, DEV-0391, Vanguard Panda, INSIDIOUS TAURUS

Target Industries

Critical Infrastructure, Energy, Water, Transportation, Communications, Government

Target Regions

United States, Guam, Pacific Islands

Tactics, Techniques & Procedures

  • Living-off-the-land techniques: built-in system and administrative tools rather than custom malware
  • Exploiting vulnerabilities in internet-facing devices (for example Fortinet and Ivanti appliances) for initial access
  • Routing command-and-control traffic through compromised small office/home office (SOHO) routers so it blends with ordinary traffic
  • Credential harvesting (T1003) and lateral movement with valid accounts (T1078)
  • Long-term persistence without custom malware

Known Tools & Malware

Living-off-the-land binaries (LOLBins) and built-in admin tools; compromised SOHO routers used as proxy infrastructure; FRP (Fast Reverse Proxy) for tunnelling; no custom malware observed

Notable Campaigns

Critical Infrastructure Pre-positioning (2023)

CISA and FBI disclosed ongoing compromise of US critical infrastructure across multiple sectors.

Guam Infrastructure Targeting (2023)

Targeted communications infrastructure in Guam, a strategic military location.

MITRE ATT&CK Techniques

T1059.001 (PowerShell), T1059.003 (Windows Command Shell), T1003 (OS Credential Dumping), T1078 (Valid Accounts), T1218 (System Binary Proxy Execution)

Defense Recommendations

  1. Critical infrastructure operators: assume you may already be compromised and start hunting now
  2. Patch all internet-facing devices (Fortinet, Ivanti, Citrix) promptly
  3. Replace end-of-life SOHO routers and keep supported ones updated so they cannot be recruited into proxy infrastructure
  4. Enable command-line process auditing and PowerShell logging (script block and module logging)
  5. Baseline normal admin tool usage per host and user so anomalous use stands out
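As an added example, not part of the original profile and not any vendor's detection content: the script below applies recommendations 4 and 5 to the behaviours listed under Tactics, Techniques & Procedures. It scans process-creation records (the CommandLine field from Windows Security event 4688 or Sysmon event 1) for living-off-the-land patterns of the kind documented in the public advisories, and separately flags built-in admin tools appearing on a host where they are not in that host's baseline. The event records, hostnames, users and baseline are constructed for the demonstration; the regexes are starting points, not a complete rule set.

```python
import re

# Signature rules: (rule name, ATT&CK technique, regex applied to the command line).
# The patterns are assumptions modelled on publicly documented living-off-the-land
# tradecraft, not a vendor's detection content; tune them to your own estate.
RULES = [
    ("ntdsutil_ifm_dump", "T1003.003",                      # AD database via IFM snapshot
     re.compile(r"ntdsutil(\.exe)?.*\bifm\b", re.I)),
    ("vssadmin_shadow_copy", "T1003.003",                   # shadow copy to read NTDS.dit
     re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("reg_save_hive", "T1003.002",                          # SAM/SECURITY/SYSTEM hive export
     re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)),
    ("netsh_portproxy", "T1090",                            # turning a host into a relay
     re.compile(r"netsh(\.exe)?\s+interface\s+portproxy\s+add", re.I)),
    ("wmic_remote_process_create", "T1047",                 # remote execution over WMI
     re.compile(r"wmic(\.exe)?\s+/node:.*process\s+call\s+create", re.I)),
    ("domain_admins_enum", "T1069.002",                     # privileged group discovery
     re.compile(r"net(\.exe)?\s+group\s+\"?domain admins\"?\s+/domain", re.I)),
]

# Built-in tools whose first appearance on a host deserves a look even with no signature hit.
ADMIN_TOOLS = {"ntdsutil", "vssadmin", "wmic", "netsh", "reg", "net", "net1",
               "powershell", "certutil", "dsquery", "nltest", "psexec"}


def executable_name(cmdline):
    """Lower-case basename of the launched program, without a trailing .exe.

    Handles both bare names ('wmic /node:...') and quoted paths with spaces
    ('"C:\\Program Files\\x\\y.exe" --flag').
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        first = s[1:end] if end > 0 else s[1:]
    else:
        first = s.split()[0] if s else ""
    name = first.replace("/", "\\").split("\\")[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def match_rules(cmdline):
    """Return [(rule name, technique)] for every signature the command line trips."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(cmdline)]


def hunt(events, baseline):
    """Combine signature matching with a per-host admin-tool baseline.

    events:   iterable of dicts with host, user and cmdline keys
    baseline: {host: set of executable names normally seen on that host}
    Returns a list of finding dicts; 'kind' is 'signature' or 'baseline_anomaly'.
    """
    findings = []
    for ev in events:
        common = {"host": ev["host"], "user": ev["user"], "cmdline": ev["cmdline"]}
        for name, tid in match_rules(ev["cmdline"]):
            findings.append({**common, "kind": "signature", "rule": name, "technique": tid})
        exe = executable_name(ev["cmdline"])
        if exe in ADMIN_TOOLS and exe not in baseline.get(ev["host"], set()):
            findings.append({**common, "kind": "baseline_anomaly",
                             "rule": f"unbaselined_{exe}", "technique": None})
    return findings


# Constructed sample data (hypothetical hosts, users and command lines).
BASELINE = {"DC01": {"net", "wmic"}, "WS07": {"powershell"}, "SRV02": {"net", "reg"}}
SAMPLE_EVENTS = [
    {"host": "DC01", "user": r"CORP\svc_backup",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q'},
    {"host": "WS07", "user": r"CORP\jdoe",
     "cmdline": r'cmd.exe /C "netsh interface portproxy add v4tov4 listenport=9999 '
                r'connectaddress=10.1.2.3 connectport=8443"'},
    {"host": "WS07", "user": r"CORP\jdoe",
     "cmdline": r'wmic /node:"SRV02" process call create "cmd.exe /c whoami"'},
    {"host": "SRV02", "user": r"CORP\admin",
     "cmdline": r'net group "Domain Admins" /domain'},
    {"host": "SRV02", "user": r"CORP\admin",
     "cmdline": r'"C:\Program Files\Backup\backup.exe" --full'},
    {"host": "WS07", "user": r"CORP\jdoe",
     "cmdline": r'powershell.exe -NoProfile Get-Process'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, BASELINE):
        print(f"{f['kind']:17} {f['host']:6} {f['rule']:28} {f['cmdline']}")
```

The two checks are deliberately independent: a signature hit on a command line says what was done, while a baseline miss says only that a tool is unusual for that host, which is the kind of weak signal that living-off-the-land tradecraft otherwise slips past. In practice the baseline would be built from weeks of real 4688 or Sysmon data per host and user, and the benign backup job in the sample shows why: an unknown binary is not a finding on its own.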

Related Threat Actors

APT41, Mustang Panda, Hafnium
