In February 2024, a joint advisory from CISA, the FBI, NSA, and their Five Eyes counterparts described something that intelligence professionals had suspected for years but struggled to articulate in a form suitable for public release: a Chinese state-sponsored threat actor had spent years quietly embedding itself inside the operational technology networks of American critical infrastructure, not to steal data, not to cause immediate disruption, but to wait.
Volt Typhoon — also tracked as Bronze Silhouette, Vanguard Panda, and Dev-0391 — is the most clearly documented expression of a Chinese strategic doctrine that treats cyber operations as a form of strategic reserve: capability pre-positioned today to be activated under conditions that may arise years from now.
Understanding Volt Typhoon requires stepping back from the incident-response mindset that dominates most cybersecurity discourse and thinking instead in terms of geopolitical strategy, deterrence theory, and the long-term calculus of great power competition.
Who Volt Typhoon Is
Volt Typhoon is assessed by Western intelligence agencies as a unit operating under the direction of China’s People’s Liberation Army or State Security apparatus — the specific attribution has not been formally published in open source, though the PLA Strategic Support Force’s Network Systems Department (known as PLA Unit 61419 and related units) has been associated with this activity class.
The group has been active since at least 2021, and intelligence assessments suggest precursor activity going back further. Its primary theatre of operation is the critical infrastructure of the United States and its Five Eyes partners — the UK, Australia, Canada, and New Zealand.
What distinguishes Volt Typhoon from most other APT groups is not its technical sophistication, though it is a capable operation. It is its restraint. The group does not steal intellectual property. It does not conduct ransomware operations. It does not publish embarrassing data to influence political narratives. It gets in, establishes persistence, learns the environment, and stays quiet.
The Living-off-the-Land Doctrine
The defining technical characteristic of Volt Typhoon is its near-exclusive reliance on living-off-the-land (LOTL) techniques: using tools, scripts, and capabilities that are already present in the target environment rather than deploying custom malware.
This is a deliberate defensive posture. Custom malware can be detected by endpoint security tools. A Windows Management Instrumentation (WMI) command run by a legitimate-looking account, using legitimate Windows tools, generating legitimate-looking network traffic, is dramatically harder to detect.
In documented Volt Typhoon intrusions, the group used:
- WMIC (Windows Management Instrumentation Command-line) for system enumeration
- Netsh to manipulate firewall rules and set up port proxies
- PowerShell scripts that were obfuscated but used no custom executables
- Ntdsutil for Active Directory database manipulation
- MiniDump techniques against LSASS to harvest credentials
- Living-off-the-land binaries (LOLBins) throughout — native Windows executables that perform legitimate functions but can be abused
The consequence is that standard antivirus and endpoint detection tools generate almost no signals for this activity class. Detecting it requires behavioural analytics, comprehensive command-line logging, and threat hunting by analysts who know what to look for.
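As an added illustration (not code from the advisory or from this article), the following Python hunt shows what "comprehensive command-line logging plus behavioural analytics" means in practice: it matches the native tools listed above in process-creation events and then aggregates hits per account, because each command on its own is plausible administration and the signal is one account chaining several of them across hosts. The host names, account names and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Security 4688 / Sysmon ID 1 style),
# flattened to "timestamp|host|account|command line". Not real telemetry.
SAMPLE_EVENTS = """\
2024-02-07T03:14:02Z|OT-HIST01|svc_backup|netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=8443 connectaddress=192.0.2.10
2024-02-07T03:15:40Z|DC01|svc_backup|ntdsutil "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q
2024-02-07T03:16:05Z|DC01|svc_backup|rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 616 C:\\Windows\\Temp\\l.dmp full
2024-02-07T03:17:11Z|OT-ENG02|svc_backup|wmic path win32_logicaldisk get caption,filesystem,freespace,size
2024-02-07T09:02:30Z|IT-WS14|jsmith|netsh advfirewall show allprofiles
2024-02-07T09:05:12Z|IT-WS14|jsmith|wmic os get caption
"""

# Behavioural rules keyed on the native tools the advisory describes; each is
# also plausible admin activity on its own, so matching alone is not enough.
RULES = [(n, s, re.compile(p, re.I)) for n, s, p in [
    ("netsh portproxy add", "high", r"\bnetsh\b.*\bportproxy\b.*\badd\b"),
    ("ntdsutil IFM export", "high", r"\bntdsutil\b.*\b(ifm|ntds)\b"),
    ("comsvcs MiniDump", "critical", r"\bcomsvcs\b.*\bminidump\b"),
    ("wmic enumeration", "low", r"\bwmic\b.*\bget\b"),
]]
SEVERITY = {"low": 0, "high": 1, "critical": 2}

def parse_events(text):
    """Split the flattened log into event dicts."""
    rows = [ln.split("|", 3) for ln in text.splitlines() if ln.strip()]
    return [dict(zip(("ts", "host", "user", "cmd"), r)) for r in rows]

def match_rules(events):
    """Alerting layer: every (event, rule) pair that matches."""
    return [{**ev, "rule": n, "severity": s}
            for ev in events for n, s, rx in RULES if rx.search(ev["cmd"])]

def account_profiles(hits):
    """Hunting layer: per-account set of rules, hosts and highest severity."""
    prof = defaultdict(lambda: {"rules": set(), "hosts": set(), "max": "low"})
    for h in hits:
        p = prof[h["user"]]
        p["rules"].add(h["rule"])
        p["hosts"].add(h["host"])
        if SEVERITY[h["severity"]] > SEVERITY[p["max"]]:
            p["max"] = h["severity"]
    return dict(prof)

def triage(text, min_rules=2):
    """Accounts that touched at least min_rules distinct rules, most active first."""
    profs = account_profiles(match_rules(parse_events(text)))
    flagged = {u: p for u, p in profs.items() if len(p["rules"]) >= min_rules}
    return sorted(flagged, key=lambda u: -len(flagged[u]["rules"]))
```

On the sample, `triage(SAMPLE_EVENTS)` returns only `svc_backup`, which hit four rules across three hosts in a few minutes, while `jsmith` produces a single low-severity match that a threshold-based alert pipeline would rightly ignore.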
The Entry Points
Volt Typhoon has consistently exploited three categories of entry point:
SOHO router compromise. Small office/home office routers — from vendors including Cisco, NETGEAR, and Fortinet — are used as staging infrastructure. Volt Typhoon compromises these devices and routes its traffic through them, making attribution and detection more difficult. The routers are owned by unsuspecting businesses and individuals whose devices are being used as relay nodes.
Internet-facing operational technology systems. Engineering workstations, SCADA interfaces, historian servers, and remote access points into OT environments that are internet-facing and not adequately protected have been the primary targets for establishing initial footholds in CNI networks.
IT/OT boundary exploitation. In most CNI environments, there are pathways between the IT corporate network and the OT operational network — jump servers, historian connections, data diode implementations that turned out to have management interfaces. Volt Typhoon has demonstrated a systematic ability to cross these boundaries once it has established an IT foothold.
The Targets
Five Eyes advisories have confirmed Volt Typhoon activity in the following critical infrastructure sectors:
Communications. Internet Exchange Points (IXPs) and telecommunications providers, where access could enable traffic manipulation or intelligence collection on a massive scale.
Energy. Electricity generation and distribution operators, including specific confirmed intrusions at US power utilities. Access here represents the ability to cause physical outages.
Water and wastewater. Municipal water systems are typically resource-constrained operations with significant legacy IT/OT infrastructure. Multiple intrusions have been confirmed.
Transportation. Aviation systems and port operations have been identified as targets, representing both strategic value and potential for physical disruption.
IT and managed services. Managed service providers and IT companies whose infrastructure provides access to multiple downstream customers — a force multiplier for an adversary seeking broad positioning.
The pattern across these sectors is consistent: organisations that control physical processes on which Western populations depend.
What Pre-Positioning Means Strategically
The question that this campaign most clearly raises is: pre-positioned for what?
The intelligence community assessment, expressed in formal advisory language that is deliberately careful, is that this activity is “seeking to pre-position itself on IT networks for disruptive or destructive cyberattacks against US critical infrastructure in the event of a major crisis or conflict with the United States.”
In plain terms: China is building the ability to switch off the lights, disrupt water supplies, and interfere with transport and communications in the event of a confrontation — most plausibly a Taiwan Strait crisis — as part of a deterrence and escalation management strategy.
This is not a novel concept. The US and its allies have been developing similar capabilities. What is notable about the Volt Typhoon campaign is its scale, its patience, and the degree to which it has been documented and disclosed.
The strategic logic is coherent: if China believes that the US would intervene militarily in a Taiwan conflict, having credible ability to impose significant domestic disruption on the US mainland creates a deterrent calculation. The cost of intervention — in terms of civilian disruption, infrastructure failure, and political consequences — becomes harder to accept.
The Intelligence Challenge
Volt Typhoon’s living-off-the-land approach creates a fundamental intelligence challenge that goes beyond the technical difficulty of detection.
If an adversary is using only native tools, logging behaviour that looks like legitimate administration, and taking no actions that trigger standard detection rules — how do you know it’s there?
The honest answer is that in many environments, you don’t. And that’s the point.
The indicators of compromise published in Five Eyes advisories are useful for checking whether specific infrastructure associated with known Volt Typhoon operations is present in your environment. But the group’s effectiveness depends on the fact that a cautious, patient operator using LOTL techniques in an environment with incomplete logging and no threat hunting programme can maintain persistent access indefinitely without triggering detection.
The implication for defenders is uncomfortable: the absence of detection is not evidence of the absence of compromise. This is particularly true in OT environments, where logging is often minimal and behavioural baselines have never been established.
Recommendations for CNI Operators
The February 2024 advisory and subsequent guidance from NCSC, CISA, and sector regulators contain detailed technical recommendations. For leaders, the strategic priorities are:
1. Mandate OT logging. If your OT environment is not generating logs that would allow you to reconstruct system activity retrospectively, you cannot detect this class of threat. This is a precondition for everything else.
2. Hunt, don’t just monitor. Passive monitoring with automated alerting will not catch LOTL activity. Scheduled threat hunting exercises, using the IOCs and behavioural indicators published in Five Eyes advisories, are necessary.
3. Validate your IT/OT segmentation. Commission an independent technical assessment of every pathway between your IT and OT environments. Do not accept self-assessment from the teams responsible for those pathways.
4. SOHO router hygiene. If your organisation uses consumer-grade routers anywhere in its infrastructure — at remote sites, in operational buildings, for out-of-band management — these need to be in scope for your security programme.
5. Engage your sector regulator and NCSC. The confidential briefings available through sector engagement programmes contain information that cannot be published in open advisories. If you haven’t requested them, you should.
The Volt Typhoon campaign is not a story with a clear resolution. The access that has been discovered has been partially remediated. Access that has not been discovered remains. New access is likely being established. The appropriate response is not a one-time remediation project — it is a permanent elevation of the security posture in OT environments and a sustained commitment to threat intelligence and hunting.
For organisations that have not yet treated OT security as a board-level priority, the window for getting ahead of this problem is closing. The adversary has been patient. It can afford to be.