Volt Typhoon
Chinese state-sponsored · Pre-positioning / espionage
Tactics, Techniques & Procedures (TTPs)
- Living off the land (LOTL) — avoids custom malware
- SOHO/edge device compromise (routers, firewalls)
- Operational Relay Box (ORB) networks for traffic obfuscation
- Credential harvesting via built-in OS tools
- OT/ICS network access via IT pivot
- Long-duration, stealthy persistence (months to years)
Known Targets
Analyst Notes
Assessed by CISA, NSA, NCSC, and Five Eyes partners as focused on pre-positioning for potential disruptive attacks on critical national infrastructure (CNI) rather than immediate intelligence collection.
Also Known As
Intelligence Reports
Volt Typhoon Activity Confirmed Across UK Water and Energy OT Networks
NCSC and Five Eyes partners have confirmed Volt Typhoon intrusions into operational technology networks in UK water treatment and regional energy distribution. The group is not causing disruption — it is waiting.
Volt Typhoon: The Long Game in Western Critical Infrastructure
A deep analysis of Volt Typhoon's objectives, methods, and targets — and what the sustained Chinese pre-positioning campaign in Western CNI means for how operators, regulators, and governments need to respond.