US critical infrastructure — Volt Typhoon pre-positioning
Chinese state-sponsored Volt Typhoon silently pre-positioned inside US water, power and communications infrastructure for years, building persistent access for potential future use.
- Target: US critical infrastructure — Volt Typhoon pre-positioning
- Date public: 24 May 2023
- Sector: Energy
- Attack type: Nation State
- Threat actor: Volt Typhoon (Chinese state-sponsored)
- Severity: Critical
- Region: United States — multi-sector critical infrastructure
Most nation-state hackers break into systems to steal information. Volt Typhoon appears to have had a different purpose: getting into the systems that run America's power grids, water systems, ports, and communications networks, and then waiting quietly — not stealing anything, not causing any disruption, just ensuring they could cause disruption later if China needed leverage in a military confrontation over Taiwan. What made them particularly hard to detect is that they avoided using hacker tools that security software recognises. Instead they used ordinary Windows administrative programs that are already present on every computer — the kind of activity that looks like a system administrator doing their job. They also routed their access through hacked home routers and small-business network devices to hide their origin. US officials testified to Congress that the campaign had been running for five years or more. The FBI disrupted one part of the operation in early 2024 by taking control of the botnet the group was using. But the strategic question — whether foreign actors may already be inside the networks that run critical national services — remains unresolved.
What happened
On 24 May 2023, Microsoft published a threat intelligence report identifying a Chinese state-sponsored actor it designated Volt Typhoon — simultaneously, CISA, NSA, the FBI and Five Eyes partner agencies in the UK, Australia, Canada and New Zealand published a joint advisory expanding on the same campaign. The disclosure described a campaign that had been running since at least mid-2021, targeting networks across US critical infrastructure sectors: communications, energy, transportation systems, and water and wastewater. The actor had also been active in Guam, where US military infrastructure supporting Pacific operations is concentrated.
The assessed objective was categorically different from the dominant model of state-sponsored intrusion. Volt Typhoon was not collecting intelligence. The group showed unusual restraint in exfiltrating data — in most intrusions, little or no data was removed. Instead, the tradecraft, the target selection, and the persistence techniques were assessed as consistent with pre-positioning: establishing footholds that could be activated to cause disruption in the event of a crisis in the Taiwan Strait. Director of National Intelligence Avril Haines, FBI Director Christopher Wray, and NSA Director General Paul Nakasone all testified publicly to Congress that Volt Typhoon was pre-positioning in critical infrastructure for potential disruptive operations rather than for espionage.
The group had been active in some target environments for years before discovery. A March 2024 update advisory from CISA revealed that the average dwell time in confirmed compromises was five years. In at least one case, a US organisation’s network had been continuously compromised for five years without detection. In January 2024 the FBI obtained a court order and conducted an operation to disrupt a botnet of compromised small-office/home-office routers that Volt Typhoon was using as proxy infrastructure — removing access points that had been in use for years.
How it worked
Volt Typhoon’s most distinctive characteristic is its deliberate avoidance of custom malware and imported attacker tools. The campaign is the defining case study for what the security industry calls “living off the land” (LOTL): using utilities and capabilities that are already present on the target operating system to carry out attack activities, rather than deploying tools that endpoint security products can detect.
The built-in tools used by Volt Typhoon include standard Windows administration utilities: wmic (Windows Management Instrumentation Command-line), ntdsutil (Active Directory database management), netsh (network configuration), and PowerShell, among others. These are tools that legitimate system administrators use constantly. Activity using them generates no malware signature and, unless the organisation has sophisticated behavioural analytics tuned to detect unusual use of administrative tools, generates no alerts. The group also used built-in credential-dumping techniques and leveraged legitimate remote management capabilities to move laterally.
Initial access was obtained primarily through vulnerabilities in internet-facing networking equipment — routers, VPN appliances, and firewall devices from vendors including Fortinet, Ivanti (formerly Pulse Secure), NETGEAR, and Cisco. These devices sit at the perimeter of networks, are directly accessible from the internet, frequently run outdated firmware, and have access to the internal network once compromised. Exploitation of known vulnerabilities in these devices provided footholds that the group then deepened using LOTL techniques.
To hide the origin of their access, the group routed activity through a botnet of compromised small-office and home-office (SOHO) routers — devices manufactured by Cisco, NETGEAR, Zyxel, and others — that had been compromised through default credentials or unpatched vulnerabilities. Traffic from the Volt Typhoon operators passed through these intermediary devices, appearing to originate from ordinary US IP addresses rather than from China, and bypassing geolocation-based detection controls. The FBI’s January 2024 disruption operation targeted this SOHO botnet specifically.
Timeline
- Mid-2021 or earlier — Volt Typhoon begins systematic targeting of US critical infrastructure networks; initial access via perimeter device vulnerabilities.
- 2021–2023 — Persistent access maintained across multiple sectors; living-off-the-land techniques used to avoid detection; SOHO botnet established and used as proxy infrastructure.
- 24 May 2023 — Microsoft threat intelligence report published simultaneously with Five Eyes joint advisory (AA23-144A) publicly identifying Volt Typhoon and the campaign’s scope and objectives.
- 2023–2024 — Additional victim organisations identified; Congressional hearings; classified briefings to critical-infrastructure operators.
- January 2024 — FBI conducts court-authorised operation disrupting Volt Typhoon’s SOHO router botnet, removing proxy infrastructure.
- March 2024 — CISA update advisory (AA24-038A) discloses that average dwell time in confirmed compromises is five years.
- Ongoing — US government continues incident response support and infrastructure hardening engagement with affected sectors; threat not assessed as fully remediated.
What defenders should learn
Volt Typhoon’s LOTL approach is a fundamental challenge to the dominant endpoint-security model. Most security products are built to detect known malicious tools and signatures. An attacker who operates exclusively through built-in system utilities produces no signature for these products to match. The defensive response requires a different detection paradigm: behavioural analytics that establish a baseline of normal administrative activity and alert on deviations — unusual use of wmic, ntdsutil, or netsh by accounts that don’t normally use them; administrative tool execution at unusual hours; lateral movement via legitimate remote management protocols to hosts that don’t normally communicate. This kind of detection is harder to build and tune than signature matching, but it is the necessary response to a threat that is specifically designed to evade signatures.
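As an added illustration of that baseline-and-deviation approach (example code written for this page, not from the advisories or any product), the following hunt flags executions of the named administrative tools that break an account's established baseline: a tool the account has not used before, a host it has not touched before, or an execution outside business hours. The event shape, account names, hosts and the 07:00-19:59 window are constructed assumptions.

```python
# Added example: baseline-and-deviation hunt over process-creation events.
# Event tuples are constructed and loosely modelled on the fields of Windows
# Security event 4688 (time, account, host, process); nothing here is real data.
from collections import defaultdict
from datetime import datetime

# Built-in tools the advisory names in Volt Typhoon's living-off-the-land toolkit.
LOTL_TOOLS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local; an assumed site policy

# Constructed sample events: (ISO timestamp, account, host, process name).
EVENTS = [
    ("2024-03-04T09:12:00", "CORP\\admin.jane", "DC01", "ntdsutil.exe"),
    ("2024-03-04T10:30:00", "CORP\\admin.jane", "FS02", "netsh.exe"),
    ("2024-03-05T11:05:00", "CORP\\admin.jane", "DC01", "wmic.exe"),
    ("2024-03-06T14:40:00", "CORP\\svc.backup", "FS02", "powershell.exe"),
    ("2024-03-20T02:17:00", "CORP\\svc.backup", "DC01", "ntdsutil.exe"),
    ("2024-03-21T13:00:00", "CORP\\j.smith", "WS17", "wmic.exe"),
]

def build_baseline(events, cutoff):
    """Per account: which LOTL tools and which hosts were seen before `cutoff`."""
    tools, hosts = defaultdict(set), defaultdict(set)
    for ts, account, host, proc in events:
        if datetime.fromisoformat(ts) < cutoff and proc in LOTL_TOOLS:
            tools[account].add(proc)
            hosts[account].add(host)
    return tools, hosts

def find_deviations(events, cutoff_iso):
    """Return (ts, account, host, proc, reasons) for post-cutoff LOTL use that breaks the baseline."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    tools, hosts = build_baseline(events, cutoff)
    findings = []
    for ts, account, host, proc in events:
        when = datetime.fromisoformat(ts)
        if when < cutoff or proc not in LOTL_TOOLS:
            continue
        reasons = []
        if proc not in tools[account]:
            reasons.append("tool not in account baseline")
        if host not in hosts[account]:
            reasons.append("host not in account baseline")
        if when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append((ts, account, host, proc, reasons))
    return findings
```

The same split (learning window before a cutoff, hunt window after it) is what a periodic threat hunt would run over retained process-creation logs, with the baseline rebuilt from a longer history than the few constructed events here.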
The initial access vector — internet-exposed perimeter devices with unpatched firmware — is a recurring theme across Chinese state-sponsored campaigns and is separately addressed in virtually every CISA advisory. Edge devices deserve the same vulnerability management discipline as endpoint systems, with the added complexity that firmware updates on production network infrastructure require careful change-management procedures. Organisations should maintain an accurate inventory of all internet-facing network devices, track vendor security advisories for those devices, and prioritise patching at the perimeter even when it requires operational windows and maintenance coordination.
The five-year average dwell time is the most sobering finding in the Volt Typhoon disclosure. It implies that detection approaches that would identify an attacker moving actively through a network are insufficient for an adversary that accesses systems periodically, maintains persistence quietly, and does not exfiltrate data at volume. Periodic threat-hunting exercises — structured searches for indicators of compromise that are not driven by alerts — are necessary to surface adversaries whose operational tempo is deliberately designed to stay below alert thresholds.
The broader strategic lesson is that critical-infrastructure network defenders need to account for a pre-positioning threat model that is categorically different from either espionage or financially motivated attack. An actor pre-positioning for future disruption is not trying to monetise access now; the measure of their success is remaining undetected indefinitely, ready to be activated later. The appropriate defensive question for operators of power, water, transport, and communications infrastructure is not “has someone tried to steal our data?” but “is there any access to our systems that shouldn’t be there?” Those are different questions that require different detection approaches.
Controls that would have helped
Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
- Workload-based segmentation so a single intrusion can't spread laterally: A flat workload network is one bad day from a NotPetya. Workload-level policy enforcement — identity-aware, application-aware — is the single biggest blast-radius limit in the catalogue.
- Centralised log collection with bulk-export anomaly alerting: The most common dwell-time signal in the catalogue is a bulk-query or bulk-export pattern that nobody alerted on. Collect the logs, retain them, and alert when they tell you what's happening.
Sources
- CISA / NSA / FBI — PRC State-Sponsored Cyber Actors Living Off the Land (AA23-144A) // primary
- CISA / NSA / FBI — PRC Volt Typhoon Pre-Positioning Update Advisory (March 2024) // primary
- Volt Typhoon — Wikipedia // reporting
- DOJ / FBI — Court-authorised operation disrupts Volt Typhoon botnet (January 2024) // primary
- Microsoft — Volt Typhoon targets US critical infrastructure with living-off-the-land techniques // analysis