blacktemple.net · Cybersecurity News & Analysis · github: defconxt · © 2026

Volt Typhoon

Also known as: Vanguard Panda · BRONZE SILHOUETTE · DEV-0391 · Insidious Taurus · UNC3236

nation-state

Nation: 🇨🇳 China
Active Since: 2021
Targets: Critical Infrastructure · Communications · Energy · Water · Transportation · Government
Known Tools: Living-off-the-Land Binaries (LOLBins) · ntdsutil · netsh · PowerShell · cmd.exe · wmic · certutil · ldifde · makecab · net.exe · nltest · ping
MITRE ATT&CK: T1190 · T1133 · T1059.001 · T1218 · T1003 · T1071.001 · T1090.001 · T1053.005 · T1036 · T1070.001 · T1078
References: MITRE ATT&CK · CISA Advisory AA23-144A · Microsoft Threat Intelligence · CISA Advisory AA24-038A

Background

Volt Typhoon is a People's Republic of China (PRC) state-sponsored cyber actor that has been active since at least mid-2021. The group was publicly disclosed by Microsoft in May 2023 and has since become one of the most closely watched threat actors due to its deliberate targeting of United States critical infrastructure. U.S. intelligence agencies assess that Volt Typhoon operates under the direction of the PRC government, with the strategic objective of pre-positioning within networks that could be disrupted during a geopolitical crisis, particularly one involving Taiwan.

Unlike most Chinese espionage groups that focus on intellectual property theft or intelligence collection, Volt Typhoon's primary mission appears to be establishing and maintaining persistent access to critical infrastructure systems. The group has compromised organizations across the communications, energy, transportation, water and wastewater sectors. FBI Director Christopher Wray testified before Congress in early 2024 that the group's activity represents a "defining threat of our generation," warning that the actors were positioning themselves to cause real-world harm to American citizens.

The group is distinctive in its near-total reliance on living-off-the-land techniques, meaning it uses built-in operating system tools rather than deploying custom malware. This operational approach makes detection exceptionally difficult because the commands executed by the threat actor look identical to normal administrative activity. Volt Typhoon also routes its traffic through compromised SOHO routers and networking equipment, further blending its operations into legitimate network traffic.

Notable Campaigns

U.S. Critical Infrastructure Pre-Positioning (2021-Present): Volt Typhoon has maintained persistent access to networks across multiple U.S. critical infrastructure sectors for years. In February 2024, CISA, NSA, and FBI released a joint advisory confirming that the group had been lurking inside some networks for at least five years without being detected. Compromised organizations spanned communications, energy, transportation systems, and water and wastewater systems.

Guam and Pacific Military Infrastructure (2023): Microsoft's initial disclosure focused on activity targeting critical infrastructure organizations in Guam and elsewhere in the United States. Guam hosts major U.S. military installations including Andersen Air Force Base and Naval Base Guam, both of which would be critical in any Pacific theater conflict. The targeting suggested pre-positioning for potential disruption of military logistics.

KV-Botnet Operations (2022-2024): Volt Typhoon built and operated a botnet dubbed "KV-Botnet" using hundreds of compromised end-of-life SOHO routers, primarily Cisco RV320/325 and Netgear ProSAFE devices. The botnet served as an operational relay network to proxy the group's traffic and obscure the true origin of intrusions. In January 2024, the FBI conducted a court-authorized operation to disrupt the botnet by remotely removing the malware from infected routers.

Telecommunications Sector Intrusions (2023-2024): Multiple U.S. telecommunications and internet service providers were compromised by Volt Typhoon, providing the actors with the ability to intercept communications and gain visibility into network architecture that would be essential during a disruption campaign.

Tactics, Techniques & Procedures

Volt Typhoon gains initial access primarily through exploitation of public-facing appliances, particularly Fortinet FortiGuard devices, Zoho ManageEngine servers, and other internet-facing network equipment. The group also exploits known vulnerabilities in VPN concentrators and web-facing applications to establish a foothold.

Once inside a network, Volt Typhoon exclusively uses living-off-the-land binaries and scripts (LOLBins/LOLScripts). The group relies on built-in Windows tools such as wmic, ntdsutil, netsh, PowerShell, and cmd.exe for reconnaissance, lateral movement, and data collection. For credential harvesting, the actors use ntdsutil to dump Active Directory databases and comsvcs.dll via rundll32 to dump LSASS process memory. All of these are legitimate system administration tools, making behavioral detection the only reliable method.

For persistence, Volt Typhoon favors the use of valid accounts. The group harvests credentials early in the intrusion and uses them to maintain access, avoiding the deployment of web shells or backdoors that could be detected by endpoint security products. When the actors need to schedule tasks, they use Windows Task Scheduler (schtasks) rather than custom persistence mechanisms.

Command and control traffic is routed through compromised SOHO routers and VPN appliances, creating a multi-hop proxy chain that is extremely difficult to trace. The group uses encrypted channels and operates during normal business hours in the victim's time zone to further blend into expected network patterns.

Tools & Malware

Volt Typhoon is notable for what it does not use rather than what it does. The group almost entirely avoids custom malware, instead relying on:

  • ntdsutil -- Used to create installation media from Active Directory domain controllers, extracting the NTDS.dit file containing all domain credentials.
  • netsh -- Configures port forwarding and proxy settings to enable lateral movement and C2 tunneling.
  • PowerShell -- Used selectively for reconnaissance and data collection, often with execution policy bypasses.
  • wmic -- Used for remote process execution and system enumeration across compromised networks.
  • certutil -- Employed for file transfer operations, downloading additional tools or exfiltrating encoded data.
  • ldifde / csvde -- Used to extract Active Directory information including user accounts, group memberships, and organizational structure.
  • makecab / expand -- Used for compressing data prior to exfiltration.
  • Compromised SOHO Router Firmware -- Custom implants deployed on end-of-life routers (Cisco, Netgear, ASUS, DrayTek) to form the KV-Botnet relay infrastructure.

The group's deliberate avoidance of custom tooling is an operational security decision that dramatically increases the difficulty of attribution and detection.

Indicators & Detection

Detecting Volt Typhoon is exceptionally challenging due to the living-off-the-land approach. Organizations should focus on:

Behavioral Analytics: Monitor for anomalous use of legitimate system tools, particularly ntdsutil, netsh portproxy, and wmic commands executed in unusual contexts or by unexpected user accounts. Baseline normal administrative behavior and alert on deviations.

Network Monitoring: Watch for unusual traffic patterns to and from SOHO network equipment, unexpected proxy configurations created via netsh, and encrypted traffic to IP addresses associated with compromised routers. Monitor for DNS queries and HTTP/S connections that deviate from established baselines.

Credential Hygiene: Implement robust monitoring for credential dumping techniques, particularly LSASS memory access and NTDS.dit extraction. Deploy Credential Guard where possible and monitor for the use of harvested credentials from unusual source systems.

Edge Device Security: Maintain an inventory of all internet-facing appliances and ensure they are patched promptly. Replace end-of-life SOHO routers and networking equipment that no longer receives security updates. Monitor edge devices for unexpected configuration changes and firmware modifications.

Log Integrity: Volt Typhoon has been observed clearing Windows Event Logs to cover tracks. Ensure logs are forwarded to a centralized SIEM in real-time and monitor for log clearing events (Event ID 1102). Enable and collect PowerShell Script Block Logging (Event ID 4104) and Module Logging.
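As an added illustration of the behavioral-analytics and log-integrity guidance above, and of the LOLBin usage described under Tactics, Techniques & Procedures, the following Python snippet (not from the original profile, CISA, or Microsoft) evaluates constructed, SIEM-normalised Windows events against rules keyed to the ATT&CK IDs the profile lists, and raises severity when the executing account or the hour deviates from a hypothetical baseline. The event field names, the BASELINE accounts, the business-hours window and the sample command lines are all assumptions.

```python
import re

# Rules for the LOLBin patterns the profile describes, keyed by the ATT&CK IDs it lists.
# Each is a case-insensitive regex over the Event ID 4688 process command line.
RULES = {
    "T1003 NTDS.dit via ntdsutil ifm": re.compile(r"ntdsutil.*\bifm\b.*create", re.I),
    "T1003 LSASS dump via comsvcs.dll": re.compile(r"rundll32.*comsvcs\.dll.*minidump", re.I),
    "T1090.001 netsh portproxy": re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I),
    "T1053.005 schtasks persistence": re.compile(r"schtasks(\.exe)?\s+/create", re.I),
}

# Hypothetical baseline: accounts expected to run each tool, and the victim's business hours.
BASELINE = {"ntdsutil": {"CORP\\admin"}, "schtasks": {"CORP\\admin"}}
BUSINESS_HOURS = range(8, 18)

# Constructed sample events (not real telemetry), flattened the way a SIEM normalises them.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "DC01", "user": "CORP\\svc_backup", "hour": 3,
     "cmd": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q'},
    {"id": 4688, "host": "WS17", "user": "CORP\\jdoe", "hour": 14,
     "cmd": "netsh interface portproxy add v4tov4 listenport=9999 connectport=8443 connectaddress=10.1.1.5"},
    {"id": 4688, "host": "WS17", "user": "CORP\\jdoe", "hour": 14,
     "cmd": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 624 C:\\Windows\\Temp\\l.dmp full"},
    {"id": 4688, "host": "DC01", "user": "CORP\\admin", "hour": 10,  # expected admin, in hours
     "cmd": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q'},
    {"id": 4688, "host": "WS17", "user": "CORP\\jdoe", "hour": 15, "cmd": "ping 10.1.1.5"},
    {"id": 1102, "host": "WS17", "user": "CORP\\jdoe", "hour": 16, "cmd": ""},
]

def evaluate(event):
    """Return (rule_name, severity) for one event, or None if nothing matches."""
    if event["id"] == 1102:  # Security log cleared: T1070.001, always high
        return ("T1070.001 Security log cleared", "high")
    if event["id"] != 4688:
        return None
    for name, pattern in RULES.items():
        if pattern.search(event["cmd"]):
            # Tool name is the first token of the command line, without path or .exe
            tool = event["cmd"].split()[0].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
            expected = event["user"] in BASELINE.get(tool, set())
            in_hours = event["hour"] in BUSINESS_HOURS
            # Deviation from baseline (unexpected account or off-hours) is the strongest
            # signal; a known admin in business hours still alerts, but at lower severity.
            return (name, "medium" if expected and in_hours else "high")
    return None

def triage(events):
    """Run every event through the rules; returns (host, user, rule, severity) tuples."""
    return [(e["host"], e["user"], *hit) for e in events if (hit := evaluate(e))]
```

Calling `triage(SAMPLE_EVENTS)` yields five alerts: the off-hours NTDS.dit extraction by an unexpected service account, the netsh portproxy, the comsvcs.dll dump and the log clear at high severity, and the in-hours admin ntdsutil run at medium.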

Organizations in critical infrastructure sectors should review the detailed detection guidance in CISA Advisory AA24-038A, which provides specific detection signatures, YARA rules, and network indicators.
