Volt Typhoon
Attribution confidence: High. Threat level: Critical.
Also known as: Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, Insidious Taurus
Volt Typhoon is a People's Republic of China (PRC) state-sponsored cyber actor that has been active since at least 2021. CISA, NSA, FBI, and Five Eyes partners have assessed with high confidence that the group seeks to pre-position itself on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. Unlike traditional cyber espionage operations, Volt Typhoon's choice of targets and pattern of behavior are not consistent with intelligence gathering; the group instead focuses on gaining and maintaining persistent access to operational technology (OT) systems. It is characterized by extensive use of living-off-the-land (LOTL) techniques, leveraging native Windows tools and legitimate credentials to blend in with normal system activity. Volt Typhoon conducts extensive pre-compromise reconnaissance to understand target network architecture and operational protocols, then tailors its tactics to each victim environment. The group has demonstrated the capability to maintain access within some victim IT environments for at least five years, with confirmed compromises in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors across the continental United States and its territories, including Guam.
Target Sectors
Target Regions
Attributed to PRC State-sponsored (MSS/PLA) (China). Attribution confidence: High.
Future Outlook
Volt Typhoon represents one of the most significant threats to U.S. critical infrastructure. The group is expected to continue pre-positioning operations, with potential for disruptive or destructive attacks during geopolitical tensions with China.
First observed activity attributed to Volt Typhoon
Joint Five Eyes advisory published on Volt Typhoon activity
DOJ disrupts KV Botnet used by Volt Typhoon
CISA Advisory AA24-038A warns of critical infrastructure pre-positioning