Decipher File · Pre-positioning over multiple years through February 2024 advisory
Volt Typhoon (Feb 2024 CISA Advisory): PRC Pre-Positioning in US Critical Infrastructure
CISA, NSA, FBI, and partner agencies in the UK, Australia, Canada, and New Zealand issued joint cybersecurity advisory AA24-038A on February 7, 2024, formally attributing Volt Typhoon to the People's Republic of China and assessing that the actor had pre-positioned inside US critical infrastructure networks for years with the intent to disrupt operational technology during a future crisis. Affected sectors included communications, energy, transportation, and water and wastewater systems. The actor used living-off-the-land techniques to avoid detection. FBI Director Christopher Wray testified to the House Select Committee on the CCP on January 31, 2024 confirming the assessment. The advisory was the most consequential public attribution of PRC state cyber pre-positioning in critical infrastructure to date.
Incident summary
On February 7, 2024 CISA, the NSA, the FBI, and partner cyber agencies in the UK, Australia, Canada, and New Zealand issued joint cybersecurity advisory AA24-038A formally attributing Volt Typhoon to the People's Republic of China and assessing that the actor had pre-positioned inside US critical infrastructure networks for years. The advisory's central assessment was strategic, not tactical: Volt Typhoon's persistent access was not for espionage collection but for disruption of operational technology during a future crisis, specifically including a Taiwan-related contingency. The advisory named affected sectors as communications, energy, transportation, and water and wastewater systems.
FBI Director Christopher Wray testified to the House Select Committee on the Chinese Communist Party on January 31, 2024, one week before the advisory, confirming the assessment publicly. Wray's testimony characterized Volt Typhoon as the largest cyber-enabled threat to US critical infrastructure in the FBI's threat estimate and disclosed that the FBI had conducted a court-authorized disruption of the KV Botnet, an operational relay box (ORB) network of compromised small-office and home-office routers that Volt Typhoon used to obscure its origin. The DOJ press release accompanying the testimony provided technical detail on the disruption operation.
Microsoft Threat Intelligence had initially attributed Volt Typhoon publicly in a May 2023 blog post, then expanded the attribution through subsequent reporting in 2023 and 2024. Mandiant tracked closely related activity as Voltzite. The February 7, 2024 joint advisory consolidated public attribution under the joint US-government taxonomy and produced the first formal multi-government statement of the pre-positioning assessment. The strategic significance of the advisory exceeded its technical content: the US and allied governments publicly stated that PRC state cyber actors were already inside US critical infrastructure with the intent to disrupt that infrastructure during a future crisis.
Attack technique
Per CISA AA24-038A, Volt Typhoon's technique chain is dominated by living-off-the-land binary usage. The actor relies on built-in Windows administrative tools including wmic, ntdsutil, netsh, PowerShell, and the dsquery family rather than custom malware payloads. The operational rationale is detection evasion: living-off-the-land binaries produce normal-looking telemetry that conventional endpoint detection and response platforms struggle to flag as malicious. The advisory's appendix includes specific command-line patterns that Volt Typhoon uses, which defenders can operationalize into detection rules.
Initial access patterns vary by victim sector. Common vectors documented in the advisory include exploitation of unpatched public-facing edge infrastructure including Cisco RV-series small business routers, Fortinet FortiGuard appliances, and other edge appliances common in critical infrastructure environments (T1190). The actor also abuses valid administrative credentials harvested from prior compromises and from credential broker marketplaces (T1078). Persistence is established by creating new accounts, modifying existing account permissions, and establishing scheduled tasks that survive reboots and patch cycles.
The operational relay box (ORB) infrastructure was a distinctive feature of the campaign. Volt Typhoon's KV Botnet was a network of compromised small-office and home-office routers, predominantly Cisco RV320, RV325, and similar end-of-life consumer-grade router models with known unpatched vulnerabilities. The compromised routers served as proxies that obscured the actor's true origin. The FBI's January 2024 court-authorized disruption operation removed the actor's persistent presence from KV Botnet routers without affecting router owner usage. The disruption was a meaningful US-government capability demonstration but did not eliminate Volt Typhoon's other access infrastructure.
Post-compromise, Volt Typhoon's pattern was to establish long-dwell persistence rather than to actively collect intelligence. The actor would gain access, establish stealth persistence, and then largely remain dormant for months or years. This pattern is operationally distinct from typical APT collection activity and is the technical evidence that supports the pre-positioning-for-disruption assessment. Active espionage collection produces ongoing telemetry; pre-positioning does not. The CISA assessment that Volt Typhoon was pre-positioning rather than collecting was based on this dormant-after-access pattern across multiple critical infrastructure victims.
Impact and consequences
The direct technical impact of Volt Typhoon, in terms of disclosed disruption or data theft, has been small relative to the strategic significance of the assessment. The actor has not, per public reporting through 2024 and into 2025, executed disruptive activity against US critical infrastructure. The impact is the pre-positioning itself: the established access that gives the PRC the operational option to disrupt US communications, energy, transportation, and water sector infrastructure during a future crisis without first having to establish access. The option value of pre-positioned access is the strategic asset.
Sector-specific operational consequences have been significant. Water and wastewater utility operators across the US received targeted CISA outreach in 2024 about Volt Typhoon-style threat hunting and segmentation upgrades. Electric sector operators expanded existing North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) requirements with informal post-Volt Typhoon hardening expectations. Transportation operators including major US airlines, freight railroads, and port operators received CISA briefings on threat hunting against Volt Typhoon TTPs. The water sector, which has historically had limited cybersecurity resourcing, received specific EPA and CISA support packages.
Regulatory and policy consequences followed quickly. The Office of the National Cyber Director's National Cybersecurity Strategy implementation plan, updated May 2024, incorporated Volt Typhoon as the reference threat case for critical infrastructure cybersecurity baseline-raising. The CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) implementation rule-making, ongoing at CISA through 2024, used Volt Typhoon as the reference scenario for mandatory critical infrastructure incident reporting requirements. The EPA's water sector cybersecurity rule-making cited Volt Typhoon as the threat case justifying expanded federal requirements.
International coordination expanded materially. The February 7, 2024 advisory was issued jointly with the UK NCSC, the Australian Signals Directorate, the Canadian CCCS, and the New Zealand GCSB. Subsequent Five Eyes Critical Five Critical Infrastructure Cybersecurity coordination work through 2024 produced joint guidance on living-off-the-land detection, joint threat-hunting guidance specific to critical infrastructure sectors, and joint information-sharing channels for sector-specific Volt Typhoon indicators. The coordination scope and depth were unusual for cyber advisories and reflected the perceived strategic significance.
Indicators of Compromise
Specific artifacts defenders should hunt for; cross-reference them against your existing detection rules before acting on them.
- Compromised small-office and home-office routers used as operational relay boxes (ORBs) per the February 7, 2024 CISA advisory
- Living-off-the-land binary usage including wmic, ntdsutil, netsh, and PowerShell with patterns documented in CISA AA24-038A
- Active Directory replication activity from non-administrative hosts consistent with credential harvesting via ntds.dit extraction
- Sustained valid-account authentication patterns from compromised routers and OT segments inside critical infrastructure networks
- Cisco RV320 and RV325 router compromises and Fortinet FortiGuard appliance compromises tied to Volt Typhoon ORB infrastructure
- FBI court-authorized disruption of the KV Botnet in late January 2024, disclosed via DOJ press release on January 31, 2024
Lessons for defenders
Living-off-the-land detection is the realistic defensive control for Volt Typhoon-class adversaries. Conventional signature-based and behavior-based EDR detection struggles to flag wmic, ntdsutil, netsh, and PowerShell usage as malicious because the binaries themselves are legitimate Windows administrative tools. Build detection that fires on the specific command-line patterns documented in CISA AA24-038A's appendix, on the unusual user-context combinations (administrative tools running under unexpected user contexts), and on the temporal patterns (administrative tool usage outside of expected change windows). Microsoft Defender XDR, CrowdStrike Falcon, and SentinelOne all support custom detection rules that can operationalize the AA24-038A indicators.
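As an added illustration of the three detection signals described above (suspicious command-line patterns, an administrative tool running under an unexpected user context, and usage outside a change window), the following Python detector runs over a handful of constructed process-creation events. It is example code written for this page, not code from CISA, the advisory's appendix, or any EDR vendor: the regex patterns are illustrative stand-ins for the appendix's authoritative list, and the event shape, the expected-admin-user set, the change window and the sample events are all assumptions.

```python
"""Added example (not from the page or AA24-038A): living-off-the-land
detection over constructed process-creation events.  Three signals:
command-line patterns, unexpected user context for an admin tool, and
admin-tool usage outside an approved change window.  Event shape, user
lists, change windows and patterns are assumptions."""
import re
from datetime import datetime

# Illustrative command-line patterns (assumed); replace with the advisory
# appendix's list when deploying.
LOLBIN_PATTERNS = {
    "ntdsutil_ifm_dump":  re.compile(r"ntdsutil(\.exe)?.*\bifm\b.*create\s+full", re.I),
    "netsh_portproxy":    re.compile(r"netsh(\.exe)?\s+interface\s+portproxy\s+add", re.I),
    "wmic_remote_exec":   re.compile(r"wmic(\.exe)?.*\bprocess\s+call\s+create\b", re.I),
    "powershell_encoded": re.compile(r"powershell(\.exe)?.*\s-(?:e|enc|encodedcommand)\s", re.I),
}
ADMIN_TOOLS = {"ntdsutil.exe", "netsh.exe", "wmic.exe", "powershell.exe", "dsquery.exe"}
EXPECTED_ADMIN_USERS = {"CORP\\svc-backup", "CORP\\dc-admin"}  # assumed allow-list
CHANGE_WINDOWS = [("02:00", "04:00")]  # assumed nightly window, local time


def in_change_window(ts: datetime) -> bool:
    """True when the timestamp falls inside an approved change window."""
    hhmm = ts.strftime("%H:%M")
    return any(start <= hhmm < end for start, end in CHANGE_WINDOWS)


def score_event(evt: dict) -> dict:
    """Return the detection signals that fire for one process-creation event."""
    cmd = evt["command_line"]
    image = evt["image"].lower().rsplit("\\", 1)[-1]
    ts = datetime.fromisoformat(evt["timestamp"])
    hits = [name for name, rx in LOLBIN_PATTERNS.items() if rx.search(cmd)]
    signals = {"patterns": hits, "unexpected_user": False, "outside_change_window": False}
    if image in ADMIN_TOOLS:
        signals["unexpected_user"] = evt["user"] not in EXPECTED_ADMIN_USERS
        signals["outside_change_window"] = not in_change_window(ts)
    # A known-bad pattern alerts on its own; an admin tool under an unexpected
    # user outside a change window alerts even without a pattern match.
    signals["alert"] = bool(hits) or (signals["unexpected_user"] and signals["outside_change_window"])
    return signals


def triage(events: list) -> list:
    """Run score_event over a batch and return only the alerting events."""
    alerts = []
    for evt in events:
        s = score_event(evt)
        if s["alert"]:
            alerts.append({"host": evt["host"], "user": evt["user"], "signals": s})
    return alerts


# Constructed sample telemetry (Sysmon/4688-style fields), not real logs.
SAMPLE_EVENTS = [
    {"timestamp": "2024-02-07T13:42:10", "host": "dc01", "user": "CORP\\jsmith",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "command_line": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\dump" q q'},
    {"timestamp": "2024-02-08T02:30:00", "host": "dc01", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "command_line": 'ntdsutil.exe snapshot "list all" q q'},
    {"timestamp": "2024-02-09T11:05:33", "host": "ws-114", "user": "CORP\\helpdesk",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=192.0.2.10 connectport=8443"},
    {"timestamp": "2024-02-09T11:06:00", "host": "ws-114", "user": "CORP\\helpdesk",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["host"], a["user"], a["signals"])
```

The second sample event shows why the user-context and time signals matter: the same binary run by the backup service account inside the nightly window stays quiet, while the first event fires on all three signals at once. In a real deployment this logic lives as a scheduled query or custom rule in the EDR platform, with the allow-list and windows sourced from the change-management system rather than hard-coded.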
Critical infrastructure operational technology segmentation is the structural defensive control. Volt Typhoon's pre-positioning targets OT networks where disruption during a future crisis would have strategic impact. OT network segmentation from corporate IT, separate identity tiers for OT versus IT access, and out-of-band administrative access for OT systems are the structural defenses. ICS-CERT, the SANS Industrial Control Systems Library, and the relevant sector-specific cybersecurity frameworks (NERC CIP for electric, AWWA for water, TSA security directives for pipeline) provide the operational baselines.
Edge infrastructure patching cadence is a critical infrastructure cybersecurity issue, not an IT housekeeping issue. Volt Typhoon's initial access in many victims exploited unpatched edge appliances including small business routers and firewall appliances. Patches were available at the time of exploitation; the lag between patch availability and patch deployment was the operational failure. CISA's January 2025 binding operational directive on edge infrastructure patching cadence applies to federal agencies but provides a reference standard for critical infrastructure operators. End-of-life consumer-grade routers should not be in service in critical infrastructure environments. Replace them.
Dormant-actor threat hunting is the realistic detection posture. Volt Typhoon's operational pattern is to establish access and then remain dormant for months or years before any active activity. Conventional detection that fires on active malicious activity will not catch a dormant pre-positioned adversary. Threat hunting that operates on the assumption that the actor is already inside, has established persistence, and is waiting for instructions is the realistic posture. Hunt for the persistence artifacts: scheduled tasks created outside change windows, account creation events with administrative privileges, modifications to authentication infrastructure, and edge appliance configuration changes that lack documented authorization.
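As an added example of the persistence-artifact hunt described above, the following Python script correlates Windows Security events and edge-appliance configuration changes against a change calendar, flagging scheduled tasks created outside change windows, new accounts granted administrative group membership shortly after creation, audit-policy changes outside change windows, and edge configuration changes with no covering change ticket. It is example code written for this page, not code from CISA or any vendor; the Windows event IDs are real, but the normalized event shape, the change records and the sample events are constructed assumptions.

```python
"""Added example (not from the page or AA24-038A): a dormant-actor hunt over
constructed, normalized events.  Persistence artifacts are checked against an
assumed change calendar so that only unauthorized changes surface."""
from datetime import datetime, timedelta

# Assumed change calendar: (host, window start, window end, ticket).
CHANGE_RECORDS = [
    ("dc01", "2024-01-15T02:00:00", "2024-01-15T04:00:00", "CHG-1042"),
    ("fw-edge-01", "2024-01-20T01:00:00", "2024-01-20T03:00:00", "CHG-1051"),
]

# Windows Security event IDs used as persistence signals (real IDs).
TASK_CREATED = 4698          # a scheduled task was created
ACCOUNT_CREATED = 4720       # a user account was created
ADDED_TO_LOCAL_GROUP = 4732  # a member was added to a security-enabled local group
AUDIT_POLICY_CHANGED = 4719  # system audit policy was changed
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
GRANT_WINDOW = timedelta(hours=1)  # assumed: admin grant this soon after creation is suspicious


def authorized_change(host: str, ts: datetime):
    """Return the change ticket covering this host at this time, or None."""
    for h, start, end, ticket in CHANGE_RECORDS:
        if h == host and datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end):
            return ticket
    return None


def hunt(events: list) -> list:
    """Return (host, finding, detail) tuples for unauthorized persistence artifacts."""
    findings = []
    new_accounts = {}  # account name -> creation time, for the create-then-grant correlation
    for e in sorted(events, key=lambda x: x["timestamp"]):
        ts = datetime.fromisoformat(e["timestamp"])
        ticket = authorized_change(e["host"], ts)
        if e["source"] == "winsec":
            eid = e["event_id"]
            if eid == TASK_CREATED and ticket is None:
                findings.append((e["host"], "scheduled task created outside change window", e["detail"]))
            elif eid == ACCOUNT_CREATED:
                new_accounts[e["detail"]] = ts
            elif eid == ADDED_TO_LOCAL_GROUP and e["group"] in PRIVILEGED_GROUPS:
                created = new_accounts.get(e["detail"])
                if created is not None and ts - created <= GRANT_WINDOW:
                    findings.append((e["host"], "new account granted admin group shortly after creation", e["detail"]))
            elif eid == AUDIT_POLICY_CHANGED and ticket is None:
                findings.append((e["host"], "audit policy changed outside change window", e["detail"]))
        elif e["source"] == "edge" and e["action"] == "config-change" and ticket is None:
            findings.append((e["host"], "edge appliance config change without change ticket", e["detail"]))
    return findings


# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    {"source": "winsec", "host": "dc01", "timestamp": "2024-01-15T02:40:00",
     "event_id": 4698, "detail": "\\Microsoft\\Windows\\Backup\\NightlyBackup"},
    {"source": "winsec", "host": "dc01", "timestamp": "2024-02-03T23:12:05",
     "event_id": 4698, "detail": "\\Updater"},
    {"source": "winsec", "host": "dc01", "timestamp": "2024-02-03T23:13:30",
     "event_id": 4720, "detail": "svc-sync"},
    {"source": "winsec", "host": "dc01", "timestamp": "2024-02-03T23:14:02",
     "event_id": 4732, "group": "Administrators", "detail": "svc-sync"},
    {"source": "winsec", "host": "dc01", "timestamp": "2024-02-03T23:20:00",
     "event_id": 4719, "detail": "Logon/Logoff success auditing removed"},
    {"source": "edge", "host": "fw-edge-01", "timestamp": "2024-01-20T01:30:00",
     "action": "config-change", "detail": "policy 17 edited"},
    {"source": "edge", "host": "fw-edge-01", "timestamp": "2024-02-04T04:55:41",
     "action": "config-change", "detail": "administrator account added"},
]

if __name__ == "__main__":
    for host, finding, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}: {finding} ({detail})")
```

The two in-window events (the nightly backup task and the ticketed firewall edit) produce nothing, which is the point of anchoring the hunt on the change calendar: a dormant actor's artifacts look like ordinary administration except that nobody authorized them. Run this kind of query periodically over the full retention period, not just recent days, because the artifacts it looks for may have been planted months earlier.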
Frequently asked questions
What is Volt Typhoon?
Volt Typhoon is the public name for a People's Republic of China state-sponsored cyber actor that has pre-positioned inside US critical infrastructure networks for years with the intent to disrupt operational technology during a future crisis. CISA, NSA, FBI, and Five Eyes partner agencies issued joint cybersecurity advisory AA24-038A on February 7, 2024 formally attributing Volt Typhoon to the PRC and documenting techniques and indicators of compromise. Affected sectors include communications, energy, transportation, and water and wastewater systems.
How is Volt Typhoon different from typical Chinese cyber espionage?
Typical Chinese cyber espionage focuses on intelligence collection: stealing intellectual property, government documents, or commercial data. Volt Typhoon's operational pattern is to establish access and then largely remain dormant, which is technically distinct from active espionage collection. The CISA assessment that Volt Typhoon is pre-positioning for disruption rather than collecting is based on this dormant-after-access pattern. Pre-positioning has strategic option value during a future crisis even without any active disruption today.
What sectors are affected by Volt Typhoon?
Per CISA advisory AA24-038A, named affected sectors include communications, energy, transportation, and water and wastewater systems. Specific operators have not been publicly named in CISA disclosures, but FBI Director Christopher Wray's January 31, 2024 testimony characterized the affected operator count as significant across multiple sectors. The water sector received particular focus in subsequent EPA and CISA outreach because of the sector's historically limited cybersecurity resourcing.
What techniques does Volt Typhoon use?
Volt Typhoon relies on living-off-the-land binary usage including wmic, ntdsutil, netsh, and PowerShell rather than custom malware. The actor exploits unpatched public-facing edge infrastructure including Cisco RV-series small business routers and Fortinet appliances (MITRE T1190), abuses valid administrative credentials (T1078), and uses external remote services (T1133). The actor also operates an operational relay box (ORB) network called the KV Botnet, a network of compromised small-office and home-office routers used to obscure the actor's true origin.
What was the FBI KV Botnet disruption?
In late January 2024 the FBI conducted a court-authorized disruption operation against the KV Botnet, a network of compromised small-office and home-office routers (predominantly end-of-life Cisco RV-series and similar models) that Volt Typhoon used as operational relay boxes to obscure the actor's true origin. The DOJ disclosed the disruption in a January 31, 2024 press release. The operation removed the actor's persistent presence from KV Botnet routers without affecting router owner usage. The disruption did not eliminate Volt Typhoon's other access infrastructure.
How can critical infrastructure operators defend against Volt Typhoon?
Living-off-the-land detection that fires on the specific command-line patterns in CISA AA24-038A's appendix is the realistic technical control. Operational technology segmentation from corporate IT, separate identity tiers for OT access, and out-of-band administrative access for OT systems are the structural defenses. Edge infrastructure patching cadence must be aggressive, and end-of-life consumer-grade routers should not be in service in critical infrastructure environments. Dormant-actor threat hunting that operates on the assumption that the actor is already inside is the realistic detection posture.
What policy and regulatory changes followed Volt Typhoon?
The National Cybersecurity Strategy implementation plan, updated May 2024, incorporated Volt Typhoon as the reference threat case for critical infrastructure cybersecurity baseline-raising. CIRCIA implementation rule-making at CISA used Volt Typhoon as the reference scenario for mandatory incident reporting. The EPA water sector cybersecurity rule-making cited Volt Typhoon as the threat case justifying expanded federal requirements. Five Eyes Critical Five coordination produced joint guidance on living-off-the-land detection and sector-specific Volt Typhoon indicators.
Sources
- CISA Joint Advisory AA24-038A: PRC State-Sponsored Actors Compromise US Critical Infrastructure · Primary joint advisory attributing Volt Typhoon to PRC and documenting TTPs
- FBI Director Christopher Wray Testimony to House Select Committee on the CCP · January 31, 2024 testimony on Volt Typhoon assessment and FBI disruption activity
- DOJ Press Release: Court-Authorized Disruption of KV Botnet · January 31, 2024 DOJ statement on the FBI's disruption of the KV Botnet used by Volt Typhoon
- Microsoft Threat Intelligence: Volt Typhoon Targets US Critical Infrastructure · Microsoft's May 2023 initial public attribution, expanded by subsequent reporting in 2024
- Mandiant Threat Brief: Volt Typhoon Activity Update · Mandiant's expanded TTP analysis and additional victim sector reporting
- Wall Street Journal: Chinese Hackers Pre-Positioned in US Infrastructure · WSJ reporting on the strategic intent and pre-positioning assessment