Decipher Files: Volt Typhoon and the State Actor That Was Already Inside
In May 2023 CISA, NSA, FBI, and Five Eyes partners disclosed that a People's Republic of China state-sponsored actor tracked as Volt Typhoon was operating inside US critical-infrastructure networks; a February 2024 follow-up advisory materially expanded the scope and stated that the actor had maintained access in some victim environments for at least five years. The campaign is structurally distinct from financially motivated intrusions: the operational objective was neither data theft nor ransom but pre-positioning for disruptive action against US critical infrastructure during a future geopolitical contingency.
Founder, DecipherU. Ed.D. Learning Sciences (University of Miami), MBA Marketing, M.S. OLL (Barry University), M.S. Applied AI in progress (Northeastern University).
CISA, NSA, FBI, and Five Eyes partners published joint advisory AA23-144A on May 24, 2023, titled "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection." The advisory attributed the activity to the actor Microsoft tracks as Volt Typhoon (also tracked as Vanguard Panda by CrowdStrike and BRONZE SILHOUETTE by Secureworks).
The February 7, 2024 follow-up advisory AA24-038A materially expanded the scope, stating that Volt Typhoon actors had compromised the IT environments of multiple critical-infrastructure organizations, primarily in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors, and had maintained access and footholds in some victim environments for "at least five years." FBI Director Christopher Wray testified before the House Select Committee on the Chinese Communist Party on January 31, 2024 that China's hackers were "positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if and when China decides the time has come to strike."
The technical anatomy is unusually consistent across affected environments and is documented in the Microsoft Threat Intelligence Volt Typhoon blog (May 24, 2023, updated since), the CISA advisory series, and Secureworks' BRONZE SILHOUETTE research:
1. Initial access: exploitation of known, unpatched vulnerabilities in internet-facing edge devices; AA24-038A names Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco products. Separately, the actor routed its traffic through compromised SOHO routers (Microsoft lists ASUS, Cisco, D-Link, NETGEAR, and Zyxel devices) so that connections into victims appeared to originate from ordinary domestic ISP address space. The KV-Botnet, built largely from end-of-life Cisco and NETGEAR small-office routers and used as that proxy layer, was disrupted in a court-authorized FBI operation announced by the Department of Justice on January 31, 2024.
2. Living-off-the-land tradecraft: once inside, Volt Typhoon largely avoided custom malware, relying on built-in Windows utilities (PowerShell, wmic, ntdsutil, certutil, netsh, schtasks) and hands-on-keyboard use of legitimate administrative and remote-access tooling. Detection-engineering implication: hash- and IOC-based detection has almost nothing to match on, because every binary involved is a signed Microsoft component present on every host; detections have to key on what the tools are asked to do (command-line arguments, process lineage, the account and host involved) and on how that departs from the environment's normal administrative activity.
3. Credential harvesting: the documented pattern is offline theft of the Active Directory database rather than replication (DCSync-style) abuse. The actor used ntdsutil to create an Installation From Media (IFM) copy of NTDS.dit together with the SYSTEM registry hive on a domain controller, staged the copy for retrieval, extracted and cracked password hashes offline (with attempts to dump LSASS memory noted as well), and then authenticated with valid accounts over ordinary Kerberos and RDP paths, which is why the resulting lateral movement looked like administration.
4. Persistence: the actor relied mainly on the harvested valid accounts rather than on implants, re-entering through the same VPN and edge devices used for initial access, and used netsh portproxy rules on compromised hosts as built-in relays for command-and-control and lateral movement. The choice optimizes for a low detection profile rather than operational convenience: there is no persistent binary to find, only credentials and configuration.
5. Operational objective: no meaningful exfiltration. Microsoft's analysis noted the absence of typical espionage tradecraft (mass document collection, mailbox export, source-code theft). The behavioral signature pointed to maintaining access and reconnoitering the environment for future operational use rather than current intelligence collection.
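The detection point in items 2 through 4 above, as an added example that is not code from the advisories, Microsoft, or Secureworks: the script below applies command-line rules for the named tools to constructed process-creation records (shaped like Windows Security 4688 / Sysmon Event ID 1 fields) and parses constructed `netsh interface portproxy show v4tov4` output into relay rows a hunter would review. Hostnames, account names, addresses, and the exact command strings are assumptions, not observed telemetry.

```python
"""Command-line detection for living-off-the-land process activity.

Added example, not code from the CISA advisories, Microsoft, or Secureworks.
The events and netsh output below are constructed (assumption) to resemble
Windows Security 4688 / Sysmon Event ID 1 fields and the output of
`netsh interface portproxy show v4tov4`; hosts, users, addresses and exact
command strings are illustrative.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    image: str           # expected process image basename, lowercase
    pattern: re.Pattern  # applied to the full command line
    severity: str


# Each rule keys on what the signed, built-in tool is being asked to do,
# since its hash is present on every host and useless as an indicator.
RULES = (
    # ntdsutil "ac i ntds" "ifm" "create full <dir>" q q -> NTDS.dit + SYSTEM hive copy
    Rule("ntdsutil_ifm_dump", "ntdsutil.exe",
         re.compile(r"\bac(?:tivate)?\s+i(?:nstance)?\s+ntds\b.*\b(?:ifm|create\s+full)\b", re.I),
         "critical"),
    # netsh interface portproxy add ... -> built-in TCP relay used as a pivot
    Rule("netsh_portproxy_add", "netsh.exe",
         re.compile(r"\binterface\s+portproxy\s+add\b", re.I), "high"),
    # wmic /node:<host> ... process call create -> remote execution over WMI
    Rule("wmic_remote_process_create", "wmic.exe",
         re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.I), "high"),
    # certutil -urlcache / -decode -> download or payload decode with a signed tool
    Rule("certutil_download_or_decode", "certutil.exe",
         re.compile(r"-(?:urlcache|decode)\b", re.I), "medium"),
    # schtasks /create ... /s <host> -> task creation on another machine
    Rule("schtasks_create_remote", "schtasks.exe",
         re.compile(r"/create\b.*\s/s\s+\S+", re.I), "medium"),
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Return one finding per (event, rule) match, in event order.

    Matching is gated on the image basename as well as the command line so a
    script that merely mentions ntdsutil in an argument does not fire; a renamed
    copy of the binary slips past this gate, which is why production rules also
    compare the PE OriginalFileName field.
    """
    findings = []
    for ev in events:
        image = _basename(ev["image"])
        for rule in RULES:
            if image == rule.image and rule.pattern.search(ev["cmdline"]):
                findings.append({"rule": rule.name, "severity": rule.severity,
                                 "host": ev["host"], "user": ev["user"],
                                 "cmdline": ev["cmdline"]})
    return findings


_PORTPROXY_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(netsh_output: str) -> list:
    """Parse `netsh interface portproxy show v4tov4` output into relay rows.

    Header and separator lines never match (their port columns are not digits).
    Any row on a host with no documented need to relay TCP is a hunt lead; the
    same rules persist under HKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy.
    """
    rows = []
    for line in netsh_output.splitlines():
        m = _PORTPROXY_ROW.match(line.strip())
        if m:
            rows.append({"listen_addr": m.group(1), "listen_port": int(m.group(2)),
                         "connect_addr": m.group(3), "connect_port": int(m.group(4))})
    return rows


# Constructed sample telemetry (assumption), not real events.
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "DC01", "user": "CORP\\adm_backup", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q'},
    {"host": "SRV-FILE01", "user": "CORP\\adm_backup", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
                "connectport=8443 connectaddress=10.0.0.5"},
    {"host": "SRV-FILE01", "user": "CORP\\adm_backup", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:10.0.0.7 /user:CORP\\adm_backup process call create "cmd /c whoami"'},
    {"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /query /fo LIST"},
]

SAMPLE_PORTPROXY = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         9999        10.0.0.5        8443
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} on {f['host']} by {f['user']}: {f['cmdline']}")
    for r in parse_portproxy(SAMPLE_PORTPROXY):
        print("portproxy relay:", r)
```

On the constructed input the three administrative commands (the IFM dump on the domain controller, the portproxy relay, and the remote WMI process creation) fire while the benign netsh and schtasks invocations do not; the point is that the rules discriminate on arguments, not on the binary. The ntdsutil rule will also fire on a legitimate IFM-based domain-controller promotion, which is exactly the kind of event a baseline of who performs such work, and from where, has to resolve.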
The Cyber Safety Review Board has not conducted a formal review of Volt Typhoon; the most explicit public framing of the campaign's strategic significance remains the January 2024 congressional testimony quoted above, which treats pre-positioning in critical infrastructure as preparation for disruption rather than as espionage.
Six lessons for cybersecurity practitioners:
First, state-sponsored pre-positioning is operationally distinct from financially motivated intrusion. The signals that catch ransomware crews (rapid lateral movement, bulk credential harvesting, large outbound transfers, domain-wide encryption) do not fire for an actor whose goal is to establish access and stay undetected indefinitely. Program implication: critical-infrastructure operators need detection engineering tuned to long-dwell, low-volume tradecraft. The joint guide "Identifying and Mitigating Living Off the Land Techniques," published alongside AA24-038A in February 2024, is the public template for that hunt.
Second, edge-device security is now a national-security concern, not a SOHO-vendor footnote. The KV-Botnet, assembled from hundreds of end-of-life Cisco and NETGEAR small-office routers (Department of Justice press release, January 31, 2024), showed that consumer and small-business devices form the launch infrastructure for state campaigns against critical infrastructure. Policy responses include subsequent joint guidance from CISA and its partners on edge-device hardening and the FCC's Cyber Trust Mark labeling program for consumer devices, adopted in March 2024.
Third, "living off the land" tradecraft is not detectable through signatures alone. Microsoft shipped hunting queries and Defender detections with its May 2023 report, and Splunk and other vendors published Volt Typhoon analytic content through 2023 and 2024; all of it keys on command-line patterns and behavior rather than file hashes. Program implication: any operator relying primarily on signature-based detection has a known structural blind spot. Behavioral detection requires baseline work (which accounts run which administrative tools on which hosts, and how often) that most operators have not invested in; a rule that matches ntdsutil arguments is only as useful as the analyst's ability to tell routine backup work from a one-off dump.
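The baseline work the paragraph above refers to, as an added example (not the Microsoft or Splunk content mentioned): the script below builds a per-host, per-account, per-tool baseline from a constructed training window of process-creation records, then scores a constructed evaluation window for administrative-tool use that is both new for that principal on that host and rare across the fleet, escalating when one account's novel activity spans several hosts. Host names, account names, the tool list, and the thresholds are assumptions to be tuned per environment.

```python
"""Baseline-and-deviation scoring for low-volume administrative tool use.

Added example, not vendor detection content. Both event windows below are
constructed (assumption): a training window representing telemetry the team
has already reviewed, and an evaluation window scored against it. Host
names, account names, the tool list and the thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Built-in tools worth baselining: legitimate, but rare enough per host that
# a first use by a given account on a given host is a question worth asking.
ADMIN_TOOLS = {"ntdsutil.exe", "netsh.exe", "wmic.exe", "certutil.exe",
               "schtasks.exe", "powershell.exe", "vssadmin.exe"}


@dataclass
class Baseline:
    principals: set = field(default_factory=set)   # (host, user, tool) seen in training
    tool_hosts: dict = field(default_factory=lambda: defaultdict(set))  # tool -> hosts
    hosts: set = field(default_factory=set)        # every host with any telemetry

    def prevalence(self, tool: str) -> float:
        """Fraction of the fleet on which this tool has ever run."""
        return len(self.tool_hosts[tool]) / len(self.hosts) if self.hosts else 0.0


def build_baseline(events) -> Baseline:
    """Learn which (host, user, tool) triples are normal and how widespread each tool is."""
    b = Baseline()
    for ev in events:
        b.hosts.add(ev["host"])
        tool = ev["tool"].lower()
        if tool in ADMIN_TOOLS:
            b.principals.add((ev["host"], ev["user"], tool))
            b.tool_hosts[tool].add(ev["host"])
    return b


def score(baseline: Baseline, events, rare_below: float = 0.10, spread_threshold: int = 3) -> list:
    """Flag admin-tool runs that are new for the principal on that host and rare
    across the fleet, then escalate any account whose novel runs span several
    hosts: few events, many machines, the shape of a long-dwell actor rather
    than a noisy one. Thresholds are assumptions to tune per environment."""
    alerts = []
    novel_hosts = defaultdict(set)
    for ev in events:
        tool = ev["tool"].lower()
        if tool not in ADMIN_TOOLS:
            continue  # ordinary software is not baselined here
        prev = baseline.prevalence(tool)
        if (ev["host"], ev["user"], tool) not in baseline.principals and prev < rare_below:
            alerts.append({"kind": "novel_rare_tool", "host": ev["host"], "user": ev["user"],
                           "tool": tool, "fleet_prevalence": round(prev, 3)})
            novel_hosts[ev["user"]].add(ev["host"])
    for user, hosts in novel_hosts.items():
        if len(hosts) >= spread_threshold:
            alerts.append({"kind": "novel_tool_spread", "user": user, "hosts": sorted(hosts)})
    return alerts


def _training_window() -> list:
    """Constructed history: 40 workstations where PowerShell is routine, one
    known helpdesk netsh use, and two servers with only service activity."""
    ev = []
    for i in range(1, 41):
        host, user = f"WS-{i:03d}", f"CORP\\user{i}"
        ev.append({"host": host, "user": user, "tool": "explorer.exe"})
        ev.append({"host": host, "user": user, "tool": "powershell.exe"})
    ev.append({"host": "WS-001", "user": "CORP\\helpdesk", "tool": "netsh.exe"})
    ev.append({"host": "DC01", "user": "NT AUTHORITY\\SYSTEM", "tool": "svchost.exe"})
    ev.append({"host": "SRV-FILE01", "user": "NT AUTHORITY\\SYSTEM", "tool": "svchost.exe"})
    return ev


TRAINING = _training_window()

# Constructed evaluation window: one account touching three hosts with rare
# tools, plus routine activity that must not alert.
EVAL = [
    {"host": "DC01", "user": "CORP\\adm_backup", "tool": "ntdsutil.exe"},
    {"host": "SRV-FILE01", "user": "CORP\\adm_backup", "tool": "netsh.exe"},
    {"host": "WS-017", "user": "CORP\\adm_backup", "tool": "wmic.exe"},
    {"host": "WS-005", "user": "CORP\\user9", "tool": "powershell.exe"},  # new pair, common tool
    {"host": "WS-001", "user": "CORP\\helpdesk", "tool": "netsh.exe"},    # already in baseline
    {"host": "WS-003", "user": "CORP\\user3", "tool": "notepad.exe"},     # not baselined
]

if __name__ == "__main__":
    for a in score(build_baseline(TRAINING), EVAL):
        print(a)
```

Against the constructed windows, the three rare-tool runs by one account on three different hosts each alert individually and then roll up into a single spread alert, while a first PowerShell use by a new user (common tool) and a repeat of the helpdesk's known netsh use (already in the baseline) stay silent. The two knobs matter: the prevalence threshold decides which tools are rare enough to care about, and the spread threshold distinguishes a single odd maintenance action from one account quietly touching many machines.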
Fourth, the "we paid the ransom and recovered" mental model does not apply. Volt Typhoon neither encrypts nor extorts. The incident-response playbook has to assume that access has existed for years before discovery, that little data has left the network (so the scoping question is "what can the actor do from here," not "what was taken"), and that the actor's response to detection is to pivot to another foothold rather than withdraw. Program implication: runbooks for state-actor pre-positioning are structurally different from ransomware runbooks and should be exercised separately.
Fifth, cyber-insurance and compliance posture is not aligned with this threat model. Most policies condition coverage on prompt notification, containment, and forensic capture; a long-dwell intrusion may be discovered three to five years after entry, so "prompt" can only be measured from discovery, and the logs needed for forensic reconstruction of the initial access may no longer exist. Insurance products for critical-infrastructure operators are beginning to address this gap, and SEC cybersecurity-rule materiality determinations for multi-year-dwell discoveries remain untested.
Sixth, the coupling between geopolitics and cybersecurity is now operationally explicit. Volt Typhoon's justification is contingency capability. Russia's operations against Ukraine (NotPetya in 2017, the wiper deployments around the February 2022 invasion) and Volt Typhoon's pre-positioning against US critical infrastructure form a coherent pattern that critical-infrastructure security programs must model explicitly. Program implication: threat-intelligence consumption should treat geopolitical-risk monitoring as a first-class input, not background context.
For careers: threat hunters specializing in long-dwell adversary tradecraft, threat-intelligence analysts covering China-aligned groups, OT/ICS security engineers at critical-infrastructure operators, incident responders with state-actor experience, and consultants advising critical-infrastructure security programs all treat Volt Typhoon as core material. The CISA Volt Typhoon advisory series is required reading for anyone working in or with the 16 US critical-infrastructure sectors.
Verifiable Predictions
CISA will issue at least three additional Volt Typhoon-adjacent advisories before end of 2026 covering newly-identified affiliated subgroups or tradecraft variations.
At least one US critical-infrastructure operator will publicly disclose a Volt Typhoon-confirmed compromise dating back more than five years within 24 months.
Cyber-insurance-policy language for critical-infrastructure operators will materially evolve to address multi-year-dwell discovery scenarios by end of 2027.
References
- Cybersecurity and Infrastructure Security Agency (2024). AA24-038A: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. CISA Cybersecurity Advisory.
- Cybersecurity and Infrastructure Security Agency (2023). AA23-144A: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. CISA Cybersecurity Advisory.
- Microsoft Threat Intelligence (2023). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Microsoft Security Blog.
- US Department of Justice (2024). U.S. Government Disrupts Botnet People's Republic of China Used to Conceal Hacking of Critical Infrastructure (KV-Botnet). Department of Justice Press Release, January 31, 2024.
- Wray, C. (2024). Testimony before the House Select Committee on the Chinese Communist Party. US House of Representatives.
- Secureworks Counter Threat Unit (2023). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets US Government and Defense Organizations. Secureworks Threat Analysis.
This trend analysis represents original research and interpretation by DecipherU. Predictions are based on publicly available data and the cited sources. Actual outcomes may differ. This content is for educational purposes and does not constitute investment, career, or financial advice.
This analysis covers the May 2023-Present period. DecipherU reviews and updates trend articles monthly. The article includes 3 verifiable predictions that will be tracked and updated as events unfold.