Cipher&Counsel
National Security · OSINT Investigation ← Portfolio
UTSA Research Initiative · 2026 OSINT Threat Actor Investigation TLP:WHITE · Unclassified · Shadow Sample

Volt Typhoon
OSINT Threat Actor Investigation

Living-off-the-Land Pre-Positioning Against U.S. Critical Infrastructure

Volt Typhoon — also tracked as Vanguard Panda, BRONZE SILHOUETTE, Insidious Taurus, and Dev-0391 — is a People's Republic of China (PRC) state-sponsored cyber actor whose objective is not espionage but pre-positioning: gaining and maintaining persistent, covert access inside U.S. critical infrastructure to enable disruptive or destructive effects in the event of a major crisis or conflict. Unlike financially motivated or intelligence-collection actors, Volt Typhoon relies almost exclusively on living-off-the-land (LotL) techniques and a botnet of compromised small-office / home-office (SOHO) routers to blend in with normal network activity — achieving dwell times measured in years rather than days. This investigation consolidates open-source reporting from CISA, the NSA, the FBI, and Microsoft into a single five-year campaign timeline, an eleven-technique MITRE ATT&CK mapping, and behavioral detection guidance for defenders.

Threat Actor
Volt Typhoon
Vanguard Panda · G1017
Attribution
China · PRC State
High Confidence
Active Period
Mid-2021 · 2026
Ongoing
Primary Targets
Comms · Energy
Water · Transport
Report Date
March 2026
UTSA Research Initiative
Analysts monitoring a global cyber threat map in a security operations center
Defending Forward
LotL intrusions hide in legitimate traffic — detection depends on the analyst, not the signature.
Cipher & Counsel · SOC Imagery
Shadow Sample — Original OSINT threat actor investigation produced as a UTSA research portfolio piece. All TTPs, infrastructure details, timelines, and statistics are drawn from publicly available CISA, NSA, FBI, and Microsoft reporting. No proprietary or classified data is reproduced. IOCs are defanged per TLP:WHITE conventions.
· ·
Threat at a Glance

What You Need to Know

5yr
Confirmed dwell time inside at least one U.S. critical-infrastructure network before discovery — access measured in years, not days
0malware
Near-zero custom malware in core operations — intrusions executed almost entirely with built-in Windows tools to evade detection
KVbotnet
Hundreds of end-of-life SOHO routers hijacked as covert proxy infrastructure — disrupted by a court-authorized FBI operation in Jan 2024

Volt Typhoon is a Chinese state-sponsored actor active since at least mid-2021. What makes it distinct is intent. Most nation-state groups steal information; Volt Typhoon steals time and position — quietly embedding inside the networks that run America's communications, energy, water, and transportation systems so that access is already in place if a future crisis demands it.

Because the group operates almost entirely with legitimate, built-in administrative tools rather than malware, traditional antivirus and signature-based defenses rarely catch it. The intrusions look like normal IT activity. Detection requires watching behavior — who is logging in, from where, doing what — not scanning for malicious files.

Campaign Timeline

A Five-Year Pre-Positioning Campaign

Volt Typhoon's public story unfolds across five years — from quiet initial access, to a coordinated government disclosure, to a law-enforcement disruption of its infrastructure, and continued activity through the current reporting period.

01
Mid-2021 · 2022
Quiet Initial Access
The group establishes access to U.S. critical-infrastructure networks by exploiting internet-facing appliances — VPNs, firewalls, and routers from vendors including Fortinet, Citrix, and Ivanti — and harvesting administrator credentials. Activity is low-and-slow by design, avoiding any tooling that would trip detection.
02
May 2023
Public Disclosure — Microsoft & Five Eyes
Microsoft, the NSA, CISA, and Five Eyes partners jointly disclose Volt Typhoon activity, highlighting living-off-the-land tradecraft and targeting of critical infrastructure on Guam — a strategic U.S. military hub in the Pacific. The disclosure reframes the group as a pre-positioning, not espionage, threat.
03
January 2024
KV Botnet Disruption
The U.S. Department of Justice and FBI announce a court-authorized operation that remotely removes Volt Typhoon's malware from hundreds of compromised end-of-life SOHO routers comprising the "KV Botnet" — the covert proxy network the group used to obscure the origin of its intrusions.
04
February 2024
CISA Advisory AA24-038A
CISA, NSA, and the FBI publish a landmark joint advisory confirming Volt Typhoon had maintained access inside some victim IT environments for at least five years, and warning that the group is positioned to enable disruptive effects against critical infrastructure during a major crisis.
05
2025 · 2026
Persistence & Reconstitution
Despite the botnet takedown, open-source reporting through the current period documents continued Volt Typhoon-aligned activity — re-establishing router proxy infrastructure and probing communications and energy providers — underscoring that pre-positioning access is durable and must be assumed, not disproven.
Sector Risk Assessment

Who Is at Risk

SectorRisk LevelWhy TargetedObserved Activity
Communications CRITICAL Disruption of command, control, and civilian connectivity during a crisis Confirmed access to communications providers; Guam telecom targeting
Energy & Electric CRITICAL Ability to degrade or disrupt power delivery to populations and bases Persistent access to energy-sector IT and adjacent OT environments
Water & Wastewater CRITICAL Public-safety leverage; high-impact disruption with limited defenses Targeting of water utility networks confirmed in joint advisories
Transportation HIGH Logistics and military mobility disruption during contingency Access to transportation-sector systems documented by CISA
SOHO / Edge Devices HIGH Hijacked as covert proxy infrastructure to mask intrusion origin End-of-life routers conscripted into the KV Botnet
Executive Recommendations

What to Do Now

Priority 01
Assume Compromise and Hunt for Behavior, Not Malware
Because Volt Typhoon uses built-in tools, not malware, signature-based defenses are insufficient. Prioritize threat hunting against authentication logs, command-line activity, and administrative tool usage to find access that antivirus will never flag.
Priority 02
Patch and Harden Internet-Facing Appliances
Initial access depends on vulnerable edge devices — VPNs, firewalls, and routers. Apply vendor patches promptly, remove end-of-life hardware from service, and disable unnecessary management interfaces exposed to the internet.
Priority 03
Enforce Phishing-Resistant MFA and Credential Hygiene
The group escalates by stealing valid administrator credentials, including domain controller databases. Enforce phishing-resistant MFA, rotate exposed credentials, and tightly restrict and monitor privileged accounts.
Priority 04
Secure and Monitor the IT / OT Boundary
Pre-positioning aims at operational technology that runs physical infrastructure. Segment IT from OT networks, monitor traffic crossing that boundary, and assume lateral movement is the adversary's goal.
Strategic Context

The February 2024 CISA / NSA / FBI advisory assessed that Volt Typhoon's pre-positioning is intended to enable disruption of critical infrastructure in the event of a major U.S.–China crisis or conflict. The threat is therefore strategic and persistent: the absence of data theft is not evidence of safety — it is the signature of an actor preparing the battlefield rather than robbing it.

Actor Overview

Volt Typhoon — Group Profile

Volt Typhoon (MITRE ATT&CK G1017) is a People's Republic of China state-sponsored cyber group assessed with high confidence to be conducting pre-positioning operations against United States critical infrastructure. Also tracked as Vanguard Panda, BRONZE SILHOUETTE, Insidious Taurus, Dev-0391, and UNC3236, the group has been active since at least mid-2021, with confirmed activity across the communications, energy, water and wastewater, and transportation sectors — including U.S. territories such as Guam.

Volt Typhoon is defined by its near-total reliance on living-off-the-land (LotL) techniques. Rather than deploying custom backdoors, operators use legitimate, built-in administrative utilities — wmic, ntdsutil, netsh, PowerShell, and certutil — to conduct discovery, credential access, and lateral movement. Command-and-control is routed through a botnet of compromised SOHO network devices, allowing the group's traffic to originate from benign-looking residential and small-business IP space and evade geolocation-based detection.

MITRE ATT&CK Mapping

Eleven Documented Techniques

The following maps observed Volt Typhoon tradecraft to MITRE ATT&CK Enterprise v18, consolidated from CISA advisory AA24-038A, the NSA/CISA LotL guidance, and Microsoft Threat Intelligence reporting.

Technique IDTacticTechnique NameObserved ImplementationFreq
T1190Initial AccessExploit Public-Facing ApplicationExploitation of internet-facing Fortinet, Citrix, and Ivanti appliances to gain a footholdHIGH
T1133Initial AccessExternal Remote ServicesAbuse of VPN and remote-management services on edge devices for entry and re-entryHIGH
T1078Defense EvasionValid AccountsUse of stolen, legitimate administrator credentials to blend in as authorized usersHIGH
T1059.001ExecutionCommand & Scripting: PowerShellPowerShell used for discovery and execution without dropping files to diskHIGH
T1047ExecutionWindows Management Instrumentationwmic used for remote command execution and host enumerationHIGH
T1003.003Credential AccessOS Credential Dumping: NTDSntdsutil abused to extract the Active Directory NTDS.dit database via Volume Shadow CopyHIGH
T1552.001Credential AccessUnsecured Credentials: Credentials In FilesHarvesting of credentials stored in configuration files on compromised appliancesMED
T1018DiscoveryRemote System DiscoveryNative commands used to map hosts, domains, and network topology quietlyHIGH
T1090.002Command & ControlProxy: External ProxyTraffic routed through the KV Botnet of compromised SOHO routers to mask originHIGH
T1070Defense EvasionIndicator RemovalSelective clearing of event logs and command history to frustrate forensicsMED
T1021.001Lateral MovementRemote Services: RDPUse of valid accounts over RDP and other native remote services to move laterallyMED
MITRE ATT&CK Enterprise v18 · attack.mitre.org/groups/G1017 · CISA Advisory AA24-038A, February 2024 · NSA/CISA "Identifying and Mitigating Living off the Land Techniques," February 2024
Tradecraft & Tooling

Living-off-the-Land Toolset

Volt Typhoon's "toolkit" is largely the victim's own operating system. The table below summarizes the principal native binaries and capabilities documented in public reporting, in place of the custom malware families typical of other actors.

Tool / CapabilityTypeNative?PurposeStatus
ntdsutilLOLBinBuilt-inExtracts the Active Directory NTDS.dit credential database via Volume Shadow Copy.LOTL
wmicLOLBinBuilt-inRemote command execution, process and host enumeration.LOTL
netshLOLBinBuilt-inPort-proxy configuration to pivot and tunnel traffic through compromised hosts.LOTL
PowerShellLOLBinBuilt-inFileless discovery, execution, and scripting across the environment.LOTL
certutilLOLBinBuilt-inFile transfer and encoding/decoding of staged data.LOTL
Fast Reverse Proxy (FRP)Open-sourceIntroducedPublicly available proxy tool used to maintain covert remote access.Observed
KV Botnet implantRouter malwareIntroducedMalware on end-of-life SOHO routers forming covert proxy infrastructure; disrupted Jan 2024.Disrupted
CISA AA24-038A, February 2024 · FBI / DOJ KV Botnet Disruption Announcement, January 2024 · Microsoft Threat Intelligence — Volt Typhoon, May 2023
Infrastructure Analysis

The KV Botnet & Edge-Device Proxying

Covert SOHO Router Proxy Network

Rather than operate from attributable cloud or hosting infrastructure, Volt Typhoon routed operations through the KV Botnet — hundreds of compromised small-office / home-office routers, many of them end-of-life Cisco, NETGEAR, and similar devices no longer receiving security updates. By proxying through residential and small-business IP space geographically close to victims, the group defeated geolocation-based anomaly detection and made its inbound connections appear to originate from benign local networks.

Law-Enforcement Disruption — January 2024

In January 2024 the U.S. Department of Justice disclosed a court-authorized operation in which the FBI remotely removed the botnet malware from compromised routers and severed their connection to Volt Typhoon's infrastructure. The action degraded the group's proxy network but did not remove pre-positioned access from victim enterprise environments — a reminder that infrastructure takedowns and host remediation are distinct problems.

Indicator Summary

IndicatorTypeContext
ntdsutil.exeLOLBinNTDS.dit extraction via Volume Shadow Copy — credential access
netsh interface portproxyCommandPort-proxy creation for internal tunneling and pivoting
cmd.exe /c "wmic process call create"CommandRemote execution and enumeration pattern
End-of-life SOHO routersInfrastructureKV Botnet proxy nodes — Cisco / NETGEAR EOL devices
Anomalous admin login (off-hours / new ASN)BehavioralValid-account abuse from unexpected source networks

Note: Volt Typhoon produces few static file-based IOCs by design. Behavioral indicators — anomalous use of native administrative tooling and valid accounts — are the primary detection surface. Restore any defanged values before use in tooling.

CISA AA24-038A, February 2024 · MITRE ATT&CK G1017, v18 · Microsoft Threat Intelligence, May 2023
Detection Guidance

Behavioral Detection & Mitigation

Identity & Credential Controls

Detection
  • Alert on anomalous use of valid administrator accounts — off-hours logins, new source ASNs, or impossible-travel patterns inconsistent with the account's history
  • Monitor for ntdsutil execution and Volume Shadow Copy creation on domain controllers — a high-fidelity signal of NTDS.dit theft
  • Enforce phishing-resistant MFA on all privileged and remote-access accounts; rotate credentials known to have been exposed on compromised appliances

Endpoint & Command-Line Telemetry

Detection
  • Enable and centrally collect command-line and PowerShell script-block logging — LotL activity is invisible without process-level telemetry
  • Baseline normal administrative tool usage and alert on wmic, netsh portproxy, and certutil invocations outside known workflows
  • Hunt for fileless execution chains spawning from unexpected parent processes on servers and edge hosts

Network & Edge Controls

Detection
  • Patch and replace internet-facing appliances promptly; retire end-of-life routers and firewalls that can be conscripted as proxy infrastructure
  • Monitor for unexpected port-proxy and tunneling configurations and outbound connections from servers that should not initiate them
  • Segment IT from OT and inspect traffic crossing that boundary — pre-positioning aims at the operational systems behind it
NSA/CISA — Identifying and Mitigating Living off the Land Techniques, February 2024 · CISA AA24-038A · FBI / DOJ, January 2024
Sources

Citations & References

All technical content is sourced from publicly available government and vendor threat research. No proprietary or classified data is reproduced. IOCs are defanged per TLP:WHITE conventions.

  • [1]CISA / NSA / FBI — Joint Advisory AA24-038A: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure · cisa.gov · February 2024
  • [2]NSA / CISA / FBI — Identifying and Mitigating Living off the Land Techniques · cisa.gov · February 2024
  • [3]Microsoft Threat Intelligence — Volt Typhoon Targets U.S. Critical Infrastructure with Living-off-the-Land Techniques · microsoft.com · May 2023
  • [4]U.S. Department of Justice — U.S. Government Disrupts Botnet (KV Botnet) Used by PRC-Linked Volt Typhoon Actors · justice.gov · January 2024
  • [5]MITRE ATT&CK — Volt Typhoon Group Profile G1017 · attack.mitre.org/groups/G1017 · v18
  • [6]CISA — People's Republic of China Cyber Threat / Volt Typhoon Resource Hub · cisa.gov
  • [7]FBI — Director's Statement on PRC Cyber Pre-Positioning Against U.S. Critical Infrastructure · fbi.gov · 2024
  • [8]Lumen / Black Lotus Labs — KV Botnet Technical Analysis · blog.lumen.com · 2023–2024