Since at least 2021, a Chinese state-sponsored threat group designated Volt Typhoon — also tracked as Voltzite, Bronze Silhouette, and Vanguard Panda — has been methodically embedding itself inside the most critical infrastructure in the United States. Power grids. Water systems. Transportation networks. Communications. Military support facilities. Not to steal data. Not to demand ransom. Not to make noise. To wait.
This is not espionage in the traditional sense. The US Intelligence Community assesses with high confidence that Volt Typhoon's objective is pre-positioning — gaining persistent access to infrastructure that can be disabled or destroyed at a moment of their choosing, specifically in the event of military conflict over Taiwan. They are not looking through windows. They are installing the charges on the load-bearing walls.
Defining Assessment: Dragos CEO Rob Lee stated publicly in February 2026 that there are sites compromised by Volt Typhoon in the United States and NATO countries that "we will never find." The FBI Director called it preparation to "cause real-world harm to American citizens and communities in the event of conflict." The Air Force cyber commander said if those capabilities are activated during a Taiwan crisis, "that is total war in my definition."
This analysis examines how Volt Typhoon achieved five years of undetected persistence, why the obvious remediation steps fail, where the true investigation must begin, and what the policy failure at the heart of this crisis actually is. It is written from the perspective of a security analyst and CMMC consultant who works directly with the defense industrial base in Connecticut — the supply chain that builds the submarines, aircraft engines, and helicopters that would respond to a Taiwan conflict.
Volt Typhoon is a People's Republic of China state-sponsored threat actor assessed by CISA, NSA, FBI, and the Five Eyes intelligence alliance to be operating on behalf of the Chinese government — most likely the People's Liberation Army or the Ministry of State Security. Unlike Chinese APT groups focused on intellectual property theft, Volt Typhoon's targeting pattern is inconsistent with traditional espionage. They target infrastructure with minimal intelligence value but maximum disruption potential.
The strategic logic was confirmed at a December 2024 Geneva summit between Chinese and American officials where Chinese representatives made indirect but unmistakable remarks the US delegation interpreted as a tacit admission — the Volt Typhoon campaign was conducted in response to US support for Taiwan, as a warning about the cost of military intervention in a Taiwan conflict.
Strategic Assessment: China does not need to attack US infrastructure today. They need the US to know that if things go badly over Taiwan, the lights could go out in American cities, water treatment fails, communications collapse, and port operations freeze — all simultaneously, within hours, before US forces can mobilize. It is deterrence through pre-positioned destruction. The cyber equivalent of pointing a loaded weapon at civilian infrastructure to change political decision-making without pulling the trigger.
| Alias | Assigned By | Assessment |
|---|---|---|
| Volt Typhoon | Microsoft | Primary designation — PRC state-sponsored, critical infrastructure focus |
| Voltzite | Dragos | OT-focused tracking — confirmed still active through 2025 and 2026 |
| Bronze Silhouette | Secureworks | Long-term persistence specialist — pre-positioning for disruption |
| Insidious Taurus | CrowdStrike | Assessed PLA or MSS affiliation — Taiwan contingency focus |
| UNC3236 | Mandiant | Living-off-the-land specialist — minimal malware footprint |
The single most important question about Volt Typhoon is the one most analysts have not answered satisfactorily: how does a nation-state threat actor operate inside US critical infrastructure for five-plus years without being detected? The answer operates at three levels — technical, architectural, and human — and each one alone would be insufficient. Together they created a near-perfect cloak.
Traditional security tools — antivirus, endpoint detection, intrusion detection systems — all work on the same fundamental principle: they look for things that should not be there. Malicious files. Known bad signatures. Suspicious executables. Volt Typhoon brought none of those. They used only tools already installed on every Windows system in the country.
The LOTL Principle: When a Volt Typhoon operator ran netstat -ano to map active network connections, that command is identical to what your IT administrator runs on Tuesday morning. When they used PowerShell to query Windows Event Logs, that is identical to what your security team does during normal operations. When they used vssadmin to create a shadow copy — that is a standard Windows backup function. Every tool they used came pre-installed. No antivirus has a signature for your own operating system's built-in utilities.
The first objection any analyst raises when examining this intrusion is that there must be a login trace: every network connection leaves a source IP address in the logs. Volt Typhoon solved this with extraordinary ingenuity — they built a secret highway entirely inside America using other people's equipment, without those people's knowledge.
The KV-Botnet — discovered by Lumen Technologies' Black Lotus Labs in December 2023 — is a network of compromised small office and home office routers. Cisco RV320s, Netgear ProSAFE firewalls, DrayTek Vigor routers. End-of-life devices running unpatched 2019 firmware sitting in basements across America, never rebooted, never updated. China compromised them silently and turned them into relay nodes in a secret proxy network.
One of the most common questions when Volt Typhoon's credential dumping activity is disclosed is: why not simply rotate all credentials? They stole the password database — change all the passwords and the stolen data is worthless. This is logical on the surface and completely wrong in practice. Understanding why requires understanding what NTDS.dit actually is and what it enables.
NTDS.dit is the Active Directory database stored on every Windows Domain Controller — the central authentication authority for an entire organization. It contains password hashes for every user account in the domain, service account credentials, Kerberos authentication keys, and critically — the KRBTGT account hash, which allows an attacker to forge what are called Golden Tickets: authentication tokens that grant access to any system in the domain for up to 10 years without requiring a password at all.
Why Rotating Passwords Alone Fails: Rotating all credentials while Volt Typhoon still holds a foothold through a web shell or compromised edge device accomplishes nothing — they dump the new credentials the following day. Rotating passwords without first completely evicting the actor is like changing the locks while the burglar is still inside. The rotation must be simultaneous across thousands of accounts, after confirmed complete eviction, with the KRBTGT account rotated twice to invalidate all forged tickets.
The counterintuitive insight I draw from analyzing Volt Typhoon's access chain is that investigation must not begin at the high-value target. It must begin at the smallest, least-funded, most overlooked facility in the region — because that is almost certainly where the access chain originated.
Investigator's Principle: A Chinese intelligence operation targeting Electric Boat's submarine program does not start by attacking Electric Boat's hardened network directly. It starts by compromising the water treatment plant three miles away that shares a regional communications network. Or the small HVAC vendor whose technician has physical access to the facility. Or the staffing agency that places contractors. The weakest link in the supply chain determines the security of the entire chain.
The most important statement in this entire analysis is also the simplest: legacy operational technology must be replaced, and the cost of replacement cannot be the reason it is not done. This is not a technology position. It is a public safety position. It is a national security position. The infrastructure that controls water treatment, power distribution, and transportation for millions of Americans is running on software that was never designed to be connected to any network — let alone a network accessible to Chinese state intelligence.
The Cost Accounting Failure: Replacing legacy OT infrastructure at a single utility costs tens to hundreds of millions of dollars. That number appears on the balance sheet immediately and visibly. The cost of a successful Volt Typhoon activation — water contamination, grid failure, transportation collapse, loss of life — appears nowhere on the balance sheet until the day it happens. We do not allow water treatment facilities to run corroded pipes because replacement is expensive. We should not allow them to run 2003-era SCADA firmware because cybersecurity investment is expensive.
| OT Security Control | Current State | Required State | Cost Reality |
|---|---|---|---|
| Network segmentation | IT and OT on same network at many facilities | Strict industrial DMZ — OT never directly reachable from IT | High but fundable |
| Patch currency | Many OT systems running EOL firmware from 2003–2015 | Supported firmware only — replacement of EOL equipment | Very high — but mandatory |
| Remote access | Internet-exposed HMI interfaces at many small utilities | No direct internet exposure — jump server required for any remote access | Moderate |
| Behavioral monitoring | Little or no OT-specific monitoring at small facilities | Continuous baseline monitoring with anomaly detection on all OT traffic | Moderate with right tooling |
| Incident response plan | Most small utilities have no documented cyber IR plan | Tested, exercised IR playbook including OT-specific scenarios | Low — primarily staff time |
Detecting Volt Typhoon requires abandoning signature-based thinking entirely. There are no malicious files to scan for. There are no known-bad IP addresses in the logs. The entire detection strategy must shift from "what is here that should not be" to "what is happening that looks different from what normally happens." Behavioral analytics. Baseline deviation. Anomaly at scale.
| Detection Target | What to Monitor | ATT&CK Technique |
|---|---|---|
| DCSync from non-DC | Replication protocol (MS-DRSR) traffic from any IP not in the known Domain Controller list | T1003.006 |
| NTDS.dit access sequence | vssadmin + SYSTEM hive copy + NTDS file read within short window — treat as critical incident | T1003.003 |
| LOTL admin command burst | netstat, whoami, ipconfig, net user sequence from single account in short period | T1087, T1049 |
| Off-hours admin auth | Privileged account authentication outside 07:00–19:00 local time from any source | T1078 |
| IT-to-OT lateral movement | Any new connection from IT network segment to OT/SCADA IP range — flag and alert immediately | T1021 |
| Selective log deletion | Windows Event Log cleared (Event ID 1102) — especially on Domain Controllers — treat as active incident | T1070.001 |
| SOHO admin interface exposure | Any router or firewall with management interface reachable from internet on port 80, 443, 8080, 8443 | T1133 |
| Anomalous outbound volume | Outbound traffic to any destination exceeding 3× 30-day baseline from OT-adjacent systems | T1041 |
The single most important detection capability against LOTL attacks is a mature behavioral baseline — knowing what normal looks like in granular detail so that abnormal is visible even when it uses legitimate tools.
What Good Baseline Detection Looks Like: Admin account X logs in Monday through Friday between 8am and 6pm from IP range 10.x.x.x. They run 15-20 standard commands per session. They access 3-4 specific server groups. They never touch OT systems. The day they log in at 2am from a Phoenix Arizona IP address, run 47 commands in 12 minutes including netstat and whoami, and query Active Directory for all user accounts — that pattern fires an alert regardless of whether any individual command is technically malicious. The deviation from baseline IS the detection. This is the approach that Volt Typhoon's technique cannot evade.
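The baseline-deviation logic described above and the LOTL, off-hours and command-burst rows of the detection table, as an added Python example that is not part of the original article. The per-account baseline, the session records and the IP addresses are constructed for illustration; it assumes the baseline was learned from prior logon and process-creation telemetry.

```python
# Added example, not the article's code: baseline-deviation scoring for admin sessions.
# Assumption: the per-account baseline was learned from ~30 days of logon and
# process-creation telemetry; the baseline and both sessions are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
BASELINE = {
    "admin_x": {
        "hours": range(8, 18),                       # works 08:00-17:59 local
        "networks": [ip_network("10.0.0.0/8")],      # always from the internal range
        "max_cmds": 20,                              # 15-20 commands per session
        "server_groups": {"file", "print", "mail"},  # never touches OT
    }
}
# Built-in discovery tools from the page's detection table (T1087, T1049)
LOTL_DISCOVERY = {"netstat", "whoami", "ipconfig", "net", "nltest", "dsquery"}
@dataclass
class Session:
    account: str
    hour: int        # local hour of the logon
    src_ip: str
    commands: list   # command lines run during the session
    targets: set     # server groups touched
def score_session(s: Session) -> list:
    """Return every deviation from the account's baseline; an empty list is normal."""
    b = BASELINE.get(s.account)
    if b is None:
        return ["unknown-account"]
    findings = []
    if s.hour not in b["hours"]:
        findings.append("off-hours")
    if not any(ip_address(s.src_ip) in net for net in b["networks"]):
        findings.append("unknown-source-network")
    if len(s.commands) > b["max_cmds"]:
        findings.append(f"command-burst:{len(s.commands)}")
    tools = {c.split()[0].lower() for c in s.commands if c.strip()} & LOTL_DISCOVERY
    if len(tools) >= 2:  # one netstat is noise; a cluster of discovery tools is recon
        findings.append("lotl-discovery:" + ",".join(sorted(tools)))
    new = s.targets - b["server_groups"]
    if new:
        findings.append("new-targets:" + ",".join(sorted(new)))
    return findings
def is_alert(s: Session, threshold: int = 2) -> bool:
    """No single command is malicious; two or more simultaneous deviations fire."""
    return len(score_session(s)) >= threshold
# Constructed sessions: a routine weekday morning, and the page's 02:00 scenario.
NORMAL = Session("admin_x", 9, "10.20.30.40", ["ipconfig /all"] + ["dir"] * 14, {"file", "mail"})
ANOMALOUS = Session("admin_x", 2, "198.51.100.7",
                    ["netstat -ano", "whoami /all", "net user /domain"] + ["dir"] * 44,
                    {"file", "ot"})
```

The routine session scores zero deviations, while the 02:00 session trips every check at once, which is the point: each command is legitimate on its own, and only the combination against the account's own history is the signal.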
This analysis is written specifically for the defense industrial base in Connecticut — the supply chain that builds nuclear submarines at Electric Boat in Groton, jet engines at Pratt and Whitney in East Hartford, and military helicopters at Sikorsky in Stratford. These are among the most secure private facilities in the country internally. The threat is not to their internal networks directly. The threat is to the infrastructure around them — and through that infrastructure, to them.
The Uncomfortable Reality: If Volt Typhoon is embedded in the regional power grid that supplies Electric Boat's facility, the submarine program has a vulnerability that no amount of internal cybersecurity investment addresses. If they are in the water treatment system that serves Groton, the manufacturing facility has a physical security dependency on infrastructure it does not control. CMMC compliance protects the contractor's own systems. It does not protect the ecosystem those systems depend on.
| NIST SP 800-171 Control | Control ID | Volt Typhoon Relevance | Gap Assessment |
|---|---|---|---|
| System and communications protection | 3.13.1 | Network segmentation between IT and OT | Frequently absent at small subcontractors |
| Audit and accountability | 3.3.1 | Log retention and review — catching LOTL activity | Logs kept but rarely reviewed actively |
| Configuration management | 3.4.1 | Baseline configurations — detect deviations | OT baselines rarely documented |
| Identification and authentication | 3.5.3 | MFA on all privileged and remote access | IT MFA common — OT MFA rare |
| Incident response | 3.6.1 | Playbooks for LOTL and credential theft scenarios | OT-specific IR plans largely absent |
| Supply chain risk management | 3.1.20 | Vendor access controls and monitoring | Most critical gap — supply chain is the entry point |
Volt Typhoon is not a theoretical future threat. It is an active, ongoing, confirmed operation that has been running inside the infrastructure Americans depend on for basic survival — power, water, communications, transportation — for more than five years. The FBI Director has confirmed it. The Air Force cyber commander has called its potential activation "total war." Dragos has confirmed some footholds will never be found.
The question this analysis has tried to answer is not whether the threat is real — it is demonstrably real. The question is why it persists, why remediation is so difficult, and what actually needs to change. The answers point not primarily to technology failures but to policy failures: voluntary guidance where mandatory standards are needed, absent liability where accountability should exist, and deferred investment in legacy OT infrastructure where replacement should have been funded a decade ago.
Final Assessment: A water treatment plant running on unpatched 2003-era SCADA firmware three miles from a nuclear submarine construction facility is not an acceptable national security posture. Neither is a regional power grid with a Chinese state actor embedded in its control loop. The technical solutions exist. The detection methods exist. The funding mechanisms exist. What is missing is the political will to treat critical infrastructure cybersecurity as the life-safety issue it already is — and to act accordingly before the first activation, not after. The cost of prevention is measured in millions. The cost of the alternative is measured in lives.
All findings in this report are based on publicly available information including reports from CISA, NSA, FBI, Microsoft Threat Intelligence, Dragos, Lumen Black Lotus Labs, Mandiant, CrowdStrike, Secureworks, SecurityScorecard, the US Air Force, Congressional Research Service, and MITRE ATT&CK. This represents the author's independent analysis and does not reflect the views of any employer or client organization.
Yana Ivanov is a security analyst and CMMC consultant based in Connecticut, specializing in cybersecurity risk assessment for defense contractors in the Connecticut defense industrial base — Electric Boat, Pratt and Whitney, Sikorsky, and their supply chains. With 15 years of enterprise technology experience and an MS in Information Systems, she brings a practitioner perspective to threat intelligence analysis with a focus on the intersection of operational technology security, CMMC compliance, and nation-state threat actors. She is pursuing CompTIA Security+ and CMMC Registered Practitioner certification. This analysis was produced independently as a contribution to the security community's understanding of persistent nation-state threats to US critical infrastructure.