BIPI

Volt Typhoon: Pre-Positioning in Critical Infrastructure With No Malware

Threat Intelligence

China's Volt Typhoon was not stealing secrets. It was sitting inside US water, energy, and communications operators waiting for orders. The tradecraft is the lesson: there was no malware to find.

By Arjun Raghavan, Security & Systems Lead, BIPI · August 8, 2024 · 9 min read

#volt-typhoon · #china · #critical-infrastructure · #living-off-the-land

Volt Typhoon is the intrusion campaign that forced the US national security community to publicly distinguish between espionage and pre-positioning. CISA, NSA, FBI, and Five Eyes partners issued joint advisories in 2023 and again in early 2024 making clear that this was not a collection operation. It was an option being held open for disruption during a future crisis.

Actor Profile

Volt Typhoon is the Microsoft name for an intrusion cluster also tracked as BRONZE SILHOUETTE (Secureworks), Vanguard Panda (CrowdStrike), and Insidious Taurus (Palo Alto). US government attribution is to the People's Republic of China, with reporting tying activity to PLA Strategic Support Force objectives. The targeting set is unusual: US territory critical infrastructure operators, especially in Guam, Hawaii, and the western continental US.

Attribution caveat: the cluster overlaps technically with broader PRC contractor activity. The campaign objective, not the malware, is the most reliable signature.

TTPs

The defining characteristic of Volt Typhoon is the near-total absence of custom malware. Initial access comes through internet-exposed edge devices and the entire post-exploitation chain uses tools already on the system.

  • Initial access via Fortinet FortiGuard, Ivanti Connect Secure, and Cisco RV320/RV325 router vulnerabilities
  • SOHO router compromise (Cisco, NETGEAR, ASUS end-of-life devices) for operational relay infrastructure (KV-botnet)
  • Living-off-the-land: ntdsutil for AD database extraction, wmic, PowerShell, netsh, certutil (MITRE T1059, T1003.003)
  • Credential theft from LSASS using built-in tools rather than Mimikatz
  • Persistence via legitimate VPN access and valid accounts, no implants on disk

Notable Victims

US Coast Guard logistics, Guam communications infrastructure, multiple water and wastewater utilities, an oil and natural gas operator, and US electricity sector entities. CISA's January 2024 advisory disclosed dwell times of at least five years inside some environments. The KV-botnet running on compromised home and small business routers was disrupted by FBI court order the same month.

Volt Typhoon was the dwell-time argument turned into a national security headline.

Detection Signals

Because there is no malware, EDR signatures are not the answer. Behavioral baselining and identity telemetry are.

  • ntdsutil execution on domain controllers outside scheduled backup windows
  • Repeated wmic process create or PowerShell remoting from non-admin workstations
  • VPN authentications from SOHO-router IP ranges (residential ISPs in unusual geographies)
  • Long-lived sessions on Fortinet, Ivanti, or Cisco edge devices with no associated patch level update
  • Anomalous schtasks or service installations using legitimate Windows binaries

Defensive Controls

CISA's guidance for Volt Typhoon is the cleanest playbook publicly available for living-off-the-land defense. The summary is harsh: most OT-adjacent IT environments do not have the logging required to find this actor.

  1. Patch internet-exposed edge devices (Fortinet, Ivanti, Cisco, Palo Alto, Citrix) on a same-week SLA. Subscribe to the CISA KEV catalog.
  2. Centralize Windows command-line logging (Process Creation, PowerShell ScriptBlock, Sysmon) with at least 12 months of retention.
  3. Apply LSA Protection (RunAsPPL) and Credential Guard on every domain controller and admin workstation.
  4. Inventory and replace end-of-life SOHO equipment in any path between corporate IT and OT/ICS networks.
  5. Hunt proactively against the CISA Volt Typhoon advisory IOCs and behavioral analytics. Assume presence and prove absence.
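To show how steps 1 and 4 become a recurring check rather than a one-off, here is an added Python example (not BIPI's tooling and not CISA's catalog format) that scores an edge-device inventory against KEV-style entries on a same-week SLA and flags end-of-life devices sitting on an IT/OT path. The CVE identifiers, firmware versions, device names and dates are constructed placeholders; a real run would load the KEV JSON feed and the device inventory instead.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SLA_DAYS = 7  # the "same-week" SLA from step 1


@dataclass(frozen=True)
class KevEntry:
    cve_id: str      # placeholder ids below, not real CVE numbers
    vendor: str
    product: str
    date_added: date
    fixed_in: str    # lowest firmware version carrying the fix (constructed)


@dataclass(frozen=True)
class EdgeDevice:
    name: str
    vendor: str
    product: str
    firmware: str
    end_of_life: bool
    bridges_ot: bool  # sits on a path between corporate IT and OT/ICS (step 4)


def version_tuple(v: str):
    """Dotted version string to a comparable tuple ('7.2' > '7.0.14' holds)."""
    return tuple(int(p) for p in v.split("."))


def assess(devices, kev, today):
    """Return (device, finding) pairs: EOL devices and unpatched KEV entries with SLA status."""
    findings = []
    for d in devices:
        if d.end_of_life:
            scope = " on IT/OT path" if d.bridges_ot else ""
            findings.append((d.name, f"end-of-life{scope}: replace"))
        for k in kev:
            if (k.vendor, k.product) != (d.vendor, d.product):
                continue
            if version_tuple(d.firmware) >= version_tuple(k.fixed_in):
                continue  # already at or past the fixed version
            deadline = k.date_added + timedelta(days=SLA_DAYS)
            overdue = (today - deadline).days
            status = f"SLA breached by {overdue}d" if overdue > 0 else f"due in {-overdue}d"
            findings.append((d.name, f"{k.cve_id}: firmware {d.firmware} < {k.fixed_in}, {status}"))
    return findings


# Constructed sample data (placeholder identifiers and versions).
KEV = [
    KevEntry("CVE-0000-PLACEHOLDER-1", "fortinet", "fortios", date(2024, 2, 9), "7.0.14"),
    KevEntry("CVE-0000-PLACEHOLDER-2", "ivanti", "connect-secure", date(2024, 1, 10), "22.6.2"),
]
DEVICES = [
    EdgeDevice("fw-hq-01", "fortinet", "fortios", "7.0.12", end_of_life=False, bridges_ot=False),
    EdgeDevice("fw-plant-02", "fortinet", "fortios", "7.0.14", end_of_life=False, bridges_ot=True),
    EdgeDevice("vpn-01", "ivanti", "connect-secure", "22.5.1", end_of_life=False, bridges_ot=False),
    EdgeDevice("rv-branch-07", "cisco", "rv320", "1.5.1", end_of_life=True, bridges_ot=True),
]
TODAY = date(2024, 2, 14)

if __name__ == "__main__":
    for name, finding in assess(DEVICES, KEV, TODAY):
        print(f"{name}: {finding}")
```

Run against the sample inventory on the constructed date, fw-hq-01 is inside its SLA with two days left, vpn-01 is 28 days past it, fw-plant-02 is clean, and rv-branch-07 is reported for replacement because it is end-of-life and bridges into OT. Keeping the KEV date_added as the clock start, rather than the day the team noticed, is what makes the SLA honest.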

Volt Typhoon is the most important threat intelligence story of the last two years, and it has almost nothing to do with malware. The defense is logging, patching, and the discipline to assume the adversary is already inside. That is uncomfortable, but it is the standard the critical infrastructure sector now has to meet.
