A joint advisory from NCSC, CISA, and Five Eyes partners has confirmed that Volt Typhoon — a Chinese state-sponsored threat actor — has achieved persistent access inside operational technology (OT) networks at several UK water treatment facilities and regional electricity distribution operators.
The intrusions are not accidents of opportunity. This is deliberate, patient pre-positioning.
What Has Been Found
Volt Typhoon did not enter these networks through the corporate IT estate. They came through internet-facing operational equipment: engineering workstations, remote access points for SCADA systems, and in two confirmed cases, poorly segmented historian servers that bridged the IT and OT environments.
Once inside, the group used only tools already present on the target systems, the operating system's own shells, administration utilities and remote management features — a technique known as “living off the land.” No custom malware was deployed. Because the activity consisted of legitimate binaries run under legitimate accounts, signature-based tooling had nothing to match. They moved slowly, established persistent access, and left almost no forensic trail. In several cases, access is believed to have been maintained for over twelve months before detection.
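To make the detection problem concrete, here is an added example (not code from the advisory or from the page's authors) of the kind of hunt a defender can run over Windows process-creation records exported from engineering workstations and historians. It reduces each event to one tab-separated line and flags command lines that use built-in tools for port forwarding, credential extraction, remote execution and log clearing. The sample events are constructed, and the command patterns are assumptions drawn from widely documented living-off-the-land tradecraft rather than indicators taken from the advisory; the point is that the signal is the unusual use of ordinary tools, and in particular a chain of such uses on one host under one account.

```python
"""Hunt for living-off-the-land activity in Windows process-creation events.

Added example for this page, not code from the advisory it summarises.
Input: Security event 4688 (or Sysmon event 1) data reduced to one
tab-separated line per event: timestamp, host, account, parent image,
command line. The events below are constructed; the command patterns are
assumptions drawn from widely documented LOTL tradecraft, not indicators
published in the advisory.
"""
import re
from collections import defaultdict

# Each rule: name, regex over the command line, why it matters.
RULES = [
    ("netsh_portproxy",
     re.compile(r"\bnetsh(\.exe)?\b.*\bportproxy\b.*\badd\b", re.I),
     "built-in port forwarding: a pivot or relay without dropping a tool"),
    ("ntdsutil_ifm",
     re.compile(r"\bntdsutil(\.exe)?\b.*\b(ifm|snapshot)\b", re.I),
     "offline copy of the AD database (credential material)"),
    ("reg_hive_save",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I),
     "registry hive dump (credential material)"),
    ("wmic_remote_exec",
     re.compile(r"\bwmic(\.exe)?\b.*/node:\S+.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I),
     "remote process creation over WMI (lateral movement)"),
    ("wevtutil_clear",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
     "event log clearing (anti-forensics)"),
]

# Constructed sample: an engineer's normal day on a workstation, plus a
# service account working through a historian in the small hours.
SAMPLE_EVENTS = """\
2024-03-12T01:02:11Z\tENG-WS-03\tSITE\\jsmith\tnotepad.exe\t"C:\\Windows\\System32\\notepad.exe" C:\\plc\\pump_logic.txt
2024-03-12T02:14:07Z\tENG-WS-03\tSITE\\svc_hist\tcmd.exe\tnetsh interface portproxy add v4tov4 listenport=9443 listenaddress=0.0.0.0 connectport=443 connectaddress=10.20.0.15
2024-03-12T02:16:40Z\tHIST-01\tSITE\\svc_hist\tcmd.exe\tntdsutil "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\x" q q
2024-03-12T02:17:03Z\tHIST-01\tSITE\\svc_hist\tcmd.exe\treg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv
2024-03-12T02:20:55Z\tHIST-01\tSITE\\svc_hist\tcmd.exe\twmic /node:10.30.1.22 process call create "cmd.exe /c whoami"
2024-03-12T02:31:09Z\tHIST-01\tSITE\\svc_hist\tcmd.exe\twevtutil cl Security
2024-03-12T08:45:12Z\tENG-WS-03\tSITE\\jsmith\texplorer.exe\t"C:\\Program Files\\Vendor\\Engineering.exe"
"""


def parse_events(text):
    """Split the reduced log into dicts. The command line may contain
    anything, so split on at most four tabs and keep the rest intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, parent, cmdline = line.split("\t", 4)
        events.append({"ts": ts, "host": host, "account": account,
                       "parent": parent, "cmdline": cmdline})
    return events


def hunt(events):
    """Return one finding per (event, matching rule), in event order."""
    findings = []
    for ev in events:
        for name, pattern, why in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({**ev, "rule": name, "why": why})
    return findings


def chains(findings):
    """Group hits by (host, account). A single hit may be an administrator
    doing their job; several distinct techniques in sequence under one
    account is the pattern worth escalating."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[(f["host"], f["account"])].append(f["rule"])
    return dict(grouped)


if __name__ == "__main__":
    hits = hunt(parse_events(SAMPLE_EVENTS))
    for f in hits:
        print(f"{f['ts']} {f['host']} {f['account']} [{f['rule']}] {f['why']}")
    for (host, account), rules in chains(hits).items():
        print(f"{host} / {account}: {len(rules)} technique(s): {', '.join(rules)}")
```

Run it against exported 4688 or Sysmon data after collapsing each event to the same five fields, and tune the rule set to the host's role: a port proxy on a jump host may be routine, while the same command on a PLC engineering workstation rarely is.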
The intent is not theft of data. Volt Typhoon does not deploy ransomware or exfiltrate commercial secrets. The strategic purpose, assessed with high confidence by intelligence partners, is to pre-position for potential disruption of critical services during a future geopolitical crisis — whether a conflict over Taiwan, economic escalation, or another trigger event.
Why This Matters to Your Organisation
If you operate, manage, or depend on UK water treatment or regional energy distribution infrastructure, the message from this advisory is stark: assume you may already be compromised at a level below your current detection capability.
For business leaders, this raises several immediate questions:
- Do you have visibility into your OT environment at a level comparable to your IT estate?
- Are your industrial control systems segmented from your corporate network, and has that segmentation been tested?
- Do you have a tested incident response plan that covers OT disruption, not just IT ransomware?
Most organisations that have been compromised did not know until someone else told them.
The Broader Picture
Volt Typhoon is not a unique problem. It is the visible expression of a doctrine being applied across Western critical infrastructure by multiple state actors. Russia’s Sandworm group has demonstrated willingness to use pre-positioned OT access to cause physical disruption — cutting power to parts of Ukraine in December 2015 and December 2016. China, assessed as more cautious in current conditions, appears to be building the same capability as leverage.
Immediate Actions
Organisations in affected sectors should, as a priority:
- Conduct an OT asset inventory and identify all internet-facing industrial systems
- Audit remote access pathways into OT environments, including legacy VPN and SCADA remote access points
- Review authentication on engineering workstations — default credentials remain a common entry point
- Engage NCSC’s Early Warning service if not already subscribed
- Run a tabletop exercise covering a scenario in which OT systems are inaccessible or producing unreliable data
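As an added example (not from the advisory or the page's authors), the following Python triages an exported asset inventory against the first three items above: it marks industrial protocol and remote access services reachable from addresses outside the site's documented ranges, hosts with interfaces in both the corporate and OT zones, and hosts still on vendor default credentials. The inventory rows, the zone address plan, the port-to-protocol tables and the `default_creds` column are all constructed assumptions about how a site might record its estate.

```python
"""Triage an OT asset inventory for the exposures in the checklist above.

Added example for this page, not from the advisory. The inventory rows,
the site address plan, the port tables and the `default_creds` column are
constructed assumptions about how a site might record its estate.
"""
import csv
import io
import ipaddress

# Assumed site address plan. Any interface outside these ranges is treated
# as "external": reachable from outside the site until proven otherwise.
# (ipaddress.is_global is deliberately not used: the RFC 5737 documentation
# addresses in the sample are classed as non-global and would be missed.)
ZONES = {
    "corporate": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz": [ipaddress.ip_network("10.20.0.0/24")],
    "ot": [ipaddress.ip_network("10.30.0.0/16"),
           ipaddress.ip_network("192.168.100.0/24")],
}

# Assumed default ports for common industrial and remote-access protocols.
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA",
             20000: "DNP3", 44818: "EtherNet/IP", 47808: "BACnet"}
REMOTE_ACCESS_PORTS = {22: "SSH", 1723: "PPTP VPN", 3389: "RDP", 5900: "VNC"}

# Constructed inventory export: interfaces and ports are ';'-separated.
INVENTORY_CSV = """\
hostname,role,interfaces,open_ports,default_creds,last_reviewed
HIST-01,historian,10.10.5.20;10.30.1.20,1433;443,no,2023-11-02
ENG-WS-03,engineering workstation,10.30.1.33,3389,yes,2022-06-15
RTU-WEST-7,rtu,203.0.113.45,502;80,yes,
SCADA-RA-01,remote access gateway,10.20.0.15;198.51.100.9,443;1723,no,2024-01-19
PLC-PUMP-2,plc,10.30.2.11,102;502,unknown,2023-11-02
"""

SEVERITY = {"critical": 0, "high": 1, "medium": 2}


def zone_of(ip):
    """Map an interface address to a site zone, or 'external' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "external"


def parse_inventory(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["interfaces"] = [i for i in row["interfaces"].split(";") if i]
        row["open_ports"] = [int(p) for p in row["open_ports"].split(";") if p]
        rows.append(row)
    return rows


def triage(rows):
    """Return (hostname, severity, reason) tuples, most severe first."""
    findings = []
    for r in rows:
        host = r["hostname"]
        zones = {zone_of(ip) for ip in r["interfaces"]}
        ics = [ICS_PORTS[p] for p in r["open_ports"] if p in ICS_PORTS]
        remote = [REMOTE_ACCESS_PORTS[p] for p in r["open_ports"]
                  if p in REMOTE_ACCESS_PORTS]
        # Internet-facing industrial systems (checklist item 1).
        if "external" in zones and ics:
            findings.append((host, "critical",
                             "industrial protocol reachable from outside the site: " + ", ".join(ics)))
        # Remote access pathways into OT, including legacy VPN (item 2).
        if "external" in zones and remote:
            findings.append((host, "high",
                             "remote access reachable from outside the site: " + ", ".join(remote)))
        # A host with a foot in both corporate and OT zones is a bridge.
        if {"corporate", "ot"} <= zones:
            findings.append((host, "high",
                             "interfaces in both corporate and OT zones (IT/OT bridge)"))
        # Authentication on engineering workstations and devices (item 3).
        if r["default_creds"] == "yes":
            findings.append((host, "high", "vendor default credentials in use"))
        elif r["default_creds"] != "no":
            findings.append((host, "medium", "credential state unknown; verify on the device"))
        if not r["last_reviewed"]:
            findings.append((host, "medium", "no review date recorded"))
    return sorted(findings, key=lambda f: SEVERITY[f[1]])


if __name__ == "__main__":
    for host, sev, why in triage(parse_inventory(INVENTORY_CSV)):
        print(f"{sev:8} {host:12} {why}")
```

The "external" bucket is intentionally strict: an address the inventory cannot place in a documented zone is a gap in the asset register as much as a possible exposure, and both need an owner before the segmentation test in the questions above can mean anything.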
The NCSC advisory and associated indicators of compromise are available through the NCSC portal for qualifying organisations.