Volt Typhoon
Chinese state-sponsored · Pre-positioning / espionage
Tactics, Techniques & Procedures (TTPs)
- Living off the land (LOTL) — avoids custom malware
- SOHO/edge device compromise (routers, firewalls)
- Operational Relay Box (ORB) networks for traffic obfuscation
- Credential harvesting via built-in OS tools
- OT/ICS network access via IT pivot
- Long-duration, stealthy persistence (months to years)
Known Targets
Analyst Notes
Assessed by CISA, NSA, NCSC, and Five Eyes partners as focused on pre-positioning for potential disruptive attacks on critical national infrastructure (CNI) rather than immediate intelligence collection.
Also Known As
Intelligence Reports
NCSC Warns: Volt Typhoon Reconnaissance Extends to Tier 2 UK Government Suppliers
Intelligence confirms Volt Typhoon pre-positioning activity has moved beyond primary CNI operators into the Tier 2 supplier networks that service UK central government and defence. Smaller suppliers with privileged access to government systems are now directly in scope.
Volt Typhoon Activity Confirmed Across UK Water and Energy OT Networks
NCSC and Five Eyes partners have confirmed Volt Typhoon intrusions into operational technology networks in UK water treatment and regional energy distribution. The group is not causing disruption — it is waiting.
Volt Typhoon: The Long Game in Western Critical Infrastructure
A deep analysis of Volt Typhoon's objectives, methods, and targets — and what the sustained Chinese pre-positioning campaign in Western CNI means for how operators, regulators, and governments need to respond.