Volt Typhoon and the Quiet Pre-Positioning of the U.S. Power Grid
By Patrick Miller
Volt Typhoon represents a quiet but strategic cyber threat to U.S. electric utilities, characterized by long-term access and persistence rather than immediate disruption. Rather than deploying malware, the actor relies on legitimate administrative tools to maintain durable access inside critical infrastructure networks. This blog examines what makes Volt Typhoon different and why early detection depends on behavioral context, not signatures.
Overview
Over the past several years, U.S. and allied intelligence agencies have been unusually direct about a single cyber threat actor. Known publicly as Volt Typhoon, this People’s Republic of China state-sponsored group represents a fundamentally different category of risk for critical infrastructure owners and operators, particularly electric utilities.
Notably, the absence of publicly confirmed disruptive events has contributed to a false sense of security across parts of the sector. This quiet period should not be interpreted as reduced risk; it reflects an adversary deliberately prioritizing access and readiness over immediate action.
Unlike ransomware crews or espionage-focused advanced persistent threats, Volt Typhoon is not optimized for immediate disruption, financial gain, or data theft. Instead, its activity reflects deliberate, patient pre-positioning inside U.S. critical infrastructure networks. The objective is not speed. It is access, persistence, and optionality. This distinction matters.
What Makes Volt Typhoon Different
In joint advisories issued by the National Security Agency, Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and international partners, Volt Typhoon is described as an actor preparing the cyber terrain for potential future conflict. The group has been observed compromising U.S. critical infrastructure organizations and maintaining long-dwell access designed to survive normal defensive activity.
Importantly, public reporting has not linked Volt Typhoon to confirmed disruptive or destructive cyber-physical events to date. That absence should not be reassuring. Government assessments are explicit that this activity is assessed to enable disruption or destruction of critical services in the event of heightened geopolitical tension or military conflict. This places Volt Typhoon in a category closer to strategic deterrence and coercion than traditional cybercrime.
Congressional testimony and joint government assessments have emphasized that this activity is designed to enable movement from enterprise IT environments toward operational systems when conditions warrant.
Not a Single Actor, but Rather an Operational Model
A growing body of analysis from government agencies and multiple security firms suggests that Volt Typhoon, and related activity often described as Salt Typhoon, is best understood not as a single “hands-on-keyboard” adversary but as a coordinated operational construct. Multiple specialized teams appear to work collaboratively, and at times sequentially, across the same operations. These teams perform specialized functions, much like military units or shift-based operational crews.
This interpretation aligns with independent analysis that treats Volt Typhoon as a campaign model rather than a discrete incident, including assessment by Joe Slowik at Dataminr that emphasizes modular access, persistence, and future risk over singular events.
Observed activity suggests a modular approach. One unit may focus on initial access, often through internet-facing infrastructure or trusted third parties. Another may establish persistence, hardening access paths or repeating configuration changes without full awareness of what previous teams have already accomplished. Still others may focus on internal discovery, credential access, or data staging. The same environment may be touched repeatedly by different operators over time.
This helps explain behaviors that can otherwise seem inconsistent or redundant. Repeated enumeration, duplicated persistence mechanisms, or re-execution of actions that appear already completed are not necessarily mistakes. They are artifacts of handoff-based operations, where multiple teams work against the same target with limited or indirect coordination.
Crucially, this model also explains why Volt Typhoon activity often blends into normal operations. Modular teams relying on legitimate tools and credentials can rotate in and out of environments without triggering obvious alarms. The operation persists even as individual operators change.
For defenders, the implication is significant. There is no single boogeyman to remove. Disrupting one access path or evicting one operator does not end the campaign if other footholds remain. Effective defense requires identifying and dismantling the operational scaffolding itself, including access paths, credential exposure, and trust relationships that enable repeated re-entry.
Living Off the Land as a Strategic Choice
One of the defining characteristics of Volt Typhoon is its near-exclusive reliance on living off the land techniques. Rather than deploying custom malware, the group abuses legitimate administrative tools that already exist in enterprise environments.
These include PowerShell, Windows Management Instrumentation, netsh, ntdsutil, built-in credential handling mechanisms, and standard remote administration protocols. When additional tooling is used, it is often open-source and lightly modified, such as Fast Reverse Proxy or Impacket-based utilities. In practice, this tradecraft is tightly coupled with credential access and reuse, allowing operators to blend into legitimate administrative activity and persist without triggering traditional alerts.
This approach minimizes malware artifacts and signature-based detection, blends malicious activity with routine system administration, and exploits gaps in logging and visibility that are common in both IT and OT-adjacent environments.
From a defender perspective, this means that traditional controls centered on malware detection are insufficient. Detection depends on behavioral analysis, context, and correlation across identity, endpoint, and network activity.
Why Electric Utilities Are a Priority Target
Government advisories and independent analysis consistently identify the electric sector as a priority target for Volt Typhoon activity. This does not imply confirmed compromise of operational technology environments. It does indicate sustained access to enterprise networks with proximity to systems that support generation, transmission, and distribution operations.
Electric utilities present a uniquely attractive target set:
- High consequence outcomes from disruption
- Complex IT and OT interdependencies
- Legacy systems that cannot always be patched or instrumented
- Operational imperatives that favor availability over aggressive security controls
Even absent direct OT manipulation, prolonged access to identity systems, network infrastructure, and backup environments creates meaningful operational risk.
The Real Detection Challenge
Volt Typhoon does not “break in loudly.” Instead, defenders should expect activity patterns that are subtle and slow:
- Credential harvesting followed by legitimate account use
- Administrative tools executed from unusual systems or at unusual times
- Port forwarding and proxying using built-in networking features
- Targeting of domain controllers, backup systems, and management infrastructure
- Selective log manipulation rather than wholesale deletion
None of these actions are inherently malicious in isolation. The risk emerges when they occur in sequence, out of baseline context, or in combinations inconsistent with normal operations.
This is why many government advisories emphasize logging depth, centralized log retention, and long historical visibility. Without these foundations, organizations may simply lack the data required to detect Volt Typhoon activity even if it is occurring.
A persistent adversary does not require constant activity to remain effective. Long-dwell access enables attackers to wait for moments of heightened operational stress, reduced staffing, or widespread vulnerability disclosure, and act faster than defenders can respond. In this model, post-incident and post-event analysis becomes as important as real-time detection.
A Shift in Defensive Thinking
Defending against Volt Typhoon requires a shift away from threat models built around rapid exploitation and obvious payloads. Instead, organizations should assume:
- Initial access may already exist
- Adversaries may be using valid credentials
- Activity may be indistinguishable from legitimate administration without context
This drives a different set of priorities:
- Comprehensive logging of identity, process execution, and network activity
- Baseline development for administrative behavior
- Monitoring for abuse of legitimate tools rather than presence of malware
- Strong controls around perimeter devices and remote access infrastructure
- Segmentation and monitoring between IT and OT environments
These priorities do not represent new security concepts, but they demand renewed emphasis when facing an adversary optimized for patience rather than speed. For many utilities, the challenge is not awareness of these practices, but deciding where limited resources can most effectively reduce real operational risk. Limited cybersecurity staffing, competing operational priorities, aging infrastructure, and finite budgets all shape what is realistically achievable. The intent of current government and industry guidance is not to imply universal maturity, but to help utilities prioritize the controls that most directly reduce exposure to long-dwell, credential-based intrusions.
Host and Endpoint Indicators Worth Paying Attention To
Because Volt Typhoon relies almost entirely on legitimate administrative tools, host-based detection is less about identifying bad software and more about recognizing unexpected use of trusted utilities. Think more along the lines of “recognizing inconsistent operational patterns” instead of “spotting anomalies.” The table below highlights examples of tools frequently cited in government advisories and what constitutes suspicious use in practice.
These examples are not exhaustive indicators of compromise, but representative behaviors that gain significance when observed over time or in combination.
| Tool or Capability | Behavior That Warrants Scrutiny | Why It Matters |
|---|---|---|
| PowerShell | Encoded or obfuscated commands, credential access, registry modification, or network enumeration executed outside normal maintenance windows | PowerShell is widely used by administrators and attackers alike; context and timing are critical for distinguishing misuse |
| Windows Management Instrumentation (WMIC) | System, disk, or network enumeration followed by credential activity or lateral movement | WMIC enables remote command execution and discovery with limited default logging |
| netsh | Creation of port proxy rules or firewall changes not tied to documented operational needs | Port forwarding can be used to covertly tunnel command-and-control traffic through trusted hosts |
| ntdsutil and Volume Shadow Copy | Creation of Active Directory database backups or shadow copies outside approved backup processes | Access to NTDS.dit effectively compromises the entire domain |
| Command Prompt (cmd.exe) | Spawned by unusual parent processes or used to chain multiple administrative commands | Attackers frequently use cmd.exe as a control layer for living off the land activity |
| Impacket-based utilities | WMI or SMB execution patterns originating from unexpected systems or service accounts | Impacket enables lateral movement and credential reuse without deploying traditional malware |
| 7-Zip and compression utilities | Compression of system files, backups, or directories not normally archived | Often used to stage data for exfiltration prior to removal from the environment |
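As an added example (not code from the original post, and not Ampyx Cyber's tooling), the following Python sketch ties the table above to the point made in the detection section: none of these tool uses is conclusive alone, but several of them on one host, inside a window, and outside the organization's own baseline, is what deserves an analyst's attention. It classifies process-creation command lines into the behaviour categories from the table, attaches context flags from a baseline (approved administrative hosts, an assumed 02:00 to 05:00 maintenance window, expected parent processes), and raises a finding only when a host accumulates two or more distinct categories with at least one out-of-baseline flag within 24 hours. The regexes, baseline values, host names and log lines are all constructed assumptions for illustration, not advisory indicators.

```python
"""Constructed example: classify living-off-the-land command lines and
correlate them per host inside a time window. Not the blog's or Ampyx Cyber's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line shapes distilled from the table above (assumed patterns, not IOCs).
PATTERNS = {
    "encoded_powershell": re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I),
    "wmi_enumeration": re.compile(r"\bwmic(\.exe)?\b.*\s(/node:|process\s+call\s+create|logicaldisk|computersystem|nicconfig)", re.I),
    "portproxy": re.compile(r"\bnetsh(\.exe)?\b.*\binterface\s+portproxy\s+add\b", re.I),
    "ntds_dump": re.compile(r"(\bntdsutil(\.exe)?\b.*\bifm\b|\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b)", re.I),
    "staging": re.compile(r"\b7z(a|r)?(\.exe)?\b.*\s(a|u)\s.*\.(zip|7z|rar)\b", re.I),
}

# Constructed baseline: what "normal administration" looks like in this fictional utility.
BASELINE = {
    "admin_hosts": {"WS-ADM-01", "WS-ADM-02"},
    "maintenance_hours": (2, 5),          # approved window, 02:00-05:00 local
    "expected_parents": {"explorer.exe", "services.exe", "mmc.exe", "cmd.exe", "powershell.exe"},
}


def ev(ts, host, user, parent, cmd):
    """Build a minimal process-creation record (Sysmon EID 1 / 4688-like fields)."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "parent": parent, "cmd": cmd}


# Constructed log lines: one routine backup shadow on an admin workstation, and a
# chain of tool uses on a file server that is not an approved admin host.
EVENTS = [
    ev("2024-03-02T03:10:00", "WS-ADM-01", "admin.j", "explorer.exe", r"vssadmin.exe create shadow /for=C:"),
    ev("2024-03-02T03:25:00", "WS-ADM-01", "admin.j", "explorer.exe", r"powershell.exe -NoProfile -File C:\ops\backup-verify.ps1"),
    ev("2024-03-09T13:42:00", "FILESRV-07", "svc-backup", "cmd.exe",
       "netsh.exe interface portproxy add v4tov4 listenport=9443 connectport=443 connectaddress=10.0.0.5"),
    ev("2024-03-09T13:50:00", "FILESRV-07", "svc-backup", "cmd.exe", "powershell.exe -nop -w hidden -EncodedCommand ZgBvAG8A"),
    ev("2024-03-09T14:05:00", "FILESRV-07", "svc-backup", "cmd.exe", "wmic.exe computersystem get domain,name"),
    ev("2024-03-10T09:30:00", "FILESRV-07", "svc-backup", "cmd.exe", r"7z.exe a D:\temp\export.zip D:\temp\ntds"),
]


def classify(cmd):
    """Return the behaviour categories a command line matches (possibly none)."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmd)]


def context_flags(event, baseline):
    """Context is what separates admin work from misuse: host, time, parent process."""
    flags = []
    if event["host"] not in baseline["admin_hosts"]:
        flags.append("unexpected_host")
    start, end = baseline["maintenance_hours"]
    if not (start <= event["ts"].hour < end):
        flags.append("outside_maintenance_window")
    if event["parent"].lower() not in baseline["expected_parents"]:
        flags.append("unusual_parent")
    return flags


def correlate(events, baseline, window=timedelta(hours=24)):
    """Raise one finding per host when >= 2 categories and >= 1 flag occur within `window`."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        cats = classify(e["cmd"])
        if cats:
            by_host[e["host"]].append((e, cats, context_flags(e, baseline)))
    findings = []
    for host, hits in by_host.items():
        for i, (first, _, _) in enumerate(hits):
            chain = [h for h in hits[i:] if h[0]["ts"] - first["ts"] <= window]
            cats = {c for _, cs, _ in chain for c in cs}
            flags = {f for _, _, fs in chain for f in fs}
            if len(cats) >= 2 and flags:
                findings.append({"host": host, "start": first["ts"], "categories": sorted(cats),
                                 "flags": sorted(flags), "events": len(chain)})
                break  # the first qualifying chain on a host is enough to open a case
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS, BASELINE):
        print(f"{f['host']}: {f['events']} events from {f['start']} -> {f['categories']} {f['flags']}")
```

On the constructed data the admin workstation's in-window shadow copy produces no finding, while the file server is flagged with four categories and two context flags. The design point is that the baseline (which hosts, which hours, which parents) carries as much weight as the tool patterns; in a real deployment it would be derived from historical telemetry rather than typed in as constants.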
Looking Ahead
Volt Typhoon should be understood as a long-duration strategic risk, not a discrete incident to be detected and closed. For many electric utilities, addressing this risk must occur alongside real constraints on staffing, budgets, and operational capacity. The objective is not immediate perfection, but steady reduction of the access paths and conditions that enable persistent, state-sponsored presence.
This reality demands a serious shift in how defensive priorities are set.
Utilities should assume that traditional malware-focused defenses are insufficient on their own. Volt Typhoon’s reliance on legitimate administrative tools means detection hinges on visibility, context, and correlation. Organizations that lack centralized logging, long log retention, and behavioral baselines are unlikely to identify this activity even if it is present.
Perimeter and identity systems deserve renewed scrutiny. Government advisories consistently emphasize exploitation of internet-facing devices and abuse of valid credentials as foundational to Volt Typhoon operations. Utilities should prioritize aggressive patching of edge devices, restrict administrative access paths, and apply strong authentication controls to all privileged accounts, particularly those used for remote access.
Host and endpoint monitoring must focus on how tools are used, not simply which tools are present. The behaviors outlined earlier in this blog are not exotic or rare. They are familiar administrative actions that become risky when they occur outside expected patterns. Utilities should invest in baselining normal administrative activity and detecting deviations rather than chasing static indicators.
IT and OT environments cannot be treated as independent security domains. Even when operational systems are not directly compromised, prolonged access to enterprise networks creates indirect operational risk through shared identity services, management infrastructure, and support systems. Segmentation, monitored interfaces between IT and OT, and clearly defined trust boundaries are essential.
Preparedness should extend beyond detection. Utilities should validate that incident response plans account for long-dwell, credential-based intrusions and that leadership understands the implications of pre-positioned access. Exercises should test scenarios where the adversary is already inside the environment rather than focusing solely on initial breach.
Volt Typhoon represents a narrow but important window of opportunity. Organizations that invest now in visibility, disciplined operations, and architectural resilience are far better positioned than those that wait for confirmation in the form of disruption. Silence, in this case, reflects an adversary preserving options and choosing when, not whether, to act.
From Awareness to Action: A Deeper Look
This blog is intended to raise awareness of how Volt Typhoon operates and why its lack of visible disruption should not be mistaken for low risk. For organizations looking to move beyond awareness and into practical action, Ampyx Cyber has published a companion whitepaper that goes deeper.
The whitepaper expands on the operational model behind Volt Typhoon, explains why traditional security assumptions fall short, and outlines concrete steps utilities can take to reduce exposure. It is written for security leaders and operational stakeholders who need to translate threat intelligence into defensible priorities, realistic investments, and measurable improvements.
Recognizing that this topic also requires clear communication at the executive and board level, Ampyx Cyber has also developed a concise executive brief. The brief is designed to help security leaders frame this risk in plain language for senior leadership, align expectations, and support informed decision-making.
If this blog raises questions about whether your organization has sufficient visibility, resilience, or preparedness for long-dwell threats, these materials are intended to help answer them.
Download the detailed whitepaper here (direct link).
Download the executive brief here (direct link).