Threat Intelligence

Volt Typhoon: Critical Infrastructure Supply Chain

Volt Typhoon is pre-positioning inside U.S. critical infrastructure using living-off-the-land tradecraft and third-party access. Here is what defenders should do about it.

Shadab Khan
Security Engineer
6 min read

What is Volt Typhoon and why should critical-infrastructure operators care?

Volt Typhoon is the Microsoft-assigned name for an activity cluster that CISA, NSA, FBI, and Five Eyes partners have publicly attributed to PRC state-sponsored actors. In May 2023, Microsoft's initial blog post described the group targeting U.S. critical infrastructure sectors, particularly those in Guam, using living-off-the-land techniques. In February 2024, CISA, NSA, FBI, and partners published joint advisory AA24-038A, which sharpened the picture considerably: Volt Typhoon has pre-positioned inside U.S. critical infrastructure networks, including communications, energy, transportation systems, and water and wastewater, to enable disruptive cyber operations in the event of a major crisis or conflict.

The FBI Director publicly described the group as preparing to "wreak havoc" on U.S. infrastructure. That is unusual language from the FBI, and it should be read as unusual.

What makes Volt Typhoon's tradecraft different from criminal intrusions?

Answer first: intent and style. Criminal groups steal or extort; Volt Typhoon is measuring the switchboard for a rainy day.

The tradecraft hallmarks per the joint advisory and Microsoft reporting:

  • Living-off-the-land (LOTL) reliance. Volt Typhoon heavily prefers built-in Windows administrative utilities (wmic, ntdsutil, netsh, PowerShell) and Impacket-style tooling rather than bespoke malware. This evades most signature-based detection and much of the behavioral detection that is tuned to external tooling.
  • Compromise of SOHO routers and edge devices as proxy infrastructure. Reports from Lumen's Black Lotus Labs have described botnets of compromised Cisco, Netgear, and similar devices used as Volt Typhoon operational relays. Disruption of the "KV-botnet" was publicly announced in January 2024.
  • Extremely long dwell times (CISA reported five years in some environments) with minimal detectable activity.
  • Careful targeting of operational technology (OT) networks via IT-network pivots, but typically stopping short of destructive action so far.

The strategic posture is not theft. It is persistence.

Why is this a supply chain problem?

Because Volt Typhoon gets in through third parties and through edge equipment that sits in the supply chain of connectivity. Per public reporting:

  • Initial access has been observed through known vulnerabilities in internet-exposed appliances (Fortinet, Ivanti, Citrix, and other edge gear).
  • MSPs and IT service providers serving critical-infrastructure sectors are in-scope. An MSP with delegated admin rights into a utility is a natural entry point.
  • SOHO router compromises put the group's proxy infrastructure inside residential ISP space, making its traffic blend into normal background noise from the defender's perspective.

For a water utility or a regional ISP, "Volt Typhoon risk" includes the posture of every appliance vendor you buy from, every MSP that touches your OT-adjacent network, and every contractor with VPN credentials.

What controls meaningfully raise the cost of Volt Typhoon tradecraft?

Per CISA's guidance and what is plausible to implement:

  • Harden edge appliances aggressively. Maintain a KEV-list-priority patch cadence for Fortinet, Ivanti, Citrix, Cisco ASA, and similar. Replace out-of-support hardware, even when the budget argument is painful.
  • Eliminate or tightly control internet-exposed management interfaces. The admin web UI of an edge appliance should not be directly reachable from the internet. This advice is a decade old and still commonly ignored.
  • Monitor for LOTL patterns. Windows Event ID 4688 (process creation) with command-line auditing enabled, piped to a SIEM, is the single most valuable telemetry source for detecting Volt Typhoon-style activity. Add Sysmon for process-tree depth.
  • Restrict PowerShell and WMIC. Not through awareness training, but through constrained language mode, WDAC policies, and audited remote-administration workflows.
  • Segment OT from corporate IT with enforced flow controls, not just VLANs. The ICS-CERT guidance on Purdue-model zoning still matters.
  • Credential hygiene at the service-account layer. Volt Typhoon has been observed harvesting NTDS.dit and extracting credentials for lateral movement. Enforce LSA protection, Credential Guard, and reduce the number of accounts with domain-wide privilege.
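The LOTL hallmarks listed earlier and the 4688 command-line auditing recommended above come together in a detection rule. The following is an added example, not code from the original article or from any vendor: it reads JSON-flattened 4688 events, flags the built-in utilities named in this post, treats any ntdsutil start as high severity (its subcommands are typed interactively, so the command line rarely shows them), exempts a hypothetical audited remote-administration workflow (the `SANCTIONED` account/host pairs are an assumption), and reports a telemetry gap when an event arrives without a `CommandLine` field. The sample events are constructed, not real telemetry.

```python
"""Flag living-off-the-land utilities in Windows 4688 process-creation events."""
import json
from dataclasses import dataclass

# Built-in utilities the joint advisory and Microsoft reporting associate with Volt Typhoon.
LOTL_BINARIES = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}
# ntdsutil is the tool that copies NTDS.dit; it has no routine use outside domain-controller maintenance.
ALWAYS_HIGH = {"ntdsutil.exe"}
# Hypothetical audited remote-administration workflow: (account, host) pairs allowed to run admin tooling.
SANCTIONED = {("CORP\\adm-ops", "JUMP01"), ("CORP\\svc-patching", "JUMP01")}

@dataclass
class Finding:
    severity: str   # "gap", "medium" or "high"
    host: str
    account: str
    image: str
    reason: str

def parse_4688(line):
    """Parse one JSON-encoded event; returns None for anything that is not a 4688 record."""
    ev = json.loads(line)
    return ev if ev.get("EventID") == 4688 else None

def image_name(path):
    """Last path component, lower-cased, so C:\\Windows\\System32\\wbem\\WMIC.exe -> wmic.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(ev):
    image = image_name(ev.get("NewProcessName", ""))
    if image not in LOTL_BINARIES:
        return None
    host = ev["Computer"]
    account = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
    cmdline = ev.get("CommandLine", "")
    if not cmdline:
        # Telemetry gap: without command-line auditing, 4688 says a binary ran but not what it did.
        return Finding("gap", host, account, image,
                       "no CommandLine field; enable 'Include command line in process creation events'")
    if image in ALWAYS_HIGH:
        # Interactive ntdsutil takes its subcommands on stdin, so the process start itself is the signal.
        return Finding("high", host, account, image, f"ntdsutil executed: {cmdline}")
    if (account, host) in SANCTIONED:
        return None   # part of the audited workflow: logged, not alerted
    return Finding("medium", host, account, image, f"LOTL utility outside sanctioned workflow: {cmdline}")

def scan(lines):
    """Run every line through the parser and rule set; returns the findings in log order."""
    findings = []
    for line in lines:
        ev = parse_4688(line)
        if ev is not None and (f := evaluate(ev)) is not None:
            findings.append(f)
    return findings

# Constructed sample events (not real telemetry), already flattened from EVTX/XML into JSON.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 4688, "Computer": "JUMP01", "SubjectDomainName": "CORP", "SubjectUserName": "adm-ops",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic qfe list"},
    {"EventID": 4688, "Computer": "FILESRV02", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh interface show interface"},
    {"EventID": 4688, "Computer": "DC01", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\ntdsutil.exe", "CommandLine": "ntdsutil.exe"},
    {"EventID": 4688, "Computer": "WS-114", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 4624, "Computer": "WS-114", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe"},
    {"EventID": 4688, "Computer": "WS-114", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.account} {f.image}: {f.reason}")
```

The "gap" finding is the one most teams need first: a 4688 feed that lacks command lines looks like coverage on a dashboard but cannot distinguish `netsh interface show interface` from anything else netsh can do. The sanctioned-workflow exemption is what lets the rule survive in production; the point of the audited workflow in the text is that the exemption is narrow and itself logged.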

How do you detect five-year dwell?

You largely do not, retroactively, unless you have already retained telemetry that supports the hunt. Forward-looking, the defender's job is to make dwell expensive:

  • Keep authentication and network flow logs for at least 12 months, ideally longer for Tier 0 sources. Cloud blob storage of compressed logs is cheaper than many teams assume.
  • Baseline service-account behavior. An account that has historically issued 30 queries a day against a single database does not suddenly enumerate schema at 2 a.m.
  • Tag and monitor edge-device management sessions separately. Any RDP or SSH session that terminates on a router or firewall management plane is worth individual review.
  • Hunt for archives and compressed data staged in directories that match common exfil staging patterns. Low-volume, patient operators still need to stage data before moving it out.
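The service-account baselining bullet above is concrete enough to code. This is an added example, not the article's or any product's code: it builds a per-account baseline from the first fourteen days of a query audit log (daily volume, hours of activity, objects touched) and then flags any later day whose volume exceeds the baseline by more than three standard deviations, that is active in an hour never seen before, or that touches an object never seen before. The log format and the `svc-billing` account are constructed for the example; the one-query floor on the standard deviation is a design choice so that a perfectly regular account does not alert on a single extra query.

```python
"""Baseline a service account's query behaviour and flag days that deviate from it."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    db: str
    obj: str

def parse_line(line):
    """Constructed audit-log shape: '<ISO timestamp> <account> <database> <verb> <object>'."""
    ts, account, db, _verb, obj = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, db, obj)

@dataclass
class Baseline:
    daily_mean: float
    daily_std: float
    hours: set
    objects: set

def build_baseline(events):
    """Summarise the learning window: queries per day, hours seen, (db, object) pairs seen."""
    per_day = defaultdict(int)
    hours, objects = set(), set()
    for e in events:
        per_day[e.ts.date()] += 1
        hours.add(e.ts.hour)
        objects.add((e.db, e.obj))
    counts = list(per_day.values())
    return Baseline(mean(counts), pstdev(counts), hours, objects)

def evaluate_day(baseline, events):
    """Return the list of reasons one day's events deviate from the baseline (empty if none)."""
    reasons = []
    threshold = baseline.daily_mean + 3 * max(baseline.daily_std, 1.0)   # floor of one query
    if len(events) > threshold:
        reasons.append(f"volume {len(events)} exceeds baseline {baseline.daily_mean:.0f}/day")
    new_hours = sorted({e.ts.hour for e in events} - baseline.hours)
    if new_hours:
        reasons.append(f"activity in previously unseen hours {new_hours}")
    new_objects = sorted({(e.db, e.obj) for e in events} - baseline.objects)
    if new_objects:
        reasons.append(f"previously unseen objects {new_objects}")
    return reasons

def hunt(lines, baseline_days=14):
    """Return {account: [(date, reasons), ...]} for days after the learning window that deviate."""
    by_account = defaultdict(list)
    for e in map(parse_line, lines):
        by_account[e.account].append(e)
    results = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e.ts)
        cutoff = events[0].ts.date() + timedelta(days=baseline_days)
        baseline = build_baseline([e for e in events if e.ts.date() < cutoff])
        days = defaultdict(list)
        for e in events:
            if e.ts.date() >= cutoff:
                days[e.ts.date()].append(e)
        flagged = [(day, r) for day, evs in sorted(days.items()) if (r := evaluate_day(baseline, evs))]
        if flagged:
            results[account] = flagged
    return results

def _constructed_log():
    """Constructed sample: 14 quiet days for svc-billing, then a day with off-hours schema enumeration."""
    lines = []
    start = datetime(2024, 3, 1)
    for d in range(15):
        day = start + timedelta(days=d)
        n = 30 + (d % 3) - 1                       # 29..31 queries/day during business hours
        for i in range(n):
            ts = day.replace(hour=8 + i % 10, minute=i % 60)
            obj = "orders" if i % 2 == 0 else "invoices"
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} svc-billing billingdb SELECT {obj}")
        if d == 14:                                # the anomalous day: 40 queries at 02:00 against the catalogue
            for i in range(40):
                ts = day.replace(hour=2, minute=i)
                lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} svc-billing billingdb SELECT information_schema.tables")
    return lines

SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for account, flagged in hunt(SAMPLE_LOG).items():
        for day, reasons in flagged:
            print(account, day, "; ".join(reasons))
```

Three independent signals fire on the constructed day (volume, unseen hour, unseen object), which is the property you want: a patient operator can keep volume under the threshold, but staying inside the historical hours and object set as well is much harder. The baseline window is the reason the retention bullet matters; with no history retained there is nothing to baseline against.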

What about the MSP and vendor angle?

Several recommendations for operators who rely on third parties:

  • Inventory every external party with remote access. By name, by privilege, by route. Many critical-infrastructure operators have not done this in any actionable way. Start there.
  • Require phishing-resistant MFA and logged admin sessions from every MSP with access. "Our MSP says they do MFA" is not an audit.
  • Demand evidence of their detection coverage. If your MSP cannot describe their monitoring for the specific CISA-listed Volt Typhoon TTPs, you are trusting luck.
  • Build your own visibility into what they do. MSPs should not be the sole custodians of the audit logs describing their activity in your environment.

Is the threat limited to the United States?

No. Five Eyes partners (Canada, UK, Australia, New Zealand) have issued corroborating advisories. Western European critical infrastructure is plausibly in-scope, and allied reporting has described analogous activity. Organizations in sectors not obviously "critical" should not assume they are out of scope either; upstream vendors, industrial component suppliers, and logistics operators have historically been in the targeting path.

What should a 2026 executive-level ask look like?

At the board level, the right questions are not "are we patched." They are:

  • Do we know every external party with access into our OT-adjacent networks?
  • Have we verified, in the last 30 days, that our edge-appliance inventory is current and on supported firmware?
  • Can we reconstruct six months of identity and network telemetry right now?
  • Do we have an isolated-recovery plan that assumes adversarial pre-positioning inside our network?

If any of those answers is "we think so," the answer is no.

How Safeguard.sh Helps

Safeguard.sh maps your critical-infrastructure software and appliance supply chain against Volt Typhoon's documented tradecraft and infrastructure. We continuously assess the patch posture of your edge vendors, inventory external parties holding privileged access into OT-adjacent networks, correlate their security posture against PRC-nexus campaign activity, and flag changes that suggest pre-positioning risk. When a KEV-listed vulnerability hits an appliance category Volt Typhoon has used, your exposure surfaces in minutes with a mapped list of affected systems and vendors. Pre-positioning thrives on slow defender visibility; we accelerate it.
