Industry Analysis

Volt Typhoon: Living-Off-the-Land and Supply Chain

The PRC-linked pre-positioning group that scared DHS and the NSA into a public warning, and what it means for supply chain defenders.

Nayan Dey
Senior Security Engineer
6 min read

The first time I saw a Volt Typhoon case write-up cross my desk, I had to read the indicators twice. There were no commodity RATs, no Cobalt Strike beacons, no custom loaders. The attackers had logged in over RDP with valid credentials, used netsh, ntdsutil, and PowerShell's built-in cmdlets, exfiltrated the Active Directory database using ntdsutil snapshot, and cleared their Windows Event Logs on the way out. The dwell time was more than five years. It was, and remains, the cleanest intrusion I have personally reviewed, and that is exactly what makes Volt Typhoon worth taking seriously.

On May 24, 2023, Microsoft and the Five Eyes intelligence agencies jointly disclosed the group publicly. In January 2024, FBI Director Christopher Wray testified that Volt Typhoon had pre-positioned in U.S. water, energy, transportation, and communications sectors specifically "to wreak havoc and cause real-world harm to American citizens and communities." This is not a garden-variety APT disclosure. The U.S. government does not hold that kind of press conference about a phishing crew.

What the Group Is Actually Doing

Volt Typhoon — also tracked as Vanguard Panda, BRONZE SILHOUETTE, Insidious Taurus, and Voltzite — is attributed to Chinese state-sponsored activity with a specific operational mandate: gain and maintain persistent access to U.S. critical infrastructure operators, particularly in Guam and on the west coast, in order to disrupt those networks during a future conflict. That framing, stated bluntly in CISA advisory AA24-038A on February 7, 2024, is different from espionage. Espionage wants data. Pre-positioning wants a button it can push later.

The group's tradecraft is aggressively minimalist. Once inside, operators rely almost entirely on "living-off-the-land" binaries — wmic, PowerShell, netsh, ntdsutil, xcopy, ping, net, and reg — because these are signed Microsoft tools whose telemetry blends into normal IT operations. When custom tooling shows up, it tends to be a lightweight webshell like Awen, a reverse proxy like Fast Reverse Proxy (frp), or an Impacket Python script repackaged with minor modifications. Little of it reliably triggers signature-based detection, and most of it evades behavioral detection unless the analyst is looking specifically for anomalous administrative activity: a service account running ntdsutil on a domain controller at 3 a.m., or netsh adding a port proxy on a file server that has never needed one.

The SOHO Router Botnet

The part that is most relevant to supply chain defenders is how Volt Typhoon gets in. The group has repeatedly compromised end-of-life or unpatched small office / home office routers, chiefly Cisco RV320/RV325 and other Cisco small business models, Netgear ProSafe and DrayTek Vigor devices, and stitched them into covert transit networks. (Fortinet FortiGate appliances also appear in the group's intrusions, but as exploited entry points into the victim's own perimeter rather than as recruited proxies.) The compromised routers proxy operator traffic into target networks, so intrusions appear to originate from legitimate residential IP addresses inside the same geography as the victim.

In December 2023, the FBI conducted a court-authorized operation, announced by the Department of Justice on January 31, 2024, to disrupt the "KV-botnet," a Volt Typhoon-operated network of hundreds of compromised SOHO routers. A Lumen Black Lotus Labs analysis published December 13, 2023 and a follow-up in February 2024 traced how the botnet was used as the anonymizing infrastructure for intrusions into U.S. telecommunications and energy networks. The relevant CVEs — CVE-2019-1652 and CVE-2019-1653 on the Cisco RV320/RV325, CVE-2021-27860 on FatPipe WARP/IPVPN/MPVPN appliances, CVE-2023-1389 on the TP-Link Archer AX21, and various Fortinet and Cisco ASA flaws — are not new. They are just patched slowly enough, and deployed widely enough, that the botnet never runs out of fuel.

The supply chain angle here is embarrassingly mundane: the devices sitting between most organizations and the internet are themselves software products with their own vulnerabilities, their own end-of-life dates, and their own firmware update channels that virtually nobody audits.

Where Volt Typhoon Touches the Software Supply Chain

The group is not known for trojanizing build systems the way APT29 or Lazarus are, but they touch the supply chain in subtler ways.

First, they exploit edge and network device CVEs to land, including CVE-2024-39717 (a Versa Director zero-day disclosed by Black Lotus Labs on August 26, 2024 and attributed to Volt Typhoon with moderate confidence), CVE-2023-27997 (a heap overflow in the FortiOS SSL-VPN), and older Cisco IOS flaws. These are all supply chain products in the sense that the customer is running code written and shipped by a vendor, and the vendor's patch cadence, together with how quickly the customer applies it, determines the exposure window.

Second, they target managed service providers, ISPs, and telecom vendors as a springboard to customer environments. An MSP compromise lets an attacker pivot into dozens of downstream clients using trusted administrative tools — exactly the living-off-the-land playbook, extended across organizational boundaries.

Third, they abuse default credentials and outdated firmware on OT/IoT gateways. The May 2023 joint CSA listed a victim where Volt Typhoon operators had accessed human-machine interface (HMI) consoles through VPN credentials that had never been rotated after a vendor handoff. The "supplier risk" here is the security posture of the firm that installed and commissioned the equipment, not the vendor who manufactured it.

Detection Is Not Easy

The honest assessment is that detecting Volt Typhoon requires mature telemetry and deliberately tuned analytics. PowerShell script-block logging, process creation events with full command lines (Security Event ID 4688 or Sysmon Event ID 1) under a vetted Sysmon configuration such as Olaf Hartong's sysmon-modular or SwiftOnSecurity's sysmon-config, Event ID 4648 monitoring for explicit credential use, Event ID 4624 with logon type 10 for RDP sessions, and a baseline of what "normal" administrative activity looks like on each host: all of these are entry-level requirements, not advanced ones. Organizations that rely on signature-based EDR alone are unlikely to see the group.

On the network side, East-West traffic inspection matters more than North-South. Volt Typhoon's tradecraft generates almost no interesting external beaconing; what North-South signal exists is a valid VPN or RDP logon arriving from a residential IP address, which is precisely what the SOHO botnet is built to provide. What the group does generate is internal lateral movement that looks like a systems administrator working odd hours, which is exactly why behavioral baselining against working-hours and role-based patterns is so valuable.
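The following is an added example, not code from the article, CISA, or any vendor, showing what the detection logic described in this section and in the living-off-the-land discussion above looks like when written down. It walks a constructed list of Windows process-creation (Security 4688 / Sysmon 1) and logon (Security 4624) records, flags command lines matching the ntdsutil, reg, netsh, wmic, wevtutil and Impacket patterns the article names, and flags interactive logons outside a per-role working-hours baseline. The field names, the regexes and the baseline hours are assumptions standing in for a real log schema and a learned profile; the sample events are constructed.

```python
"""Detection pass for Volt Typhoon-style living-off-the-land activity.

Added example, not code from the article, CISA or any vendor. Field names,
regexes and the working-hours baseline are assumptions for illustration.
"""
import re
from datetime import datetime

# Each rule is (name, regex over the full command line). Hand-written for this
# example to approximate the techniques the article lists; they are not vendor
# signatures and will need tuning against your own admin tooling.
LOTL_RULES = [
    ("ntds_dump",        re.compile(r"\bntdsutil\b.*\b(ifm|snapshot)\b", re.I)),
    ("hive_dump",        re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("portproxy_pivot",  re.compile(r"\bnetsh\b.*\binterface\s+portproxy\s+add\b", re.I)),
    ("wmic_remote_exec", re.compile(r"\bwmic\b.*(/node:|process\s+call\s+create)", re.I)),
    ("log_clear",        re.compile(r"\bwevtutil(\.exe)?\s+cl\b|\bClear-EventLog\b", re.I)),
    # wmiexec/smbexec-style output redirection into ADMIN$ is a strong Impacket tell.
    ("impacket_exec",    re.compile(r"\bcmd(\.exe)?\s+/Q\s+/c\b.*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)),
]

# Hours during which interactive admin logons are expected (assumed baseline).
WORK_HOURS = {"admin": (7, 19)}
INTERACTIVE_LOGON_TYPES = {2, 10}  # 2 = console, 10 = RemoteInteractive (RDP)


def classify_command(cmdline):
    """Names of every LOTL rule the command line matches (empty if benign)."""
    return [name for name, rx in LOTL_RULES if rx.search(cmdline)]


def off_hours(ts, role):
    """True when an ISO-8601 timestamp falls outside the role's working hours."""
    start, end = WORK_HOURS.get(role, (0, 24))
    hour = datetime.fromisoformat(ts).hour
    return not (start <= hour < end)


def detect(events):
    """Return (timestamp, host, rule) findings in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            for rule in classify_command(ev["cmdline"]):
                findings.append((ev["ts"], ev["host"], rule))
        elif ev["type"] == "logon":
            if ev["logon_type"] in INTERACTIVE_LOGON_TYPES and off_hours(ev["ts"], ev["role"]):
                findings.append((ev["ts"], ev["host"], "off_hours_interactive_logon"))
    return findings


def hosts_with_chain(findings, minimum=2):
    """Hosts on which at least `minimum` distinct rules fired. One LOTL command
    is usually an admin; several different ones in one session rarely are."""
    per_host = {}
    for _, host, rule in findings:
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= minimum)


# Constructed sample: an overnight session using a valid backup service account,
# followed by a legitimate daytime disk check by the same account.
SAMPLE_EVENTS = [
    {"type": "logon", "ts": "2024-03-12T03:07:00", "host": "DC01", "user": "svc_backup",
     "role": "admin", "logon_type": 10, "src_ip": "10.20.5.41"},
    {"type": "process", "ts": "2024-03-12T03:09:12", "host": "DC01", "user": "svc_backup",
     "cmdline": 'cmd.exe /c ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q'},
    {"type": "process", "ts": "2024-03-12T03:11:40", "host": "DC01", "user": "svc_backup",
     "cmdline": "reg save hklm\\system C:\\Windows\\Temp\\sy.hiv"},
    {"type": "process", "ts": "2024-03-12T03:15:02", "host": "FS02", "user": "svc_backup",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
                "connectport=8443 connectaddress=10.20.8.17"},
    {"type": "process", "ts": "2024-03-12T03:18:05", "host": "FS02", "user": "svc_backup",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1710213485.17 2>&1"},
    {"type": "process", "ts": "2024-03-12T03:20:33", "host": "DC01", "user": "svc_backup",
     "cmdline": "wevtutil cl Security"},
    {"type": "logon", "ts": "2024-03-12T09:30:00", "host": "FS02", "user": "svc_backup",
     "role": "admin", "logon_type": 10, "src_ip": "10.20.5.41"},
    {"type": "process", "ts": "2024-03-12T09:31:00", "host": "FS02", "user": "svc_backup",
     "cmdline": "wmic path win32_logicaldisk get caption,freespace,size"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for ts, host, rule in hits:
        print(f"{ts} {host:<5} {rule}")
    print("hosts with a technique chain:", hosts_with_chain(hits, minimum=3))
```

The daytime wmic disk query deliberately fires nothing: generic LOTL usage is what administrators do all day, and alerting on it alone buries the analyst. The signal is the chain on DC01 (off-hours RDP, NTDS.dit export, hive save, log clear) inside one session by one account, which is why the per-host chain threshold, not any single rule, is what should page someone.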

What the Group Signals About PRC Posture

Volt Typhoon is not acting alone. Related clusters — Salt Typhoon, Flax Typhoon, Velvet Ant — have been attributed to overlapping PRC operational units and use similar SOHO botnet infrastructure, LOTL tradecraft, and edge-device exploitation. The September 2024 FBI and CISA disclosures about Flax Typhoon's "Raptor Train" botnet, which involved over 260,000 compromised devices, suggest that the PRC has invested heavily in persistent access at the infrastructure layer. Supply chain defenders should expect more, not less, of this activity over the next several years.

How Safeguard Helps

Safeguard supports defenders against Volt Typhoon-class adversaries by surfacing the supply chain and infrastructure blind spots the group reliably exploits. The platform continuously inventories edge and network appliance firmware versions — Cisco, Fortinet, DrayTek, Versa — against CISA KEV entries like CVE-2024-39717 and CVE-2023-27997, so teams can prioritize patching the exact products Volt Typhoon keeps burning. Integrated supplier risk scoring highlights managed service providers and third-party integrators whose access patterns might expose downstream environments, while anomaly detection on build and deployment pipelines catches unexpected administrative tool usage patterns consistent with living-off-the-land tradecraft. By tying CVE intelligence, asset inventory, and supplier posture into one view, Safeguard gives teams the context they need to make the hard pre-positioning call before the pre-positioning matters.
