China-backed hackers known as Volt Typhoon have been compromising critical infrastructure providers in the US and other countries for at least five years. Their goal is to launch destructive cyberattacks [1] [6], particularly targeting operational technology in the event of a major conflict or crisis [6].
Volt Typhoon [1] [2] [3] [4] [5] [6] [7] [8] [9], a state-sponsored cyber group from China, has been identified as the primary actor behind these attacks [7]. The group has targeted critical infrastructure organizations in sectors such as energy [7], water [1] [4] [5] [6] [7] [8], telecommunications [1] [4] [5] [7] [9], and transportation systems [5] [7]. It has exploited vulnerabilities in routers [6], firewalls [6], and VPNs to gain initial access [2] [6], and has used stolen administrator credentials to maintain that access [6]. It has the capability to manipulate HVAC systems [6], disrupt energy and water controls [6], and potentially access camera surveillance systems [6].

The US Cybersecurity and Infrastructure Security Agency (CISA) [5] [7], the National Security Agency (NSA) [7], and the FBI have released a joint Cybersecurity Advisory [3], stating that state-sponsored actors from China are compromising and maintaining access to US critical infrastructure [3]. The advisory provides actionable information and threat detection and mitigation strategies applicable to “living-off-the-land” activity [3]. CISA has also published a Secure by Design Alert for small office/home office (SOHO) device manufacturers to protect against Volt Typhoon compromises. Critical infrastructure organizations and technology manufacturers are strongly urged to read the advisory and guidance to defend against this threat [3].

The FBI and US Department of Justice recently announced the disruption of the KV Botnet run by Volt Typhoon [6]. The group also targets government assets in Australia, the UK [2] [3] [6] [8] [9], Canada [5] [7] [8], and New Zealand [5] [7] [8]. The US agencies assess that Volt Typhoon is attempting to position itself on IT networks in preparation for disruptive or destructive cyberattacks on critical infrastructure in the United States. The group’s behavior and choice of targets indicate that it is pre-positioning to disrupt critical infrastructure functions. The potential for these actors to use their network access for disruptive effects in the event of geopolitical tensions or military conflicts is a concern [7].

Volt Typhoon has been known to exploit network appliances from vendors including Fortinet [2], Ivanti [2], Cisco [2], NetGear [2], and Citrix to gain initial access to targeted IT infrastructure [2]. The group has maintained access to victim IT environments for at least five years and is skilled at discovering and exploiting zero-day vulnerabilities. The US agencies recommend patching critical assets and known exploited vulnerabilities in the appliances frequently targeted by Volt Typhoon [2]. Small businesses that serve as suppliers to critical infrastructure providers are also at risk [2].
The actions of Volt Typhoon pose a significant threat to critical infrastructure providers in the US and other countries. The potential for disruptive cyberattacks on industries such as transportation, energy [1] [4] [5] [6] [7] [9], communications [1] [4] [5] [7] [9], and water and wastewater systems is a cause for concern. Mitigations and incident response recommendations have been provided to disrupt Volt Typhoon’s accesses and reduce the threat to critical infrastructure entities [7]. The group’s ongoing efforts to prepare the means to create panic and disruption ahead of a possible military attack in the Asia-Pacific region highlight the need for increased cybersecurity measures and vigilance in the face of state-sponsored cyber threats.