Volt Typhoon (also tracked as VOLTZITE, Bronze Silhouette, Vanguard Panda, DEV-0391 and Insidious Taurus) is a state-sponsored advanced persistent threat group attributed to the People's Republic of China (PLA), active since at least 2021. The group primarily targets critical infrastructure: energy, water, transportation, communications and maritime organizations. MITRE ATT&CK tracks it as G1017.
Overview & Attribution
Volt Typhoon represents a strategic threat to US national security. Unlike espionage-focused PRC APT groups, it has been assessed by CISA, NSA, FBI and their Five Eyes partners as pre-positioning inside critical infrastructure networks for potential disruptive or destructive operations during a future geopolitical crisis, particularly a conflict over Taiwan.
Active since at least 2021 and attributed to the People's Republic of China (PLA), the group relies almost entirely on living-off-the-land binaries, legitimate administrator tools and stolen valid credentials, rarely placing malware on victim hosts, which makes detection exceptionally difficult. Its presence in US water, energy, transportation and communications networks has been confirmed by multiple government agencies.
- Attribution: People's Republic of China (PLA)
- Active since: 2021
- Primary targets: Critical infrastructure, energy, water, transportation, communications, maritime
- Also known as: VOLTZITE, Bronze Silhouette, Vanguard Panda, DEV-0391, Insidious Taurus
Arsenal & Tools
Volt Typhoon employs a distinctive approach built on native operating system tools and publicly available software, rarely deploying malware on victim hosts:
- Living-off-the-land binaries (LOLBins): Heavy reliance on native OS tools, including ntdsutil (dumping NTDS.dit via an IFM media set), netsh (portproxy rules for internal relaying), PowerShell and wmic, so that activity blends with routine administration
- Impacket: Open-source Python toolkit for network protocol interaction and lateral movement
- Fast Reverse Proxy (FRP): Open-source reverse proxy used to tunnel command-and-control traffic through compromised infrastructure, including SOHO routers
- Mimikatz: Credential harvesting tool used selectively during post-exploitation
- SOHO router implants: Implants installed on end-of-life Cisco, NETGEAR and other consumer routers to turn them into operational relay infrastructure
- KV Botnet: The resulting botnet of compromised end-of-life SOHO routers and IoT devices, used as relay nodes to obscure the true origin of the group's traffic
Targeting & Operations
The group targets critical infrastructure (energy, water, transportation, communications and maritime) across the United States and its territories. Its operations are assessed as pre-positioning for disruption rather than traditional intelligence collection, a notable shift in PRC cyber strategy.
Volt Typhoon is distinguished by its near-exclusive reliance on living-off-the-land techniques. The group favors native OS tools (ntdsutil, netsh, PowerShell, wmic) driven by stolen legitimate administrator credentials, and deploys little or no custom malware on victim hosts. This lets it maintain persistent access for years while its activity looks like normal system administration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1190 Exploit Public-Facing Application | Exploitation of internet-facing Fortinet and Zoho ManageEngine appliances and other edge devices (CISA also lists Ivanti, NETGEAR, Citrix and Cisco products) |
| Execution | T1059.001 PowerShell | Native PowerShell for reconnaissance, lateral movement, and data staging |
| Persistence | T1078 Valid Accounts | Credential theft and reuse of legitimate administrator accounts for persistent access |
| Persistence | T1136 Create Account | Creation of local accounts on compromised systems for backup access |
| Defense Evasion | T1218 System Binary Proxy Execution | Signed native binaries (LOLBins) used in place of malware so that activity blends with legitimate system administration |
| Lateral Movement | T1021.002 SMB/Windows Admin Shares | Lateral movement via administrative shares using stolen credentials |
Notable Campaigns
Volt Typhoon has been linked to multiple significant campaigns targeting US critical infrastructure. The group continuously evolves its techniques to evade detection while maintaining persistent access.
- US Critical Infrastructure Pre-Positioning (2021-Present): Persistent presence in energy, water treatment, transportation, and communications networks across the continental United States. CISA Advisory AA24-038A confirmed active compromises with no observed espionage or financial motivation, assessed as pre-positioning for future disruption.
- Guam Military Infrastructure (2023): Targeted communications infrastructure in Guam and other US territories with strategic military significance in the Pacific theater.
- KV Botnet Operations (2022-2024): Operated a botnet of hundreds of compromised SOHO routers (primarily end-of-life Cisco and NETGEAR devices) as covert communication relay infrastructure. Disrupted by FBI operation in January 2024.
- Water and Wastewater Intrusions (2023-2024): Compromised the IT networks of multiple US water and wastewater treatment facilities and, in some cases, reached operational technology assets.
Indicators: the group proxies command-and-control traffic through compromised SOHO routers, so there are no durable static IOCs; behavioral detection is the primary approach because of its LOLBin-centric operations.
Detection & Defense
- Living-off-the-land detection: Implement behavioral analytics for anomalous use of ntdsutil, netsh, wmic, PowerShell and other native tools, keyed on the host, account, parent process and time of day rather than on the tool alone, since the group runs these tools under legitimate administrator accounts
- OT/IT network segmentation: Enforce strict segmentation between IT and operational technology networks, especially for water, energy, and transportation systems
- SOHO router hardening: Replace end-of-life SOHO routers, disable remote management, enforce firmware updates on all edge devices
- Identity monitoring: Alert on lateral movement with legitimate credentials, such as administrator logons to hosts the account has never touched, RDP or VPN sessions at unusual hours, and creation of new local accounts
- CISA advisory implementation: Follow CISA AA24-038A mitigation guidance including enhanced logging, SIEM correlation, and incident response planning
- Network flow analysis: Monitor for anomalous east-west traffic, including new listening ports created by netsh portproxy and unexpected SMB or RDP sessions between critical infrastructure segments
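The behavioral detection described above, as an added example (not code from the CISA advisory, MITRE or Mjolnir Security): a small Python scanner over Windows process-creation records that flags the ntdsutil, netsh, wmic and PowerShell command shapes public reporting ties to the actor and raises severity when they come from a host or account where they are not expected. The flat key=value record format, host names, accounts, addresses, allowlists and log lines are all constructed for the example; the patterns go a little beyond the tool names in this page's arsenal list (the IFM dump syntax, portproxy rules, remote wmic execution and encoded PowerShell) and would need tuning for a real estate.

```python
"""Behavioral detection of Volt Typhoon-style living-off-the-land commands.

Added example for this profile; it is not code from CISA, MITRE, Mjolnir
Security or any vendor product. It reads Windows process-creation records
(the Computer/User/ParentImage/Image/CommandLine fields of Security event
4688 or Sysmon event 1, flattened to one key=value line each; this flat
format is an assumption) and flags the native-tool command shapes public
reporting attributes to the actor: ntdsutil IFM dumps of NTDS.dit, netsh
portproxy rules, wmic remote process creation, and encoded PowerShell.
Host names, accounts, addresses and log lines are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str      # computer the process started on
    user: str      # account that launched it
    parent: str    # parent image name
    image: str     # image name, e.g. ntdsutil.exe
    cmdline: str   # full command line


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    severity: str  # "high" = outside the expected host/account set


# (rule name, image regex, command-line regex). Everything is matched
# case-insensitively because Windows command lines are.
RULES = [
    ("ntdsutil_ifm_dump", r"ntdsutil(\.exe)?",
     r"\bac\s+i\s+ntds\b|\bifm\b|\bcreate\s+full\b"),
    ("netsh_portproxy", r"netsh(\.exe)?",
     r"\binterface\s+portproxy\s+(add|set)\b"),
    ("wmic_remote_exec", r"wmic(\.exe)?",
     r"/node:\S+.*\bprocess\s+call\s+create\b"),
    ("powershell_encoded", r"(powershell|pwsh)(\.exe)?",
     r"(^|\s)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
]

# Assumed allowlists (tune per environment): the only host/account pair from
# which an NTDS.dit dump is expected, and none for portproxy, which has no
# business use on this fictional network. Matches from elsewhere are "high";
# matches from an allowlisted pair still alert, at "medium", because the
# actor operates with stolen legitimate credentials.
EXPECTED = {
    "ntdsutil_ifm_dump": ({"BACKUP01"}, {r"CORP\svc_backup"}),
    "netsh_portproxy": (set(), set()),
}

RECORD_RE = re.compile(
    r"^Computer=(\S+) User=(\S+) ParentImage=(\S+) Image=(\S+) CommandLine=(.*)$"
)


def parse_record(line: str) -> ProcEvent:
    """Parse one flattened process-creation record; raise on malformed input."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return ProcEvent(*m.groups())


def detect(events) -> list:
    """Return one Alert per (event, rule) match, in input order."""
    alerts = []
    for ev in events:
        for rule, image_re, cmd_re in RULES:
            if not re.fullmatch(image_re, ev.image, re.I):
                continue
            if not re.search(cmd_re, ev.cmdline, re.I):
                continue
            severity = "medium"
            if rule in EXPECTED:
                hosts, users = EXPECTED[rule]
                if ev.host not in hosts or ev.user not in users:
                    severity = "high"
            alerts.append(Alert(rule, ev.host, ev.user, severity))
    return alerts


# Constructed sample records: an NTDS dump on a domain controller, the same
# command on the backup server, a portproxy relay and a remote wmic execution
# from a workstation, two benign admin commands, and an encoded PowerShell run.
SAMPLE_LOG = [
    r'Computer=DC01 User=CORP\admin_j ParentImage=cmd.exe Image=ntdsutil.exe '
    r'CommandLine=ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q',
    r'Computer=BACKUP01 User=CORP\svc_backup ParentImage=backupagent.exe Image=ntdsutil.exe '
    r'CommandLine=ntdsutil.exe "ac i ntds" "ifm" "create full D:\ifm\nightly" q q',
    r'Computer=WS042 User=CORP\admin_j ParentImage=cmd.exe Image=netsh.exe '
    r'CommandLine=netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=443 connectaddress=10.20.0.7',
    r'Computer=WS042 User=CORP\admin_j ParentImage=cmd.exe Image=wmic.exe '
    r'CommandLine=wmic /node:"10.20.0.7" /user:"CORP\admin_j" process call create "cmd.exe /c ipconfig /all > C:\Windows\Temp\o.txt"',
    r'Computer=WS017 User=CORP\jdoe ParentImage=explorer.exe Image=netsh.exe '
    r'CommandLine=netsh advfirewall show allprofiles',
    r'Computer=WS017 User=CORP\jdoe ParentImage=explorer.exe Image=powershell.exe '
    r'CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1',
    r'Computer=WS042 User=CORP\admin_j ParentImage=wmiprvse.exe Image=powershell.exe '
    r'CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA',
]


def run_sample() -> list:
    """Run the rules over the constructed records and return the alerts."""
    return detect(parse_record(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.severity:6}] {alert.rule:20} host={alert.host} user={alert.user}")
```

On the sample records this produces five alerts: the domain-controller NTDS dump and the workstation portproxy rule at high, the backup-server dump, the remote wmic execution and the encoded PowerShell at medium; the firewall query and the signed inventory script produce nothing. The allowlist is what turns a noisy tool match into a behavioral signal, and it is also where a real deployment needs care: an attacker who already holds the backup service account will still only score medium here, so the medium tier must be triaged rather than dropped.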
Defend Against Volt Typhoon
Mjolnir Security provides specialized capabilities to detect and respond to Volt Typhoon operations.
- APT Threat Hunting: Proactive hunting for Volt Typhoon TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence: Continuous monitoring of Volt Typhoon campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.