A Chinese state-sponsored hacking group called Volt Typhoon has spent years quietly burrowing into US power grids, water systems, ports, and telecommunications networks — not to steal data, but to position themselves to cause chaos if a conflict over Taiwan ever begins.
In May 2023, Microsoft published a blog post that, in a different era, might have triggered a major diplomatic crisis. The company had been tracking a group of Chinese government-sponsored hackers for months. The group had been systematically infiltrating critical infrastructure targets in the United States: power grids, water utilities, telecommunications providers, transportation systems, ports. They had been doing this quietly, without deploying malware that might be detected, using only tools already built into the operating systems they found on the networks they breached.
Microsoft called the group Volt Typhoon. The US government, releasing a joint advisory the same day, confirmed the attribution and described what Volt Typhoon was doing and why. The "why" was the part that made this different from ordinary espionage: Volt Typhoon wasn't primarily interested in stealing data. It was pre-positioning itself to cause disruption — deliberately seeding the networks that run American water, power, and communications with persistent access that could, at a moment of the Chinese government's choosing, be used to trigger cascading failures.
The trigger they appeared to be waiting for: a military conflict over Taiwan.
The Disclosure
Microsoft's disclosure arrived alongside a joint advisory signed by the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the FBI, and their counterparts in Australia, Canada, New Zealand, and the United Kingdom — the five countries that together form the intelligence alliance known as Five Eyes. The coordinated release was itself significant. Joint advisories of this kind are not rushed; they reflect substantial internal consensus and a deliberate decision to make information public rather than hold it for classified use.
The advisory described a Chinese state-sponsored actor that had been operating against US critical infrastructure targets since at least mid-2021. The targets weren't random. They included:
- Communications infrastructure (internet service providers, telecommunications companies)
- Electric power utilities
- Water and wastewater systems
- Transportation and logistics systems, including ports
- Government systems at state and local levels
Guam, the US territory in the Pacific that hosts significant American military infrastructure and would be critical in any conflict involving Taiwan or North Korea, was specifically identified as a target.
The specificity of the targeting warrants attention. In the telecommunications sector, researchers and government advisories identified compromised entities that included regional ISPs and cable operators whose networks form the backbone of internet connectivity across the continental United States. In the water sector, the advisory implicated water and wastewater treatment organisations across multiple US states — including, according to reporting that followed the initial disclosure, a water authority in Hawaii and treatment facilities serving communities in the continental US. These are not high-profile targets in the traditional intelligence sense; they hold no classified information and their operational disruption would not degrade US military capability directly. What they share is dependence: millions of people depend on them working, every day, invisibly. Security researchers at Dragos and CrowdStrike, who track the group under the alternative designations "VOLTZITE" and "Bronze Silhouette" respectively, noted that the selection of targets reflects deliberate prioritisation of systems whose disruption would produce civilian panic and political pressure, rather than the kind of military-grade intelligence that a conventional espionage operation would pursue. "Bronze Silhouette" — the CrowdStrike tracking name — has become a widely used identifier in threat intelligence reports and is often used interchangeably with "Volt Typhoon" in vendor publications, though the groups may differ slightly in scope depending on how each organisation defines cluster boundaries.
The May 2023 joint advisory was the first major public attribution, but it was followed by a second, more detailed advisory in February 2024 — again signed jointly by CISA, NSA, and FBI — that disclosed the full duration of the intrusions and the proximity to operational technology systems. That February advisory stated explicitly that Volt Typhoon operators had demonstrated "the ability to pivot" to industrial control systems that govern physical infrastructure, not merely the IT networks that sit in front of them. The distinction matters: compromising an IT network is one thing; reaching the SCADA systems that open and close valves, manage power flows, or control treatment dosing in a water plant is another level of access with directly physical consequences.
Living Off the Land: Hacking Without Leaving Fingerprints
What made Volt Typhoon's approach technically distinctive — and particularly difficult to detect — was their reliance on what security researchers call "living-off-the-land" techniques. This phrase describes the practice of using tools and capabilities that already exist on a compromised system, rather than introducing external malware.
Every Windows computer, and most servers running modern operating systems, comes with a suite of built-in administrative tools: command-line interfaces, network diagnostics utilities, scripting environments, and remote management tools. These tools are present on every system because legitimate administrators need them to manage networks. They also generate log entries that look identical to legitimate administrative activity.
Volt Typhoon operators would gain initial access to a target network — typically through exploiting vulnerabilities in internet-facing devices like firewalls, VPN appliances, and routers, which often run custom operating systems with their own vulnerability profiles. From there, they used only native system tools to move through the network: the Windows command prompt, PowerShell, the built-in network diagnostic tool netstat, Windows Management Instrumentation, and others.
This approach served multiple purposes. It was harder to detect because security monitoring tools are tuned to spot external programs and files that shouldn't be present; they're much worse at identifying when native tools are being used maliciously. It was also harder to attribute, since the absence of custom malware meant there were fewer "fingerprints" that could be traced back to a specific actor.
Perhaps most importantly, it was persistent. Volt Typhoon used built-in tools to create legitimate-looking administrative accounts, establish scheduled tasks that maintained their access, and tunnel their communications through trusted systems in ways that made their traffic difficult to distinguish from normal network activity. Some of the accesses they established were later found to have persisted for years without detection.
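One way a defender can surface this kind of activity, as an added example that is not code from the article or from any vendor or agency it names: the script below scans constructed Windows process-creation records for the combination of native-tool commands the section describes (reconnaissance, account creation, scheduled-task persistence, tunnelling). The rule set, the record format and the threshold are assumptions of the example.

```python
"""Added example, not from the article or any vendor: a small detector that
scans constructed Windows process-creation records for the living-off-the-land
patterns the article describes (new local accounts, scheduled-task persistence,
netsh port-proxy tunnelling, WMI remote execution, netstat-style recon).
A real deployment would read Sysmon Event ID 1 or Security Event ID 4688 from
a SIEM; the records here are embedded so the script runs offline."""
import re

# Illustrative rules assumed by this example; each pairs a label with a regex
# applied to the command line. All tools named are native Windows utilities.
RULES = [
    ("sched_task_persistence", re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("local_account_created",  re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I)),
    ("admin_group_modified",   re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b.*\s/add\b", re.I)),
    ("portproxy_tunnel",       re.compile(r"\bnetsh(\.exe)?\b.*\bportproxy\b.*\badd\b", re.I)),
    ("wmi_remote_exec",        re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("network_recon",          re.compile(r"\b(netstat|ipconfig|arp|nltest)(\.exe)?\b", re.I)),
]

# Constructed sample records, "host|user|commandline", one per process start.
SAMPLE_LOG = """\
srv01|svc_backup|netstat -ano
srv01|svc_backup|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389
srv01|svc_backup|net user support_admin P@ssw0rd /add
srv01|svc_backup|net localgroup administrators support_admin /add
srv01|svc_backup|schtasks /create /tn Updater /tr update.bat /sc daily
ws12|alice|ipconfig /all
"""

def match_rules(command_line):
    """Labels of every rule the command line matches (empty for benign lines)."""
    return [label for label, rx in RULES if rx.search(command_line)]

def score_principals(log_text, threshold=3):
    """Group matches by (host, user) and keep only principals that hit at least
    `threshold` distinct rules. Any one of these commands is routine admin
    work; it is the combination on one account that resembles the article's
    pattern of recon, persistence and tunnelling with built-in tools."""
    hits = {}
    for line in log_text.splitlines():
        host, user, cmd = line.split("|", 2)
        for label in match_rules(cmd):
            hits.setdefault((host, user), set()).add(label)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (host, user), labels in score_principals(SAMPLE_LOG).items():
        print(f"{host}/{user}: {', '.join(labels)}")
```

The threshold is what keeps the alert volume manageable: a single `netstat` or `schtasks` call from an administrator is normal, and the heuristic only fires when several distinct behaviours stack up on one account.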
The Intent: Pre-Positioning, Not Espionage
FBI Director Christopher Wray testified before the Senate Intelligence Committee in February 2024 in terms that were unusually direct for public statements from the intelligence community. He described Volt Typhoon as a "pre-positioning" operation — not primarily interested in the data these systems held, but in the ability to disrupt them.
"Pre-positioning" is a military concept that has a specific tactical meaning when applied to cyber operations. It describes the practice of establishing persistent access to systems before you intend to use that access, so that when you need to act, you don't first have to break in — you're already there. In conventional military terms, it's analogous to pre-deploying forces and equipment near a theatre of conflict before hostilities begin. In Volt Typhoon's case, "activation" of pre-positioned access could mean several things: issuing commands that shut down power distribution systems, altering chemical dosing at water treatment plants to dangerous levels, disrupting the routing infrastructure that carries internet traffic across major metropolitan areas, or interfering with the port logistics systems that handle cargo at US Pacific coast terminals. Security researchers who have modelled these scenarios note that a coordinated, simultaneous attack on multiple utility sectors — power, water, and communications — in the same geographic area would be qualitatively different from a single-sector attack: the knock-on effects multiply. A city without power cannot run water pumps; a city without communications cannot coordinate emergency response. These cascading effects are understood by military planners and, it appears, by the operators behind Volt Typhoon.
"China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities," Wray told senators. He described specific scenarios: attacks on water treatment facilities that could contaminate drinking water, disruptions to the power grid that could cause blackouts, interference with transportation and communications systems at moments of military tension.
The Taiwan connection is important context. China considers Taiwan part of its territory and has never renounced the use of military force to achieve reunification. US military commitments and arms sales to Taiwan have long been a source of tension. American military and intelligence officials have expressed growing concern that China may attempt to use force against Taiwan within the next decade.
In that scenario, Volt Typhoon's pre-positioned access in US infrastructure would serve as a deterrent and a coercive tool. The prospect of a Chinese cyberattack causing blackouts in major US cities, contaminating water supplies, or disrupting ports at the start of a Taiwan conflict would create domestic pressure on US decision-makers. Whether it would actually deter US military involvement is a matter of genuine strategic debate, but the capability being built — persistent access to critical infrastructure that could be weaponised — is real.
The Scale of the Intrusion
One of the more unsettling aspects of the Volt Typhoon revelations was the accumulated evidence of how long and how deeply the group had been inside American systems.
The January 2025 advisory from CISA, released in collaboration with FBI and NSA, revealed that Volt Typhoon had compromised the IT environments of multiple critical infrastructure organisations and, in some cases, had "pre-positioned themselves on IT networks" in ways that could allow for "lateral movement to OT assets" — meaning they had gotten close enough to the operational technology that actually controls physical systems (turbines, water pumps, electrical switches) to potentially manipulate them.
The advisory noted that some Volt Typhoon intrusions had lasted for years before discovery. In one case involving a communications organisation, persistence was maintained for "at least five years." That's five years of access to systems that, if disrupted, could affect millions of people.
Infrastructure in the Pacific region was particularly targeted, consistent with the Taiwan-related strategic rationale. But the affected sectors weren't limited to obvious military-adjacent targets. Water utilities serving American cities. Power utilities. The quiet, unglamorous infrastructure that most people never think about because it simply works.
The Botnet Infrastructure
A secondary revelation in the government's Volt Typhoon investigations concerned how the group moved its attack traffic. Rather than routing communications through servers that could be traced to China, Volt Typhoon built and operated a botnet — a network of compromised devices — consisting primarily of small office and home office (SOHO) routers, cameras, and network-attached storage devices.
These are the kinds of devices that millions of small businesses and homes use: Cisco, Netgear, and Fortinet routers; ASUS routers; IP cameras. They're often connected to the internet, running old firmware with known vulnerabilities, and rarely monitored. By compromising hundreds of these devices, Volt Typhoon created a relay network through which their actual attack traffic could be routed — making it appear to originate from ordinary American internet connections rather than Chinese servers.
The Justice Department, in January 2024, announced that it had disrupted this botnet through a court-authorised operation that deleted the malware from infected devices in the United States. But botnet infrastructure can be rebuilt, and the underlying vulnerability — poorly secured consumer and small-business devices connected to the internet — remains pervasive.
What It Means for Ordinary Americans
The honest answer is that ordinary Americans have very little direct ability to protect themselves from a nation-state operation targeting the power grid. If China chose to use Volt Typhoon's pre-positioned access to cause a major infrastructure disruption, the remedies are at the level of governments, utilities, and security agencies — not individual households.
But there are several things worth understanding.
The first is that this threat is not hypothetical. Volt Typhoon is not a theoretical risk that might materialise someday. The accesses were real. The persistence was documented. The attribution, which is notoriously difficult to make publicly in cybersecurity, was confirmed by the intelligence agencies of multiple countries. The intrusions have already happened; what hasn't happened yet is the activation of that access for destructive purposes.
The second is that consumer and small-business router security matters more than most people realise. The Volt Typhoon botnet was built from compromised small-office and home routers. If you run a small business, or have a home router that you've never updated, you may be hosting part of a nation-state attack infrastructure without knowing it. Basic router hygiene — keeping firmware updated, using strong admin passwords, disabling remote management if you don't need it — limits your contribution to these botnets.
The third is about the broader systemic lesson. American critical infrastructure — the water systems, power grids, and communications networks that people rely on daily — is substantially operated by private companies, many of which are small utilities that don't have the resources to defend against sophisticated nation-state attackers. The gap between the threat and the defensive capacity is significant. Bridging it is a policy and investment challenge, not just a technical one.
FBI Director Wray described the situation plainly: "China's hackers are preparing to wreak havoc. They are biding their time and planning to land low blows against civilian infrastructure to try to induce panic."
What changes after that statement is a matter for policymakers, infrastructure operators, and security agencies. But the public deserves to know that the scenario isn't science fiction. It's already begun.
References:
- Microsoft Threat Intelligence: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques, May 2023 — Initial disclosure and technical analysis
- CISA/NSA/FBI Joint Advisory: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, May 2023 — Government advisory with technical details
- CISA/NSA/FBI: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure, February 2024 — Updated advisory with expanded detail
- FBI Director Christopher Wray Senate Intelligence Committee Testimony, February 2024 — Congressional testimony on Volt Typhoon
- DOJ: US Disrupts Botnet Used by China-Backed Hackers, January 2024 — Botnet disruption operation
- Reuters: Volt Typhoon pre-positioned in US infrastructure for years — News reporting on duration of intrusions