
Tracking Volt Typhoon, State-Sponsored Threat Activity Against Critical Infrastructure

February 19, 2024

In response to the latest reports around Volt Typhoon, we are sharing guidance on leveraging OT asset management capabilities as part of your overall defense strategy.

Volt Typhoon is reported to be a People’s Republic of China (PRC) state-sponsored cyber actor, known to target critical infrastructure. Active since mid-2021, Volt Typhoon raised alerts last year when Microsoft disclosed observed activities, followed by a report from CISA. CISA issued another alert about Volt Typhoon on February 7, confirming observed compromises of IT environments at multiple critical infrastructure organizations.

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions.”
- CISA Cybersecurity Advisory "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure"

Responding to Volt Typhoon

Volt Typhoon is known to primarily use living off the land (LOTL) techniques. They are also known for using valid accounts and remaining undiscovered over the long term.

While Industrial Defender's core functions serve asset management, system hardening, and compliance programs, our platform can support and be used in tandem with other tools addressing other parts of the attack lifecycle. We strongly recommend that you refer to CISA’s guidance for a thorough framework on addressing this threat:

For leveraging Industrial Defender to support these efforts, we recommend that you:

  • Use Industrial Defender to monitor credential modifications, as a potential indicator of persistence.
  • Use Industrial Defender to monitor changes to firewall configurations.
  • Use Industrial Defender to monitor new network connections, for both access and exfiltration.
  • Activate IDS features on your IDCs and consider custom rules.
  • Ensure Industrial Defender agents are monitoring relevant directories.  
  • Inspect for cleared audit logs.
  • Investigate Windows Firewall rule modifications/unauthorized exceptions for security breaches.
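
One way to express three of the checks above (credential modifications, Windows Firewall rule changes, cleared audit logs) over exported Windows event records. This is an added example, not Industrial Defender functionality or code from CISA; the record layout (`time`, `host`, `channel`, `id`), the one-hour correlation window and the sample hosts are assumptions, and the event IDs are the standard Windows ones named in the comments.

```python
from datetime import datetime, timedelta

# (channel, event ID) -> checklist category. Standard Windows event IDs.
WATCHED = {
    ("Security", 4720): "credential-change",  # user account created
    ("Security", 4724): "credential-change",  # password reset attempted
    ("Security", 4732): "credential-change",  # member added to local group
    ("Security", 4738): "credential-change",  # user account changed
    ("Security", 4946): "firewall-change",    # firewall rule added
    ("Security", 4947): "firewall-change",    # firewall rule modified
    ("Security", 4948): "firewall-change",    # firewall rule deleted
    ("Security", 1102): "log-cleared",        # Security audit log cleared
    ("System", 104): "log-cleared",           # an event log was cleared
}
WINDOW = timedelta(hours=1)  # assumption: correlation window, tune per site

def triage(events):
    """Flag watched events; escalate a log clear that follows a credential
    or firewall change on the same host within WINDOW."""
    findings, last_change = [], {}  # last_change: host -> datetime
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        category = WATCHED.get((ev["channel"], ev["id"]))
        if category is None:
            continue  # same ID in another channel, or an unwatched event
        when = datetime.fromisoformat(ev["time"])
        severity = "review"
        if category == "log-cleared":
            prior = last_change.get(ev["host"])
            near = prior is not None and when - prior <= WINDOW
            severity = "high" if near else "medium"
        else:
            last_change[ev["host"]] = when
        findings.append({"time": ev["time"], "host": ev["host"], "id": ev["id"],
                         "category": category, "severity": severity})
    return findings

# Constructed sample records (hosts, times and layout are illustrative).
SAMPLE = [
    {"time": "2024-02-19T02:11:00", "host": "HMI-01", "channel": "Security", "id": 4624},
    {"time": "2024-02-19T02:14:00", "host": "HMI-01", "channel": "Security", "id": 4720},
    {"time": "2024-02-19T02:20:00", "host": "HMI-01", "channel": "Security", "id": 4946},
    {"time": "2024-02-19T02:31:00", "host": "HMI-01", "channel": "Security", "id": 1102},
    {"time": "2024-02-19T09:00:00", "host": "HIST-02", "channel": "System", "id": 104},
    {"time": "2024-02-19T09:05:00", "host": "HIST-02", "channel": "Application", "id": 104},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The firewall rule events (4946 to 4948) are only written when the "MPSSVC Rule-Level Policy Change" audit subcategory is enabled, so confirm the audit policy before relying on their absence.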

You can track the latest on this threat and others at https://www.cisa.gov/.