
Volt Typhoon
China state-sponsored actor pre-positioning in US critical infrastructure; relays its intrusion traffic through the KV Botnet.
Last refreshed: 30 April 2026
Is Volt Typhoon already inside US and allied power grids, waiting for an order to act?
- What is Volt Typhoon and what does it want inside US infrastructure?
- Volt Typhoon is a China state-sponsored cyber actor that has been embedding itself in US critical infrastructure networks since at least mid-2021. Microsoft and CISA assessed in May 2023 that its goal is not intelligence collection but pre-positioning: establishing persistent access to communications, utility and transport networks that could be activated to disrupt them in a future US-China crisis, particularly one over Taiwan. Source: Microsoft / CISA advisory, May 2023
- What are living-off-the-land techniques and why does Volt Typhoon use them?
- Living-off-the-land means relying on tools already present on the target rather than deploying custom malware: on Windows hosts, built-in utilities such as netsh, PowerShell, wmic and ntdsutil, and native ways of reading credential stores such as the LSASS process memory and the NTDS.dit database. Volt Typhoon uses this approach because the resulting activity looks like routine administration. There is no malicious file for signature-based antivirus to match, and behaviour-based EDR has to separate malicious use of legitimate tools from legitimate use of the same tools, which yields far weaker signals than a known malware binary. Source: Microsoft Security Blog
- What is the KV Botnet used by Volt Typhoon?
- KV Botnet is a network of compromised end-of-life Cisco and Netgear small-office/home-office routers that Volt Typhoon uses as a covert relay layer for its intrusion traffic. Because the devices no longer receive vendor patches, a cleaned router can be reinfected and new ones keep being recruited, so the set of relay IP addresses changes continuously and IP blocklists alone cannot keep up. The FBI disrupted the botnet in a court-authorised operation announced in January 2024; the 16-agency advisory of April 2026 stated that KV Botnet is still in use. Source: FBI / NCSC 16-agency advisory
- Has Volt Typhoon been removed from US critical infrastructure?
- No. No full eviction has been publicly announced. In the court-authorised operation announced in January 2024, the FBI removed the KV Botnet malware from hundreds of compromised routers, but the actor subsequently rebuilt its relay infrastructure. The April 2026 16-agency advisory stated that the group remains active and still uses KV Botnet for pre-positioning in critical national infrastructure (CNI). Source: 16-agency joint advisory, April 2026
Background
Volt Typhoon is a China-nexus state-sponsored cyber actor first publicly disclosed by Microsoft and CISA in May 2023, though Western intelligence assessments date its activity to at least mid-2021. The group's defining characteristic is its reliance on living-off-the-land (LOTL) techniques: built-in Windows utilities (netsh portproxy, ntdsutil, wmic, PowerShell) and native methods of dumping credentials from LSASS and the NTDS.dit database, rather than custom malware. Because every tool involved is one a legitimate administrator might run, the activity is difficult to separate from normal administration on the basis of individual commands alone. Volt Typhoon targets the communications, manufacturing, utilities, transport, construction, maritime, government, IT and education sectors.
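The detection problem raised in the FAQ answer on living-off-the-land and in the paragraph above is that each command is individually defensible, so the useful signal is the combination of techniques on one host. The following is an added example written for this page, not code from the page, Microsoft or CISA: it runs narrow command-line rules for the techniques named above over a constructed, pipe-delimited export of Windows process-creation (Event ID 4688) records and raises severity only when two or more distinct techniques appear on the same host within an hour. The export format, the sample events, the ATT&CK mappings and the comsvcs.dll LSASS-dump rule (a generic heuristic, not a command the page attributes to the actor) are all assumptions of this example.

```python
"""Heuristic detection of living-off-the-land (LOTL) activity over constructed
Windows process-creation (Event ID 4688) records.

Added example, not code from the page, Microsoft or CISA. The rules encode the
techniques the page names (netsh portproxy, ntdsutil, LSASS and SAM credential
dumping, event-log queries) and the principle that a *sequence* of individually
legitimate admin commands on one host is the real signal. The pipe-delimited
export format and the sample events are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (description, ATT&CK technique, regex over the command line). Patterns are
# deliberately narrow so that routine use of the same binary, e.g.
# 'netsh advfirewall show', does not fire.
RULES = [
    ("netsh portproxy relay added", "T1090.001",
     re.compile(r"netsh\s+interface\s+portproxy\s+add\s+v4tov4", re.I)),
    ("ntdsutil IFM copy of NTDS.dit", "T1003.003",
     re.compile(r"ntdsutil.*\bifm\b.*create\s+full", re.I)),
    ("SAM hive exported with reg save", "T1003.002",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\sam\b", re.I)),
    ("LSASS minidump via comsvcs.dll (generic heuristic, assumed)", "T1003.001",
     re.compile(r"rundll32.*comsvcs\.dll.*minidump", re.I)),
    ("logon events pulled with wevtutil", "T1654",
     re.compile(r"wevtutil.*\bqe\b\s+security\b.*EventID=4624", re.I)),
]

# Constructed sample export: time|host|user|parent image|command line.
# DC01 shows the relay-then-credential-theft sequence; the other hosts show
# single or benign uses of the same binaries.
SAMPLE_EVENTS = r"""
2026-04-20T02:11:05|DC01|CORP\svc_backup|cmd.exe|netsh advfirewall show allprofiles
2026-04-20T02:14:31|DC01|CORP\svc_backup|cmd.exe|cmd.exe /C "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=10.0.4.21 connectport=8443 protocol=tcp"
2026-04-20T02:19:47|DC01|CORP\svc_backup|cmd.exe|cmd.exe /C "ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\pro\" q q"
2026-04-20T02:25:10|DC01|CORP\svc_backup|cmd.exe|wevtutil.exe qe security /rd:true /f:text /q:*[System[(EventID=4624)]]
2026-04-20T09:02:13|FS02|CORP\jsmith|explorer.exe|wevtutil.exe qe application /rd:true /c:5
2026-04-21T13:40:00|WS17|CORP\helpdesk|cmd.exe|reg save hklm\sam C:\Temp\s.dat
"""


def parse_event(line):
    """Split one export line into a dict; the command line may itself contain '|'."""
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "user": user, "parent": parent, "cmdline": cmdline}


def match_rules(cmdline):
    """Return (description, technique) for every rule the command line trips."""
    return [(desc, tid) for desc, tid, rx in RULES if rx.search(cmdline)]


def max_distinct_techniques(events, window):
    """Largest number of distinct techniques inside any `window`-long span that
    starts at a hit. events: (time, technique) pairs sorted by time."""
    best = 0
    for i, (t0, _) in enumerate(events):
        span = {tid for t, tid in events[i:] if t - t0 <= window}
        best = max(best, len(span))
    return best


def analyze(log_text, window=timedelta(hours=1)):
    """Per-host findings. One technique alone is 'low' (admins do run these
    tools); two or more distinct techniques inside `window` is 'high', the
    proxy-then-credential-theft pattern that no single IOC would catch."""
    per_host = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        for desc, tid in match_rules(ev["cmdline"]):
            per_host[ev["host"]].append((ev["time"], tid, desc, ev["user"]))
    findings = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        pairs = [(t, tid) for t, tid, _, _ in hits]
        distinct = max_distinct_techniques(pairs, window)
        findings[host] = {
            "severity": "high" if distinct >= 2 else "low",
            "techniques": sorted({tid for _, tid, _, _ in hits}),
            "users": sorted({u for _, _, _, u in hits}),
            "commands": [desc for _, _, desc, _ in hits],
        }
    return findings


if __name__ == "__main__":
    for host, f in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: {f['severity']} {f['techniques']} by {f['users']}")
        for c in f["commands"]:
            print("   -", c)
```

On the sample, DC01 is rated high because a portproxy relay, an NTDS.dit export and a logon-event query all occur within eleven minutes under one service account, while WS17 is only low on a lone `reg save` and FS02 produces nothing because its wevtutil query touches the Application log, not Security. In production the same logic would read 4688 events (with command-line auditing enabled) or Sysmon Event ID 1 from the SIEM rather than a text export; the point the example makes is that the correlation across techniques, not any single command or IP address, is what survives the actor's rotation of infrastructure.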
The actor routes its intrusion traffic through the KV Botnet, a covert network of compromised end-of-life Cisco and Netgear small-office/home-office routers that no longer receive manufacturer security patches. This relay layer obscures Volt Typhoon's true origin: a defender reading connection logs sees only the last-hop router, typically a residential or small-business device in the victim's own country, rather than the actor's infrastructure. Microsoft assessed with moderate confidence in 2023 that Volt Typhoon is developing capabilities that could disrupt critical communications infrastructure between the United States and the Asia-Pacific region during a future crisis, the clearest public statement that this actor's mission is sabotage pre-positioning rather than intelligence collection.
The 16-agency joint advisory of 23 April 2026 named Volt Typhoon alongside Flax Typhoon as one of two China-nexus actors whose infrastructure is managed through Integrity Technology Group. The advisory explicitly identified KV Botnet as the instrument Volt Typhoon uses for US critical national infrastructure pre-positioning — formally confirming in allied institutional voice what the FBI had disclosed in 2024 when it disrupted an earlier version of the botnet. The advisory also confirmed the IOC extinction problem: Volt Typhoon cycles through new compromised edge devices faster than defenders can block them, rendering traditional indicator-based defences insufficient.
For UK and allied defenders, the advisory's significance extends beyond attribution. By naming Volt Typhoon's CNI pre-positioning explicitly, the 16 agencies are signalling that the threat model has graduated from espionage to sabotage readiness — the actor is believed to already be embedded in US CNI awaiting an order to activate disruptive capability. The advisory recommendations (edge-device baselining, dynamic threat feeds, Cyber Essentials adoption) are calibrated to this higher threat tier.