Named attack · kill-chain walkthrough

Volt Typhoon

PRC state-sponsored pre-positioning in U.S. critical infrastructure

Volt Typhoon (Bronze Silhouette / DEV-0391) · Active: mid-2021 – present · Attribution confidence: high

Attributed by the U.S. government, Five Eyes partners, and MSTIC to a PRC state-sponsored actor assessed to be pre-positioning for potential disruptive or destructive cyberattacks in the event of a major geopolitical crisis or conflict with the United States.

Volt Typhoon infiltrated U.S. critical-infrastructure networks — spanning communications, energy, transportation, and water/wastewater — using exclusively living-off-the-land (LOTL) techniques: no custom malware, only signed Windows binaries. All command-and-control traffic was routed through a botnet of compromised end-of-life SOHO routers (the KV-botnet) so it appeared as ordinary U.S. residential traffic. The assessed purpose is not espionage but pre-positioning: establishing durable, covert access that could enable disruptive action on command.

[Diagram: kill-chain overview in seven scenes. PRC operator → KV-botnet / JDY-botnet relay (end-of-life SOHO routers; multi-hop, C2 traffic appears as U.S. residential IPs) → edge appliance (Fortinet FortiGuard, Cisco RV32x, Citrix NetScaler, Netgear ProSafe; T1190) → victim Windows hosts, no malware installed (wmic process list /format:csv, wmic os get, netsh int ip show config, ipconfig, netstat -ano; T1059.003, T1016, T1018) → domain controller (ntdsutil IFM snapshot → ntds.dit, ldifde, certutil; T1003.003) → defense evasion, LOTL only (wevtutil cl System, wevtutil cl Security, all signed binaries; T1070.001) → lateral movement and persistence (PsExec, WinRM, pass-the-hash, valid accounts; T1078.002) → target sectors, U.S. critical infrastructure (Comms T1040, Energy T1040, Water T1489, Transport T1485: staged, not executed) → Guam, Indo-Pacific staging priority and key U.S. military logistics hub (CISA AA24-038A). Latent disruptive/destructive capability, pre-positioned but not activated; no data exfiltration publicly attributed, no ransomware or destructive payload executed.]
Sources: CISA AA23-144A · AA24-038A · MSTIC 2023-05-24 · DOJ 2024-01-31 · MITRE G1017
  1. Phase 01 · Initial Access (TA0001)

    Public-facing edge appliances exploited as the front door — Fortinet, Cisco, NetScaler

    • Volt Typhoon primarily exploited internet-facing Fortinet FortiGuard SSL-VPN appliances using known vulnerabilities (CVE-2022-40684 and related) to gain an initial foothold without credentials.
    • Cisco RV320/RV325 SOHO routers and Netgear ProSafe devices were also exploited for initial access, as were Citrix NetScaler/ADC appliances.
    • These edge devices served a dual purpose: ingress to the victim network AND conscription into the KV-botnet relay infrastructure for subsequent C2 operations.
    • CISA's February 2024 advisory confirmed the actor maintained access to some victim environments for at least five years.
    • No spear-phishing or supply-chain compromise has been attributed to this campaign; all confirmed initial access vectors are internet-exposed network appliances.
  2. Phase 02 · Command & Control (TA0011)

    The KV-botnet: all C2 traffic laundered through end-of-life U.S. routers to look residential

    • Volt Typhoon constructed the KV-botnet from hundreds of compromised end-of-life SOHO routers and VPN appliances (Cisco RV320/325, DrayTek Vigor, Netgear ProSafe, Axis IP cameras) acting as multi-hop proxies.
    • By routing operator traffic through devices with legitimate U.S. IP addresses — often in or near the victim's own geography — the actor made intrusion traffic indistinguishable from normal ISP traffic.
    • The FBI obtained a court order and, in January 2024 (Operation Houdini), remotely deleted the KV-botnet malware from affected routers and severed the cluster's C2 communications.
    • A second cluster, the JDY-botnet (discovered by Black Lotus Labs / Lumen), remained active and employs overlapping but distinct infrastructure.
    • No bespoke implant communicates directly from victim to actor; the botnet is the only C2 layer.
  3. Phase 03 · Discovery (TA0007)

    Extensive reconnaissance using only built-in Windows tools — wmic, netsh, ldifde, no scripts dropped

    • Operators ran `wmic process list /format:csv` and `wmic os get` to enumerate running processes and OS metadata without touching disk with any external tool.
    • Network topology was mapped with `netsh int ip show config`, `ipconfig /all`, and `netstat -ano`, producing a full picture of interfaces, routes, and active connections.
    • Active Directory was queried using `ldifde` and `ntdsutil` to enumerate domain users, computers, groups, and Kerberos service accounts (T1087.002).
    • Because all commands are signed Microsoft binaries, EDR tools that rely on process reputation rather than behavioral analysis produced no alerts.
  4. Phase 04 · Credential Access (TA0006)

    ntds.dit extracted via ntdsutil volume-shadow-copy trick — the entire domain credential store, offline

    • The actor used `ntdsutil` to create a legitimate IFM (Install From Media) snapshot, which copies ntds.dit and the SYSTEM hive to a staging directory without triggering VSS alerts or requiring a third-party tool.
    • With ntds.dit and the SYSTEM registry hive, all domain password hashes can be extracted offline using freely available tools — giving the actor credentials for every Active Directory account.
    • Kerberos silver and golden ticket capability follows from NTDS extraction, providing long-term, stealthy authenticated access even after password resets on individual accounts.
    • MSTIC observed `certutil` used to encode and stage credential material for later retrieval via the edge-device foothold.
  5. Phase 05 · Defense Evasion (TA0005)

    Living-off-the-land: zero malware, only signed Microsoft binaries — and logs wiped on the way out

    • No custom malware was deployed on victim hosts in documented intrusions; every tool used (wmic, ntdsutil, certutil, netsh, PsExec) ships with Windows or is a widely used, signed admin utility.
    • Event logs were cleared using `wevtutil cl System` and `wevtutil cl Security` to remove evidence of lateral movement and credential access.
    • The actor disabled or tampered with security logging on network devices to prevent detection of reconnaissance commands.
    • CISA assessed that the actor's primary defense evasion goal was to blend into normal system-administrator activity to survive forensic triage and threat hunts.
    • The use of the KV-botnet (phase 2) is itself a defense evasion measure at the network layer, making all external C2 traffic appear local.
  6. Phase 06 · Lateral Movement & Persistence (TA0008)

    Valid domain credentials drive lateral movement — PsExec and WinRM, no implant required

    • With harvested NTDS credentials, Volt Typhoon moved laterally using PsExec and Windows Remote Management (WinRM), both legitimate remote-admin protocols already enabled in operational technology environments.
    • Impacket-style pass-the-hash and pass-the-ticket techniques authenticated to additional hosts without re-using cleartext passwords.
    • Persistence rested almost entirely on valid domain credentials (T1078.002), meaning the actor could re-enter networks at will — no scheduled tasks, registry run keys, or implants that could be detected and removed.
    • On network devices, the actor installed modified firmware or config backdoors to maintain a persistent foothold independent of Windows domain accounts.
    • CISA confirmed access durations of multiple years in some victim networks without detection.
  7. Phase 07 · Pre-positioning (TA0040)

    Pre-positioning, not espionage — a latent capability to disrupt U.S. critical infrastructure on command

    • The U.S. government assessed Volt Typhoon's purpose is NOT intelligence collection but pre-positioning for potential disruptive or destructive attacks against U.S. critical infrastructure sectors: communications, energy, transportation systems, and water/wastewater.
    • Particular focus was placed on Guam — a critical Indo-Pacific logistics and military staging hub — as well as U.S. mainland targets in all five sectors.
    • CISA's February 2024 Five Eyes advisory stated the actor sought to develop capabilities that could disrupt critical infrastructure in the event of a geopolitical crisis or armed conflict involving the United States and the PRC.
    • No destructive action has been publicly attributed to this campaign to date; the threat is the pre-positioned access itself, held in reserve.
    • Network sniffing (T1040) was observed on OT-adjacent network segments, consistent with learning the operational environment rather than immediate exfiltration.
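Added detection example for Phases 03 to 05 (discovery, ntds.dit IFM dump, log clearing): a rule set that scores the LOTL command sequence over process-creation events and alerts on behaviour rather than binary reputation. This is illustrative code written for this page, not a vendor detection or anything from the cited advisories; the rule labels, host and user names, timestamps and command lines are constructed assumptions.

```python
"""Rule-based detection of a Volt Typhoon-style living-off-the-land sequence in
Windows process-creation events (Security 4688 / Sysmon Event ID 1 fields).
Rules and sample events are constructed for illustration, not vendor detections."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# (label, ATT&CK technique, command-line pattern); techniques follow the page
RULES = [
    ("wmic discovery",    "T1059.003", re.compile(r"\bwmic\b.*\b(process list|os get)\b", re.I)),
    ("network discovery", "T1016",     re.compile(r"\b(netsh\s+int(erface)?\s+ip\s+show|ipconfig\s+/all|netstat\s+-ano)\b", re.I)),
    ("AD enumeration",    "T1087.002", re.compile(r"\bldifde\b", re.I)),
    ("ntds.dit IFM dump", "T1003.003", re.compile(r"\bntdsutil\b.*\bifm\b.*\bcreate\s+full\b", re.I)),
    ("event log cleared", "T1070.001", re.compile(r"\bwevtutil\b\s+cl\b", re.I)),
]
# A single hit on these is enough to alert; the others must cluster in time
SEVERE = {"ntds.dit IFM dump", "event log cleared"}

def classify(cmd):
    """All (label, technique) pairs whose pattern matches one command line."""
    return [(label, tid) for label, tid, rx in RULES if rx.search(cmd)]

def scan(events, window=timedelta(minutes=60), min_distinct=3):
    """events: iterable of (iso_timestamp, host, user, command_line). Returns one
    alert per (host, user) whose hits inside a sliding window reach min_distinct
    distinct rule labels or include any SEVERE label."""
    by_actor = defaultdict(list)
    for ts, host, user, cmd in events:
        for label, tid in classify(cmd):
            by_actor[(host, user)].append((datetime.fromisoformat(ts), label, tid))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()  # chronological, so each window starts at hit i
        for i, (t0, _, _) in enumerate(hits):
            win = [h for h in hits[i:] if h[0] - t0 <= window]
            labels = {h[1] for h in win}
            if len(labels) >= min_distinct or labels & SEVERE:
                alerts.append({"host": host, "user": user, "labels": sorted(labels),
                               "techniques": sorted({h[2] for h in win}),
                               "start": t0.isoformat(), "end": win[-1][0].isoformat()})
                break  # one alert per actor is enough for triage
    return alerts

# Constructed sample: discovery -> IFM dump -> log wipe on a DC, plus benign workstation noise
SAMPLE = [
    ("2024-01-15T02:11:03", "DC01", "CORP\\svc_backup", "wmic process list /format:csv"),
    ("2024-01-15T02:11:41", "DC01", "CORP\\svc_backup", "netsh int ip show config"),
    ("2024-01-15T02:12:10", "DC01", "CORP\\svc_backup", "netstat -ano"),
    ("2024-01-15T02:19:55", "DC01", "CORP\\svc_backup", 'ntdsutil "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q'),
    ("2024-01-15T02:33:07", "DC01", "CORP\\svc_backup", "wevtutil cl Security"),
    ("2024-01-15T09:02:15", "WS042", "CORP\\jdoe", "ipconfig /all"),  # isolated, no alert
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

The isolated `ipconfig /all` on the workstation is deliberately not alerted: the point of the page is that single signed-binary executions are normal admin noise, and only the clustered sequence (or a severe single event such as the IFM dump or log clear) is the signal.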
Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Volt Typhoon (Bronze Silhouette / DEV-0391)
Capability
  • T1190
  • T1133
  • T1090.003
  • T1071.001
  • T1059.003
Infrastructure
  • KV-botnet / JDY-botnet relay: compromised end-of-life SOHO routers and VPN appliances used as multi-hop C2 proxies (see Phase 02)
Victim
  • U.S. critical infrastructure: communications, energy, transportation, water/wastewater; Guam as Indo-Pacific staging priority (see narrative above)
Primary sources
  • CISA AA23-144A
  • CISA AA24-038A
  • MSTIC 2023-05-24
  • DOJ 2024-01-31
  • MITRE G1017