Volt Typhoon China-Backed APT Infiltrates US Critical Infrastructure Orgs

Published: 23/11/2024   Category: security




According to Microsoft and researchers, the state-sponsored threat actor could very well be setting up a contingency plan for disruptive attacks on the US in the wake of an armed conflict in the South China Sea.



China-sponsored threat actors have managed to establish persistent access within telecom networks and other critical infrastructure targets in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and broader Pacific.
That's according to a breaking investigation from Microsoft, which dubs the advanced persistent threat (APT) Volt Typhoon. It's a known state-sponsored group that has been observed carrying out cyber espionage activity in the past by researchers at Microsoft, Mandiant, and elsewhere.
While espionage appears to be the goal for now, there could very well be a more sinister purpose at play. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises, according to the analysis.
The first signs of compromise emerged in telecom networks in Guam, according to a New York Times report published ahead of the findings being released. The National Security Agency discovered those intrusions around the same time that the Chinese spy balloon was making headlines for entering US airspace, according to the report. It then enlisted Microsoft to further investigate, eventually uncovering a widespread web of compromises across multiple sectors, with a particular focus on air, communications, maritime, and land transportation targets.
The discovery of the activity is playing out against the backdrop of the US's frosty relations with Beijing; the two superpowers have stalled in their diplomacy since the shooting down of the balloon, and relations have worsened amid fears that Russia's invasion of Ukraine could spur China to do the same in Taiwan.
In the event of a military crisis, a destructive cyberattack on US critical infrastructure could disrupt communications and hamper the country's ability to come to Taiwan's aid, the Times report pointed out. Or, according to John Hultquist, chief analyst at Mandiant Intelligence - Google Cloud, a disruptive attack could be used as a proxy for kinetic action.
"These operations are aggressive and potentially dangerous, but they don't necessarily indicate attacks are looming," he said in an emailed statement. "A far more reliable indicator for [a] destructive and disruptive cyberattack is a deteriorating geopolitical situation. A destructive and disruptive cyberattack is not just a wartime scenario either. This capability may be used by states looking for alternatives to armed conflict."
Dubbing such preparations "contingency intrusions," he added that China is certainly not alone in conducting them — although notably, China-backed APTs are typically far more focused on cyber espionage than destruction.
"Over the last decade, Russia has targeted a variety of critical infrastructure sectors in operations that we do not believe were designed for immediate effect," Hultquist noted. "Chinese cyber threat actors are unique among their peers in that they have not regularly resorted to destructive and disruptive cyberattacks. As a result, their capability is quite opaque."
To achieve initial access, Volt Typhoon compromises Internet-facing Fortinet FortiGuard devices, a popular target for cyberattackers of all stripes (Microsoft is still examining how they're being breached in this case). Once inside the box, the APT uses the device's privileges to extract credentials from Active Directory accounts and authenticate to other devices on the network.
Once in, the state-sponsored actor uses the command line and living-off-the-land binaries to find information on the system, discover additional devices on the network, and exfiltrate data, according to the analysis.
To cover its tracks, Volt Typhoon proxies its network traffic through compromised small office/home office (SOHO) routers and other edge devices from ASUS, Cisco, D-Link, NETGEAR, and Zyxel — that allows it to blend into normal network activity, Microsoft researchers noted.
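One defensive check that follows from the behaviour described above (a network device's Active Directory credentials being reused to authenticate across many internal hosts) is a fan-out hunt over authentication logs. The script below is an added example, not code from Microsoft's or the NSA's publications; the log format, host names and the service account `svc-fw-ldap` are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of simplified authentication events (not real logs).
# Fields: timestamp, account, source host, destination host, logon type.
# svc-fw-ldap is a hypothetical service account that an edge firewall uses
# for directory lookups; it should never log on to many hosts in minutes.
CONSTRUCTED_AUTH_EVENTS = """\
2024-11-23T01:00:05Z svc-fw-ldap fw-edge-01 dc-01 network
2024-11-23T01:00:09Z svc-fw-ldap fw-edge-01 fileserver-02 network
2024-11-23T01:00:14Z svc-fw-ldap fw-edge-01 hr-ws-17 network
2024-11-23T01:00:21Z svc-fw-ldap fw-edge-01 ot-jump-01 network
2024-11-23T01:00:30Z svc-fw-ldap fw-edge-01 scada-hist-01 network
2024-11-23T01:02:11Z jdoe ws-104 fileserver-02 network
2024-11-23T01:03:40Z jdoe ws-104 dc-01 network
2024-11-23T02:15:00Z svc-fw-ldap fw-edge-01 dc-01 network
"""


def parse_events(text):
    """Parse the constructed whitespace-separated format into tuples."""
    events = []
    for line in text.splitlines():
        ts, account, src, dst, logon_type = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       account, src, dst, logon_type))
    return events


def find_fanout(events, window=timedelta(minutes=10), max_hosts=3):
    """Return {(account, source_host): destinations} for every account/source
    pair that reaches more than max_hosts distinct destinations inside any
    sliding time window. Only network logons are considered."""
    by_key = defaultdict(list)
    for ts, account, src, dst, logon_type in events:
        if logon_type == "network":
            by_key[(account, src)].append((ts, dst))
    alerts = {}
    for key, hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            reached = {d for t, d in hits[i:] if t - start <= window}
            if len(reached) > max_hosts:
                alerts[key] = reached
                break
    return alerts


if __name__ == "__main__":
    for (account, src), hosts in find_fanout(parse_events(CONSTRUCTED_AUTH_EVENTS)).items():
        print(f"ALERT {account}@{src} reached {len(hosts)} hosts: {sorted(hosts)}")
```

Tune `window` and `max_hosts` to the baseline of each service account; the point is that a firewall's directory account fanning out to workstations and OT hosts is the lateral movement pattern the report describes.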
The post also provides mitigation advice and indicators of compromise, and the NSA has published a tandem advisory on Volt Typhoon (PDF) with details on how to hunt for the threat.
