Under Attack? Contact Us Start a Free Demo

Defending Against Volt Typhoon: A State-Sponsored Stealthy Threat to Critical Infrastructure

Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus) is a state-sponsored cyber actor group believed to be affiliated with the People’s Republic of China (PRC). This group has been actively targeting critical infrastructure sectors in the United States since at least mid-2021. The primary objective of this group is to perform espionage and gain persistent access to target networks for potential disruptive or destructive attacks in the future.

Volt Typhoon – Tactics, Techniques, and Procedures (TTPs)

Volt Typhoon employs a variety of techniques to achieve their goals. Here’s a breakdown of their tactics mapped to the MITRE ATTick framework:

 CISA Alert AA24-038A provides a detailed analysis of Volt Typhoon’s TTPs, including their reconnaissance tactics and initial access methods and highlights Volt Typhoon’s use of LotL techniques and targeting of critical infrastructure.. (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a) It’s important to note that this is not an exhaustive list, and Volt Typhoon may adapt their tactics based on the target and situation.

FBI & US Government Express Concerns about Volt Typhoon

The FBI and US government have expressed strong concern about Volt Typhoon, highlighting the group’s potential to disrupt critical infrastructure and endanger American safety. Here’s a breakdown of their key points and actions:

  • Targeting Critical Infrastructure: Both the FBI and government agencies like CISA have emphasized Volt Typhoon’s focus on compromising critical infrastructure sectors in the US. This includes vital services like energy, communications, and transportation. ([invalid URL removed])
  • Espionage and Disruption: Officials believe Volt Typhoon’s primary objective is not immediate destruction, but gaining long-term access to networks for potential espionage and disruption in the future. This allows them to gather sensitive data and potentially launch attacks in times of geopolitical tension. ([invalid URL removed])
  • Pre-Positioning for Harm: The FBI Director, Christopher Wray, has specifically warned about Volt Typhoon’s “pre-positioning” to cause real-world harm. This suggests their long-term access could be used to manipulate infrastructure and cause disruptions during future conflicts. (https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical)

Industries Targeted By Volt Typhoon:

Volt Typhoon has primarily focused on compromising critical infrastructure organizations in the United States. Their targets have spanned across various sectors, including:

  • Communications
  • Manufacturing
  • Utilities
  • Transportation
  • Construction
  • Maritime
  • Government
  • Information Technology
  • Education

This broad targeting suggests a potential effort to gain a foothold in various sectors for widespread disruption or data collection in the future.

US Government Actions

The US government’s response reflects a proactive approach to defending critical infrastructure and deterring potential cyberattacks from state-sponsored actors. However, the ongoing investigation and the possibility of the Volt Typhoon adapting their tactics highlight the constant vigilance required to stay ahead of cyber threats.

How to Stay Vigilant and Protected from State-Sponsored Threats?

The only way to protect your organization from such sophisticated state-sponsored cyber threats is by adopting unconventional threat detection techniques. Traditional security tools fail to detect such advanced cyber threats. But we have a solution for you!

NetSecurity’s ThreatResponder® Platform is a unified cloud-native cyber-resilient endpoint security platform with an AI-based threat detection engine that can provide effective endpoint threat detection, prevention, response, analytics, intelligence, investigation, and hunting solutions that can help businesses stay ahead of the latest cyber threats.

With ThreatResponder®, organizations gain situational awareness and immediate threat visibility into thousands of endpoints, allowing them to respond to and neutralize cyber attacks across their enterprise. The platform provides 361° threat visibility of enterprise assets, regardless of their location, and is capable of detecting and preventing a wide range of attacks, including exploit, fileless, malware, and ransomware attacks.

The platform is also designed to provide powerful tools for incident response and forensics investigation on remote endpoints, as well as insider threat and data loss prevention capabilities. Furthermore, ThreatResponder® can ingest data from millions of endpoints, providing organizations with valuable insights into users’ activities and network bandwidth utilization. The platform offers a comprehensive threat intelligence module, allowing organizations to consume threat intel from various sources, produce their own threat intelligence, and perform malware analysis using MaLyzer™.

NetSecurity’s ThreatResponder® Platform can help organizations stay ahead of the latest cyber threats. With its comprehensive features, ThreatResponder® provides organizations with the tools they need to detect, prevent, respond to, and investigate cyber attacks, all in one place.

Don’t wait for disaster to strike. Modernize your threat detection capabilities with our ThreatResponder platform today. Contact NetSecurity to learn more and request a free demo.


The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).