Threat Actor Profile: Volt Typhoon

State-sponsored cyber operations increasingly form part of long-term strategic competition, particularly through espionage activities targeting sectors essential to national security and economic stability. These operations are typically conducted by advanced persistent threat (APT) groups that prioritize intelligence collection and sustained access over immediate or visible impact. One such actor is Volt Typhoon, a China-linked threat group that has been active since at least 2021 – though large-scale attribution did not occur until 2023 – and is primarily associated with espionage and intelligence collection through strategic pre-positioning within critical infrastructure environments. The group is commonly tracked under several aliases, most notably Vanguard Panda, BRONZE SILHOUETTE, and Insidious Taurus.

Volt Typhoon is distinguished by its operational focus on stealth and persistence rather than the deployment of custom malware or overtly disruptive techniques. Reported activity indicates that the group relies heavily on valid credentials and native system tools – a technique commonly referred to as “living off the land” (LOTL) – to access and operate within target environments, allowing it to blend into legitimate administrative activity. This approach complicates detection and attribution, particularly in large enterprise and infrastructure environments where similar administrative behaviour is routine. In some confirmed cases, Volt Typhoon maintained undetected access to victim networks for at least five years before discovery.

Activity attributed to Volt Typhoon has been observed in a range of countries, with targeting concentrated on sectors connected to critical infrastructure and industrial operations. U.S. authorities have specifically highlighted the group's focus on Guam (a U.S. Pacific territory hosting major American military installations) as indicative of its broader strategic intent, given the island's significance to U.S. military operations in the Indo-Pacific.

In order to assess the threat posed by Volt Typhoon, this profile examines the group’s origins, motivations, campaigns, tools, and techniques, as well as broader trends, sectoral implications, and defensive considerations relevant to affected industries.

  • Aliases: BRONZE SILHOUETTE, VANGUARD PANDA, UNC3236, Insidious Taurus, Redfly, VOLTZITE, DEV-0391, Storm-0391
  • Strategic motives: Espionage, information theft, and long-term pre-positioning in critical infrastructure environments
  • Affiliation: People’s Republic of China (PRC)
  • Cyber capabilities: ★★★★☆
  • Target sectors: Communications, manufacturing, energy, transportation, construction, maritime, information technology, education, and government-related infrastructure
  • Observed countries: United States, United Kingdom, Australia, India, Italy, Germany, France, Belgium, Slovenia, Romania, Czech Republic, Canada, New Zealand, Taiwan

Origins, Motivations & Targets

Origins

Volt Typhoon is an advanced persistent threat group with publicly documented activity dating to at least 2021, with large-scale public attribution first occurring in 2023. Early reporting describes the group's initial discovery as the result of investigations into covert intrusions characterised by long dwell times and minimal use of distinctive malware, rather than the identification of unique malware families. The group was first publicly named and attributed by Microsoft on May 24, 2023, followed the same day by a joint advisory from the cybersecurity agencies of the Five Eyes intelligence alliance (the United States, United Kingdom, Australia, Canada, and New Zealand), one of the most significant coordinated public attribution events in recent memory. These early intrusions were marked by an emphasis on maintaining access while avoiding indicators likely to trigger traditional security controls.

From the outset, Volt Typhoon demonstrated extensive use of living-off-the-land (LOTL) techniques and legitimate administrative tooling following initial compromise, indicating a deliberate focus on operational security and persistence. Rather than deploying custom malware (which carries a higher risk of detection and attribution) the group made use of tools native to the Windows operating system, including wmic, ntdsutil, netsh, and PowerShell, to conduct reconnaissance, harvest credentials, and move laterally through victim environments. The group also made early use of compromised small office and home office (SOHO) network devices as intermediate relay infrastructure, later identified by researchers as the KV-Botnet, suggesting early investment in methods designed to obscure the origin of malicious activity and complicate detection and attribution. This combination of stealth, access maintenance, and internal reconnaissance points to an operational model designed for prolonged presence rather than short, high-impact campaigns.
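The LOTL tradecraft described above is detectable precisely because the native tools leave process-creation records. The following script is an added example, not code from the original profile or from any of the agencies or vendors it cites: it runs a small set of rules over constructed Windows process-creation records (JSON lines; every hostname, username and command line is invented for the demonstration) and groups hits per host. The rule patterns are modelled on the command shapes the joint advisories associate with this actor, such as ntdsutil IFM dumps of NTDS.dit, copies of ntds.dit from a volume shadow copy, netsh portproxy relays, wmic remote process creation and comsvcs.dll MiniDump use against LSASS; the field names (ts, host, user, parent, cmdline) are an assumed log schema, not a real product's format.

```python
"""Added example: flag living-off-the-land command lines of the kind
associated with Volt Typhoon in constructed process-creation logs."""
import json
import re
from dataclasses import dataclass

# Rule name, severity, regex over the full command line. The shapes are
# modelled on LOTL commands documented in the joint advisories; the exact
# patterns are this example's own assumptions and will need tuning per estate.
LOTL_RULES = [
    ("ntdsutil_ifm_dump", "high",
     re.compile(r"\bntdsutil(?:\.exe)?\b.*\bac\s+i\s+ntds\b.*\bifm\b", re.I)),
    ("shadow_copy_ntds_access", "high",
     re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b"
                r"|HarddiskVolumeShadowCopy\d+\\.*\bntds\.dit\b", re.I)),
    ("netsh_portproxy_relay", "medium",
     re.compile(r"\bnetsh(?:\.exe)?\s+interface\s+portproxy\s+add\s+v4tov4\b", re.I)),
    ("wmic_remote_process_create", "medium",
     re.compile(r"\bwmic(?:\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b", re.I)),
    ("lsass_dump_comsvcs", "high",
     re.compile(r"\brundll32(?:\.exe)?\b.*\bcomsvcs\.dll\b.*\bMiniDump\b", re.I)),
]

# Constructed sample log (JSON lines). Hosts, users and commands are invented.
# One line is deliberately malformed to show that parsing failures are skipped.
SAMPLE_LOG = r"""
{"ts": "2024-03-02T03:14:07Z", "host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmdline": "ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\pro\" q q"}
{"ts": "2024-03-02T03:20:41Z", "host": "SRV-WEB02", "user": "CORP\\jdoe", "parent": "cmd.exe", "cmdline": "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=10.20.30.40 connectport=8443"}
{"ts": "2024-03-02T08:02:13Z", "host": "WS-ADMIN1", "user": "CORP\\itops", "parent": "powershell.exe", "cmdline": "wmic.exe qfe list brief"}
{"ts": "2024-03-02T03:22:05Z", "host": "SRV-WEB02", "user": "CORP\\jdoe", "parent": "cmd.exe", "cmdline": "wmic.exe /node:10.20.30.41 process call create \"cmd.exe /c whoami > C:\\Windows\\Temp\\w.txt\""}
{"ts": "2024-03-02T03:16:30Z", "host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmdline": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp\\n.dit"}
{"ts": "2024-03-02T08:05:00Z", "host": "WS-ADMIN1", "user": "CORP\\itops", "parent": "cmd.exe", "cmdline": "netsh interface show interface"}
this line is not JSON and must be skipped
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    host: str
    user: str
    cmdline: str


def parse_records(text):
    """Yield one dict per well-formed JSON line that carries a command line."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed telemetry is dropped, not allowed to stop the scan
        if isinstance(rec, dict) and "cmdline" in rec:
            yield rec


def detect(text):
    """Return every (rule, record) match as a Finding; a record may hit several rules."""
    findings = []
    for rec in parse_records(text):
        cmd = rec["cmdline"]
        for name, severity, rx in LOTL_RULES:
            if rx.search(cmd):
                findings.append(Finding(name, severity,
                                        rec.get("host", "?"), rec.get("user", "?"), cmd))
    return findings


def summarize_by_host(findings):
    """Map host -> set of distinct rule names. A host showing several distinct
    LOTL steps (relay setup plus credential dumping, for instance) is a stronger
    signal than any single hit and should be triaged first."""
    summary = {}
    for f in findings:
        summary.setdefault(f.host, set()).add(f.rule)
    return summary


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity}] {f.host} {f.user}: {f.rule}")
    for host, rules in summarize_by_host(hits).items():
        print(f"{host}: {len(rules)} distinct LOTL behaviours -> {sorted(rules)}")
```

The benign records (a patch inventory via wmic and a plain netsh interface listing) produce no hits, which is the point: the rules key on the arguments that make a native tool dangerous, not on the binary name alone. In a real estate the same logic would read Security event 4688 or Sysmon event 1 with command-line auditing enabled, and the per-host grouping is what turns isolated medium-severity hits into an incident.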

Multiple assessments from government agencies and independent cybersecurity researchers attribute Volt Typhoon, with high confidence, to state-sponsored activity linked to the People's Republic of China (PRC). The PRC has publicly denied these attributions. Early operational focus included critical infrastructure environments in the United States and U.S. territories such as Guam (home to Andersen Air Force Base and Naval Base Guam, two installations critical to U.S. military posture in the Indo-Pacific), aligning with strategic considerations related to communications, logistics, and military readiness. Independent industrial threat reporting by Dragos, which tracks the group as VOLTZITE, has identified activity clusters associated with Volt Typhoon operations emerging from 2021 onward, with a particular concentration on electric utilities, telecommunications providers, and emergency services in the United States and allied nations, reinforcing the assessment that the group operates as part of a broader, sustained effort targeting strategically relevant systems.

Motivations & Targets

Volt Typhoon's observed activity is primarily motivated by strategic espionage and long-term intelligence collection, clearly distinguishing the group from cybercriminal threat actors operating in overlapping sectors. The group's behaviour reflects an emphasis on covert, sustained access to networks supporting critical services, consistent with objectives centred on strategic situational awareness and operational pre-positioning. This is reinforced by U.S. official assessments characterising the group's activity as preparation for potential future disruptive action during periods of geopolitical crisis, rather than an end in itself. Notably, Dragos has assessed that the group's interest in operational technology (OT) environments and geographic information system (GIS) data (mapping the physical layout of infrastructure) points toward pre-positioning for potential sabotage rather than passive intelligence collection alone.

Targeting has been concentrated on organisations within critical infrastructure and closely related industries. Publicly reported victim sectors include communications, energy, transportation, maritime, manufacturing, construction, information technology, emergency services, and education. Private-sector operators of essential services represent the largest portion of confirmed targets, alongside a smaller number of government-affiliated entities. Financial motivations have not been observed in any publicly attributed Volt Typhoon activity. This absence is itself analytically significant: it indicates that access to victim environments serves strategic rather than economic objectives, and that the group's targeting decisions are driven by geopolitical relevance rather than the monetisation potential of compromised data.

Geographically, confirmed activity has primarily focused on the United States and U.S. territories, most notably Guam, assessed as a strategic target due to its role in Indo-Pacific military logistics and communications. The Five Eyes nations (the United States, United Kingdom, Australia, Canada, and New Zealand) co-authored the joint May 2023 advisory and represent the most authoritatively documented geographic scope. Activity in additional countries, including India and several European nations, has been referenced in vendor reporting, though attribution strength varies and these assessments carry lower levels of official confirmation than the Five Eyes cases.

Taken together, these motivations and targeting patterns reflect a calculated, long-term approach aimed at embedding persistent access within strategically significant environments.

SWOT analysis

Strengths, weaknesses, opportunities & threats

Strengths

  • Access to significant state resources and long-term strategic tasking
  • Stealthy tradecraft based on credential abuse and living-off-the-land techniques
  • Established covert relay infrastructure
  • Broad sectoral access across critical infrastructure

Weaknesses

  • Strong dependence on valid credentials and existing access paths
  • Limited use of bespoke tooling reduces operational flexibility
  • Dependence on third-party infrastructure introduces operational risk

Opportunities

  • Ability to pre-position within globally interconnected infrastructure
  • Expanding digital dependency across critical infrastructure environments
  • Persistent underdetection due to LOTL tradecraft

Threats

  • Increased international focus on Chinese state-sponsored cyber activity
  • Growing effectiveness of identity-centric and behaviour-based detection
  • Active law enforcement and government disruption operations


Volt Typhoon in the Netherlands

At the time of writing, there are no publicly confirmed or formally attributed intrusions by Volt Typhoon against Dutch organisations. The absence of public attribution should not be interpreted as evidence that Dutch entities fall outside the group's operational scope. Public reporting links Volt Typhoon to long-term espionage operations targeting critical infrastructure and strategically significant industries in the United States and allied countries, including the United Kingdom and Australia. These operations emphasise access maintenance and internal reconnaissance, suggesting objectives related to strategic positioning rather than immediate operational impact. This targeting logic is not geographically bound but instead prioritises organisations that play a role in interconnected international systems such as logistics, communications, energy distribution, and industrial supply chains.

The Netherlands occupies a central position within these systems due to its role as a hub for European logistics, maritime transport, digital connectivity, and industrial production. The Port of Rotterdam (the largest port in Europe) and Amsterdam Internet Exchange (AMS-IX) (one of the world's largest internet exchange points) represent exactly the kind of strategically significant infrastructure that Volt Typhoon has demonstrably targeted elsewhere. National threat assessments have explicitly warned of sustained interest by state-linked actors, including those affiliated with China, in Dutch economic, technological, and infrastructure assets, particularly where access could have broader international consequences. The AIVD's 2025 threat assessment specifically identified Chinese state-sponsored cyber actors as among the most significant and persistent threats facing the Netherlands, noting a pattern of targeting that aligns closely with Volt Typhoon's observed operational focus. While these assessments do not attribute specific incidents to Volt Typhoon by name, they describe a threat landscape that closely aligns with the group's observed targeting patterns in other countries.

Attribution challenges further complicate detection in this context. Volt Typhoon's reliance on valid accounts and trusted network paths means that intrusions may be detected as anomalous behaviour without being conclusively linked to a specific threat actor. In practice, organisations may identify credential misuse or suspicious internal activity without being able to determine whether it is associated with Volt Typhoon or another APT.

From a defensive perspective, this uncertainty should be viewed as a call to action. Volt Typhoon's operations demonstrate that malicious activity can often be detected at the behavioural level even when attribution remains unclear. Given the broader strategic context, the Netherlands' position as a critical node in European and global infrastructure, and the documented involvement of Chinese state-sponsored actors in operations targeting comparable environments, Volt Typhoon remains a relevant and credible threat within the Dutch threat landscape despite the lack of publicly confirmed cases.

Trends & Connections

Volt Typhoon's activity reflects a broader evolution in state-sponsored cyber operations, in which long-term access and strategic positioning take precedence over short-term disruption or demonstrative attacks. Rather than pursuing immediate operational effects, the group's campaigns emphasise persistence, internal reconnaissance, and the maintenance of covert access to environments of strategic relevance. The group demonstrates sustained interest in civilian and commercial infrastructure with broader systemic importance. This targeting mirrors warnings from Western intelligence services regarding cyber-enabled pre-positioning by state-backed actors, intended to provide strategic leverage during periods of heightened geopolitical tension, and aligns with a growing trend among advanced state-backed actors to treat cyber operations as a preparatory capability integrated into wider geopolitical and national security planning.

A defining characteristic of this trend is the deliberate minimisation of unique tooling. Volt Typhoon's reliance on valid accounts, native system utilities, and living-off-the-land techniques mirrors tradecraft increasingly observed across multiple Chinese state-linked cyber operations. By avoiding custom malware and overt command-and-control infrastructure, the group reduces attribution confidence and extends dwell time in complex enterprise environments. This approach is not unique to Volt Typhoon but reflects a broader doctrinal shift across PRC-affiliated threat actors toward operationally disciplined, low-noise intrusion tradecraft.

Within this context, Volt Typhoon is best understood as part of a broader ecosystem of Chinese state-sponsored cyber capability. While the group exhibits its own operational patterns, significant overlap exists with other PRC-aligned intrusion clusters at the level of access methods, infrastructure abuse, and targeting logic. Analysts have noted similarities between Volt Typhoon and other China-linked threat groups that emphasise credential abuse and stealthy persistence, suggesting coordination at a doctrinal or organisational level rather than coincidental tactical overlap.

This ecosystem-based view is further illustrated by reporting on the exploitation of multiple zero-day vulnerabilities in Ivanti Connect Secure appliances in late 2023 and early 2024. During this activity, several Chinese espionage clusters were observed exploiting the same vulnerabilities — specifically CVE-2023-46805 and CVE-2024-21887 — for initial access while displaying distinct post-compromise behaviour, suggesting parallel operations by related but separately managed threat clusters. One such cluster, UNC5135, has been assessed with moderate confidence to be linked to UNC3236, which is in turn suspected to align with publicly reported Volt Typhoon activity. This assessment should be treated as tentative rather than confirmed, given the moderate confidence level of the underlying attribution.
