
Volt Typhoon Living-Off-the-Land Tactics Detailed — March 7, 2024

Joint advisory AA24-064A shows PRC actor Volt Typhoon living off the land inside U.S. critical infrastructure, pushing operators to harden edge devices, hunt for credential abuse, and accelerate segmentation across IT and OT networks.

[Figure: horizontal bar chart of credibility scores per cited source]

Executive briefing: On 7 March 2024 CISA, FBI, NSA, the U.S. Department of Energy, and international partners from Australia, Canada, New Zealand, and the United Kingdom released joint advisory AA24-064A detailing People’s Republic of China (PRC) state-sponsored actor “Volt Typhoon.” The advisory warns that Volt Typhoon has maintained long-term access to U.S. critical infrastructure networks by living off the land (LOTL): abusing built-in tools, valid credentials, and unmanaged equipment to evade detection. Operators of communications, energy, transportation, water, and other lifeline sectors must implement aggressive hunt, hardening, and segmentation programmes.

Volt Typhoon targets routers, VPN appliances, firewalls, and operational technology (OT) equipment to establish persistence. The advisory highlights the group’s use of remote administration tools, scheduled tasks, PowerShell, Windows Management Instrumentation (WMI), and stolen credentials. The actor avoids malware and blends with normal traffic, requiring defenders to rely on behavioural analytics, authentication monitoring, and asset baselining.

Threat activity highlights

  • Initial access: Exploiting public-facing systems (Fortinet, Ivanti Connect Secure, SonicWall, Netgear), brute-forcing telnet/SSH, and compromising small office/home office (SOHO) routers to route traffic.
  • Persistence: Creating scheduled tasks, modifying registry keys, and leveraging remote services such as RDP, SMB, and WinRM with stolen credentials.
  • Command and control: Using legitimate services (OneDrive, Dropbox, Google Drive) and compromised routers as proxies.
  • Reconnaissance and lateral movement: Enumerating domain controllers, Active Directory objects, and OT management systems; targeting backup systems and disaster recovery infrastructure.
  • Impact objectives: Pre-positioning for potential disruptive or destructive operations during geopolitical crises—particularly against communications, energy, transportation, and water/wastewater infrastructure.

Recommended defensive actions

The advisory provides extensive mitigation guidance. Key priorities include:

  • Credential hygiene: Enforce multi-factor authentication, eliminate shared accounts, rotate credentials for privileged and service accounts, and monitor for logins from unexpected hosts or service principals.
  • Logging and monitoring: Enable logging on VPNs, firewalls, and remote management systems. Forward logs to a central SIEM, retain them for at least 12 months, and monitor for anomalies such as unusual WMI usage, `net use` commands, or creation of new scheduled tasks.
  • Asset management: Inventory all network devices, including SOHO routers and unmanaged OT hardware. Replace or upgrade end-of-life equipment and enforce configuration baselines.
  • Network segmentation: Separate IT and OT networks, restrict lateral movement with firewalls and access control lists, and implement zero trust network access for remote administration.
  • Hunt operations: Conduct proactive hunts focusing on LOTL behaviours. Use endpoint detection tools to query for suspicious command-line activity and Windows Event IDs associated with credential abuse.
  • Disable unnecessary services: Turn off unused remote services, disable SMBv1, and enforce least privilege on remote administration tools.
  • Backups and recovery: Ensure offline, immutable backups; test restoration of OT configurations; and protect backup systems with MFA and segmentation.
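The hunt the two lists above describe, written out as an added example (not code from the advisory or from Zeph Tech): it scans a batch of constructed Windows Security events, in the dict shape a SIEM export might produce, for the LOTL behaviours called out here: `net use` and remote WMI process creation in process-creation events (4688), scheduled-task creation (4698), local-group membership changes (4720/4732), and service-account network logons from hosts outside a baseline. The field names, the sample events and the EXPECTED_SOURCES baseline are assumptions.

```python
import re
from collections import Counter

# Constructed sample events (field names are an assumption, not the advisory's).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "CommandLine": "net use \\\\DC01\\C$ /user:CORP\\svc_backup"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "CommandLine": "wmic /node:DC01 process call create cmd.exe"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "alice",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4698, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "TaskName": "\\Microsoft\\Windows\\Update"},
    {"EventID": 4732, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "MemberName": "CORP\\helpdesk2", "TargetUserName": "Administrators"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "svc_backup",
     "LogonType": 10, "IpAddress": "192.0.2.77"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "svc_backup",
     "LogonType": 3, "IpAddress": "10.10.1.5"},
]

# Asset baseline (assumed): hosts each service account is expected to log on from.
EXPECTED_SOURCES = {"svc_backup": {"10.10.1.5"}}

# Built-in tooling the advisory flags as living-off-the-land tradecraft.
LOTL_PATTERNS = [
    (re.compile(r"\bnet1?\s+use\b", re.I), "net use to remote share"),
    (re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b", re.I), "remote WMI process creation"),
    (re.compile(r"\bschtasks\b.*/create\b", re.I), "schtasks task creation"),
]

def hunt(events):
    """Return (label, event) pairs for events matching an LOTL indicator."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4688:  # process creation with command line auditing enabled
            for pat, label in LOTL_PATTERNS:
                if pat.search(ev.get("CommandLine", "")):
                    findings.append((label, ev))
        elif eid == 4698:  # scheduled task created
            findings.append(("scheduled task created", ev))
        elif eid in (4720, 4732):  # user created / added to local group
            findings.append(("account created or added to local group", ev))
        elif eid == 4624 and ev.get("LogonType") in (3, 10):  # network / RDP logon
            user = ev.get("TargetUserName")
            if user in EXPECTED_SOURCES and ev.get("IpAddress") not in EXPECTED_SOURCES[user]:
                findings.append(("service account logon from unexpected host", ev))
    return findings

def summarize(findings):
    """Count findings per computer so triage starts with the busiest host."""
    return Counter(ev["Computer"] for _, ev in findings)
```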

Governance actions

Executives and boards overseeing critical infrastructure should treat Volt Typhoon as an enduring strategic threat. Actions include:

  • Establishing a cross-functional task force (security operations, OT engineering, network, legal, communications) to coordinate mitigation.
  • Updating risk registers to reflect potential for disruptive attacks tied to geopolitical tensions.
  • Aligning budgets for asset replacement, logging enhancements, and third-party assessments.
  • Integrating mitigation progress into regulatory compliance reporting (e.g., NERC CIP, TSA Security Directives, EPA enforcement agreements).

Implementation roadmap

  1. Immediate (0–14 days): Review the advisory’s indicators of compromise (IOCs) and detection rules. Capture forensic images of suspect systems, revoke compromised credentials, and apply available patches to edge devices.
  2. Near term (15–60 days): Expand logging, deploy EDR on servers and workstations, and launch hunt missions for suspicious command executions, scheduled tasks, and new administrative accounts. Replace or reflash vulnerable SOHO routers used by remote staff.
  3. Medium term (2–6 months): Implement segmentation projects, update OT network diagrams, and deploy privileged access management. Conduct tabletop exercises simulating Volt Typhoon disruptions.
  4. Long term: Establish continuous monitoring aligned with the NIST CSF 2.0 “Monitor” function. Integrate threat intelligence sharing with CISA’s Joint Cyber Defense Collaborative (JCDC) and sector-specific ISACs.

OT-specific considerations

Volt Typhoon targets OT environments to disrupt operations. Operators should:

  • Ensure remote access to OT systems requires jump servers with MFA and auditing.
  • Implement network intrusion detection tuned for industrial protocols (Modbus, DNP3, OPC UA).
  • Back up programmable logic controller (PLC) and supervisory control and data acquisition (SCADA) configurations and store them offline.
  • Coordinate with OEMs to apply security patches without affecting uptime.

Third-party and supply-chain risk

Volt Typhoon leverages trusted relationships. Review vendor access privileges, require secure remote access solutions, and audit managed service providers. Incorporate LOTL detection expectations into contracts. Encourage suppliers to follow CISA’s Secure by Design principles.

Communications and incident response

Update incident response plans with templates for reporting to CISA, FBI, DOE, and other regulators. Establish communication channels with law enforcement and sector risk management agencies. Prepare media statements addressing potential disruptions and highlight resilience measures.

Metrics and monitoring

Track key metrics: number of critical assets without MFA, percentage of edge devices patched within 14 days, volume of anomalous administrative commands, and results of hunt operations. Report progress to executive leadership and regulators.

Regulatory and compliance considerations

Electric utilities should map mitigation steps to NERC CIP standards (CIP-005, CIP-007, CIP-008) and document evidence for future audits. Pipeline and rail operators should align actions with TSA Security Directives and the forthcoming Surface Transportation Cybersecurity Directive. Water utilities should retain documentation for EPA Safe Drinking Water Act enforcement reviews, which increasingly consider cybersecurity practices. Aligning with these frameworks demonstrates diligence and may mitigate penalties in the event of an incident.

Workforce development

Provide targeted training for system administrators and OT engineers on LOTL detection, command-line logging, and credential hygiene. Conduct joint IT-OT exercises to rehearse detection and response. Establish insider threat awareness to identify unusual behaviour among privileged users.

Technology investments

Consider deploying deception technology, privileged session monitoring, and anomaly detection tuned for administrative protocols. Implement secure access service edge (SASE) or zero trust network access (ZTNA) solutions to minimise reliance on traditional VPNs. Ensure cloud environments connected to critical infrastructure follow the same segmentation and logging principles.

Community and government engagement

Participate in information-sharing forums such as CISA’s JCDC, sector ISACs/ISAOs, and state fusion centres. Establish contacts with local emergency management agencies to coordinate response and resilience planning. Engage with public affairs teams to prepare messaging for stakeholders, regulators, and customers.

Future outlook

Volt Typhoon is expected to continue pre-positioning in critical infrastructure. Organisations should maintain heightened alert during geopolitical flashpoints. Monitor for future advisories and updates to detection signatures. Invest in continuous workforce training, including OT security awareness and incident response drills.
