The Sleeping Dragon: Volt Typhoon and China's Pre-Positioned Cyber Army

The court order had been obtained in secret. The operation was authorized at the highest levels of the US Department of Justice. And in January 2024, FBI cyber operators did something the United States government rarely acknowledges: they hacked back.

Across the United States, in homes and small offices that had no idea their router had been recruited into a foreign military operation, FBI agents used court-authorized commands to remotely access approximately 650 compromised routers — consumer and small-business devices from Netgear, Cisco, ASUS, and DrayTek — and deleted the software the Chinese government had installed. FBI Director Christopher Wray described the operation to the Senate Intelligence Committee as the most aggressive publicly acknowledged offensive US cyber action against a nation-state in peacetime.

But officials were careful to note: those 650 routers were not the whole network. They were the ones the FBI had found. The adversary — a Chinese hacking group that Microsoft and CISA named Volt Typhoon — had been operating inside American critical infrastructure for years. Some victims had been compromised for five years or more before a February 2024 joint advisory from the intelligence agencies of the United States, United Kingdom, Canada, Australia, and New Zealand told the world what was happening.

This was not espionage. This was not data theft. This was something older and colder: pre-positioning. Volt Typhoon was not inside American power grids and water systems to read files. They were inside to learn how things worked, to map the systems that kept cities alive, to identify the switches and valves and failsafes — and to be ready, when the order came, to throw them.

What Volt Typhoon Actually Is

Before May 24, 2023, most people in cybersecurity had never heard the name. On that date, Microsoft and CISA published simultaneous disclosures describing a Chinese state-sponsored threat actor conducting “stealthy and targeted malicious activity” against critical infrastructure — with a particular focus on Guam — using techniques unlike any previously documented Chinese APT.

The distinction emphasized was strategic. Volt Typhoon used no custom malware and left virtually no fingerprints. They had achieved long-term persistent access using nothing but the tools already installed on target systems.

This is living off the land (LotL) — conducting all post-compromise activity using legitimate OS binaries and administrative tools rather than external malware. Windows comes pre-installed with powerful utilities: wmic for system management, ntdsutil for Active Directory manipulation, netsh for network configuration, PowerShell for scripting. A skilled attacker using only these tools looks, in the logs, like a system administrator doing ordinary work. Volt Typhoon had elevated this technique to an art form, conducting months or years of reconnaissance while generating minimal forensic artifacts.

Threat Actor Profile: Volt Typhoon

Designation: Volt Typhoon; tracked as Bronze Silhouette (Secureworks), Vanguard Panda (CrowdStrike), Voltzite (Dragos, ICS/OT-focused subset)
Attribution: People’s Republic of China MSS/PLA; attributed by US, UK, Canada, Australia, and New Zealand in a joint advisory dated February 7, 2024
Primary Mission: Pre-positioning within US critical infrastructure for potential disruptive cyberattacks in the event of US-China military conflict, specifically related to a potential action against Taiwan
Known Tradecraft: 100% living-off-the-land post-compromise; exploitation of internet-facing VPN appliances and SOHO routers; proxy botnet construction; 5+ year persistent access in some victims; OT/ICS reconnaissance; deliberate avoidance of data theft

Notorious Operations:

  • Pacific Rim / Guam Targeting: Targeted communications infrastructure in Guam and the continental US — assessed as preparation for disrupting US military command and logistics in a Pacific conflict.
  • Salt Typhoon (2024): Related Chinese operation that penetrated US telecoms including AT&T, Verizon, and Lumen Technologies, accessing communications of senior US government officials. Described by Senator Mark Warner as “the worst telecom hack in US history.”

Why Guam? The Strategic Logic of the Pacific

Guam hosts Andersen Air Force Base and Naval Base Guam — the westernmost substantial US military installations in the Pacific. In any US response to a Chinese invasion of Taiwan, Guam would be the primary staging and logistics hub. B-2 stealth bombers are based at Andersen; submarines operate from Apra Harbor.

From China’s perspective, disrupting Guam’s communications, power, and logistics at the moment of a military operation could be the difference between a coordinated US response and one that was blind during the critical opening hours. The same logic applied to the mainland: disrupting civilian power, water, and communications would create domestic political pressure to limit US military intervention.

This is the doctrine Chinese planners call integrated network electronic warfare — cyber operations pre-positioned to activate in coordination with military action, not as intelligence tools but as kinetic enablers.

The Technique: Living Off the Land and the KV Botnet

Initial access came through internet-facing vulnerabilities in perimeter devices: Fortinet FortiGate VPN appliances (CVE-2022-40684), Cisco routers, NETGEAR ProSAFE devices, and Citrix ADC systems — known vulnerabilities combined with default credentials small organizations had never changed. Entry through edge devices provided two advantages: they are rarely monitored as rigorously as workstations, and compromising them allowed traffic manipulation that obscured subsequent activity.

Once inside, operators used only Windows built-in tools: wmic for system discovery, ntdsutil for dumping Active Directory credentials, netsh for port proxying, certutil for file operations, and vssadmin to delete Volume Shadow Copies. Command syntax was deliberately crafted to match legitimate administrator activity — indistinguishable from IT staff work in any organization without behavioral baselines.
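The two passages above make a detection point as much as an attack point: the binaries are legitimate, so the signal is not the tool itself but the combination of which sub-function was invoked and whether the account running it normally does administrative work on that host. The following is an added example, not code from the original article or from any of the vendors or agencies it names. It scores constructed process-creation records (a simplified 4688/Sysmon-style "timestamp|host|user|command line" format that is an assumption of this example) against the native binaries the article lists and a hand-written admin baseline. The `BASELINE` table, the scoring weights, the severity thresholds and the sample events are all constructed for illustration.

```python
"""Scoring living-off-the-land (LotL) tool use against a behavioral baseline.

Constructed example: simplified Windows process-creation records are parsed,
matched against the native binaries named in the Volt Typhoon reporting, and
scored higher when the account running them is not one that normally does
administrative work on that host.
"""
import re
from dataclasses import dataclass

# Binaries named in the reporting, each with argument patterns for the specific
# use described: AD database export via ntdsutil, port proxying via netsh,
# shadow-copy deletion via vssadmin, download/decode via certutil, remote
# process execution via wmic, encoded or profile-less PowerShell.
# Patterns are regexes applied to the lower-cased command line.
LOTL_RULES = {
    "ntdsutil.exe": [r"\bifm\b", r"\bntds\b"],
    "netsh.exe": [r"\bportproxy\b"],
    "vssadmin.exe": [r"\bdelete\s+shadows\b"],
    "certutil.exe": [r"-urlcache\b", r"-decode\b"],
    "wmic.exe": [r"/node:", r"process\s+call\s+create"],
    "powershell.exe": [r"-enc(odedcommand)?\b", r"-nop(rofile)?\b"],
}

# Constructed baseline (assumption): accounts that routinely run admin tooling
# on each host. In practice this is learned from weeks of telemetry.
BASELINE = {
    "dc01": {"corp\\adm.jsmith"},
    "fs02": {"corp\\adm.jsmith", "corp\\svc_backup"},
}


@dataclass
class Finding:
    host: str
    user: str
    binary: str
    score: int
    severity: str
    reasons: list


def parse_event(line):
    """Split 'timestamp|host|user|command line'; return None on malformed input."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, user, cmd = parts
    return {"ts": ts, "host": host.lower(), "user": user.lower(), "cmd": cmd}


def binary_name(cmd):
    """Image name of the command line: quoted or bare path, directory stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        first = cmd[1:].split('"', 1)[0]
    else:
        first = cmd.split(None, 1)[0] if cmd else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event, baseline=BASELINE):
    """Score one event: +1 watched binary, +2 tracked sub-function, +2 off-baseline account."""
    binary = binary_name(event["cmd"])
    if binary not in LOTL_RULES:
        return None
    score, reasons = 1, [f"native admin tool {binary}"]
    lowered = event["cmd"].lower()
    hits = [p for p in LOTL_RULES[binary] if re.search(p, lowered)]
    if hits:
        score += 2
        reasons.append("arguments match tracked sub-function: " + ", ".join(hits))
    if event["user"] not in baseline.get(event["host"], set()):
        score += 2
        reasons.append(f"{event['user']} is outside the admin baseline for {event['host']}")
    # 1 = tool only, in baseline; 3 = one of the two extra signals; 5 = both.
    severity = "high" if score >= 5 else "medium" if score >= 3 else "low"
    return Finding(event["host"], event["user"], binary, score, severity, reasons)


def analyze(lines, baseline=BASELINE):
    """Return one Finding per parseable event that touches a watched binary."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        finding = score_event(event, baseline)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "2024-01-15T02:11:09Z|DC01|CORP\\adm.jsmith|vssadmin.exe list shadows",
    "2024-01-15T02:14:51Z|DC01|CORP\\svc_backup|C:\\Windows\\System32\\ntdsutil.exe \"ifm\" \"create full C:\\Windows\\Temp\\ad\" q q",
    "2024-01-15T02:20:03Z|WS-0412|CORP\\mlee|netsh.exe interface portproxy add v4tov4 listenport=8443 connectaddress=10.20.30.40 connectport=443",
    "2024-01-15T02:25:47Z|FS02|CORP\\svc_backup|vssadmin.exe delete shadows /all /quiet",
    "2024-01-15T02:31:12Z|WS-0412|CORP\\mlee|\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer",
    "malformed line with no delimiters",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.host} {f.user} {f.binary}: " + "; ".join(f.reasons))
```

Run against the sample events, the backup account exporting the AD database on a domain controller it never administers and the workstation user adding a port proxy both come out high, the baselined backup account deleting shadow copies on its own file server comes out medium, and the admin merely listing shadow copies comes out low. The point is the one the article makes: a `vssadmin` or `netsh` invocation on its own is noise, and the baseline is what turns it into a finding.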

The KV Botnet — named by researchers at Lumen Technologies’ Black Lotus Labs — was the operational infrastructure making this stealth possible at scale. Volt Typhoon compromised hundreds of SOHO routers (Netgear ProSAFE, Cisco RV series, ASUS, DrayTek) forming a US-based proxy network. Operators in China sent commands through the KV botnet, which relayed them through compromised US devices. Traffic appeared to originate from legitimate US IP addresses, generating no alerts for China-sourced connections.

The Targets: What Disruption Actually Means

The sectors Volt Typhoon targeted were chosen for disruption value, not data value:

Electric utilities: Access to OT networks controlling power distribution, with specific interest in restart procedures and failsafe mechanisms — knowledge that would allow an attacker to extend an outage by targeting the recovery process, not just the initial failure.

Water and wastewater systems: Sufficient system knowledge to cause unsafe chemical dosing or distribution pump failures, creating public health emergencies that consume emergency response resources.

Communications: Telecommunications and internet infrastructure — disruption cascades to emergency services, financial systems, and military command.

Transportation and IT sector: Ports, rail, aviation support infrastructure, and managed service providers providing supply-chain access to multiple downstream targets.

What Volt Typhoon was mapping was not data — it was operational knowledge: how does this system work, who operates it, what are the manual procedures when automation fails?

The Five Eyes Warning and Congressional Alarm

The February 7, 2024 joint advisory confirmed Volt Typhoon had persistent access to some US critical infrastructure for five years or more and was unusually direct:

“The authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions.”

FBI Director Christopher Wray, testifying before the House Select Committee on the Chinese Communist Party, drew bipartisan alarm:

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.”

Wray called it “the defining threat of our generation.” CISA Director Jen Easterly and NSA Director General Paul Nakasone echoed the assessment. The consensus was that Volt Typhoon represented not a scandal to be managed or a crime to be prosecuted, but a strategic military capability built inside American infrastructure waiting to be activated.

The FBI Counter-Operation

The January/February 2024 counter-operation was authorized under Rule 41 of the Federal Rules of Criminal Procedure — the same authority used against the Emotet and VPNFilter botnets. FBI operators reverse-engineered the KV Botnet’s command-and-control protocol and sent commands that removed Volt Typhoon implants from approximately 650 devices, severing the botnet’s connections.

What the operation could not do was eliminate Volt Typhoon’s presence inside the critical infrastructure networks the botnet had accessed. Those intrusions — inside electrical utilities, water systems, communications networks — required detection and remediation by affected organizations. Many of those organizations did not yet know they were compromised.

Context: Taiwan, the 2027 Timeline, and Chinese Strategic Thinking

Xi Jinping has made Taiwan unification a defining goal of his leadership. US military assessments consistently cite 2027 — the 100th anniversary of the People’s Liberation Army — as a date by which China’s military may achieve the capability for forced unification.

Chinese strategic doctrine of systems confrontation (体系对抗) describes defeating an adversary not in conventional battle but by degrading the systems that enable military power projection. Volt Typhoon is the cyber implementation: disrupting West Coast cities that host naval bases, degrading Pacific communications infrastructure, creating civilian emergencies demanding domestic resources — all calibrated to slow and confuse a US military response in the critical early days of a conflict.

This is the explicit assessment of the US intelligence community, stated publicly by the FBI Director and confirmed by the Five Eyes advisory.

Legacy: The Ongoing Challenge

CISA updated its Cross-Sector Cybersecurity Performance Goals to emphasize network monitoring, SOHO router security, and OT/ICS visibility. The SOHO router problem became a focused policy area — though the challenge is daunting: hundreds of millions of deployed devices, most never updated, monitored, or replaced until failure.

The OT/ICS security gap moved from specialist conference discussions to mainstream policy debate. American critical infrastructure, much of it privately owned, was built for reliability — not security. Legacy industrial control systems connected to corporate IT networks had created attack paths Volt Typhoon had been methodically mapping for years. The Microsoft Typhoon taxonomy gave public shorthand to a Chinese cyber threat that had not previously existed in mainstream discourse.

Volt Typhoon continued to operate after the FBI counter-operation, rotating to new infrastructure and continuing the patient work of learning how American critical infrastructure works.

The sleeping dragon had been disturbed. It had not been slain. The routers have been cleaned. The networks have not all been found.


Attack Chain: Volt Typhoon Critical Infrastructure Pre-Positioning

graph TD
    A["Initial Access\nExploit internet-facing VPN/router\nvulnerabilities (Fortinet, Cisco, Citrix)\nor use default credentials on\nSOHO routers"] --> B["KV Botnet Construction\nCompromise SOHO routers\n(Netgear ProSAFE, Cisco RV,\nASUS, DrayTek)\nBuilds US-based proxy network"]
    B --> C["Persistent Access\nEstablish long-term foothold\nin critical infrastructure IT network\nusing native Windows tools only"]
    C --> D["Living-Off-the-Land\nwmic, ntdsutil, netsh,\nPowerShell, certutil\nBlends with legitimate admin activity"]
    D --> E["Credential Harvesting\nDump Active Directory\nvia ntdsutil\nObtain domain admin credentials"]
    E --> F["Lateral Movement to OT\nMove from IT network toward\nOperational Technology systems\nSCADA, ICS, control networks"]
    F --> G["OT/ICS Reconnaissance\nMap control systems\nLearn restart procedures\nIdentify manual failsafes\nStudy physical infrastructure logic"]
    G --> H["Long-Term Persistence\n5+ years in some victims\nDormant — awaiting activation order\nC2 proxied through KV Botnet"]
    H --> I["Strategic Pre-Positioning\nReady to disrupt:\n- Power grids\n- Water systems\n- Communications\n- Transportation\nOn command during US-China conflict"]

    I --> J["FBI Counter-Operation\nJan/Feb 2024 — Court authorized\nFBI remotely removes Volt Typhoon\ntools from ~650 compromised routers"]
    J --> K["Partial Disruption\nKV Botnet degraded\nCore infrastructure presence\nmay remain — hunt continues"]

    style A fill:#1a1a2e,color:#e0e0e0
    style C fill:#c0392b,color:#fff
    style G fill:#c0392b,color:#fff
    style H fill:#8e44ad,color:#fff
    style I fill:#8e44ad,color:#fff
    style J fill:#27ae60,color:#fff
    style K fill:#2c3e50,color:#e0e0e0