Chinese APT Group 'Volt Typhoon' Maintains Persistent Access to U.S. Critical Infrastructure
U.S. intelligence agencies warn that Chinese state-sponsored hackers have maintained undetected access to American critical infrastructure networks for at least five years.
U.S. intelligence agencies have issued a stark warning that a Chinese state-sponsored hacking group known as Volt Typhoon has maintained persistent, undetected access to American critical infrastructure networks for at least five years.
The joint advisory, released by CISA, the NSA, and the FBI, describes a sophisticated campaign targeting communications, energy, transportation, and water systems across the United States and its territories.
"The PRC cyber actors are positioning themselves on IT networks to enable lateral movement to OT assets with the goal of disrupting functions," the advisory states. "This is a departure from the typical cyber espionage operations we've seen from China."
According to the advisory, Volt Typhoon gains initial access primarily through internet-facing Fortinet FortiGuard devices, exploiting known vulnerabilities, and uses compromised small office/home office (SOHO) routers as operational relay nodes to obscure its traffic.
The group employs "living off the land" techniques, using legitimate Windows tools like PowerShell, WMI, and netsh to blend in with normal system administration activity, making detection extremely difficult.
Private sector security firms have corroborated the government's findings. "We've observed Volt Typhoon maintaining dormant access in multiple sectors," said James Whitfield, chief threat analyst at CyberDefend Inc. "The pre-positioning suggests preparation for potential disruptive or destructive operations."
The advisory recommends that critical infrastructure operators implement robust logging, network segmentation, and multi-factor authentication, while also hunting for indicators of compromise provided in the report.
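The advisory's two points about "living off the land" (legitimate tools such as PowerShell, WMI, and netsh blending into normal administration) and its recommendation to hunt through robust logging connect in practice as a baseline-deviation check: the binaries are expected, so detection has to key on who ran them, from what parent, and when. The script below is an added example, not code from CISA, the advisory, or any vendor named in the article. The log lines, the host and account names, the allowlists, and the maintenance window are all constructed for illustration; a real deployment would derive them from the operator's own process-creation telemetry (for example Windows event 4688 or Sysmon event 1).

```python
"""
Baseline-deviation hunt for living-off-the-land tool use over constructed
process-creation records. Added example; the record format, allowlists and
thresholds are hypothetical, not taken from the advisory.
"""
from dataclasses import dataclass
from datetime import datetime

# Legitimate Windows binaries the article names as abused for LOTL activity.
LOTL_BINARIES = {"powershell.exe", "wmic.exe", "netsh.exe"}

# Hypothetical allowlists an operator would derive from their own baseline.
EXPECTED_ADMIN_ACCOUNTS = {"corp\\svc-patching", "corp\\it-admin"}
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "services.exe", "svchost.exe"}
MAINTENANCE_HOURS = range(22, 24)  # 22:00-23:59, hypothetical change window


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    account: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed record: ts|host|account|parent|image|cmdline."""
    ts, host, account, parent, image, cmdline = line.split("|", 5)
    return ProcEvent(
        datetime.fromisoformat(ts), host, account.lower(),
        parent.lower(), image.lower(), cmdline,
    )


def score_event(ev: ProcEvent) -> list:
    """Return the baseline deviations for a LOTL binary launch (empty if none)."""
    reasons = []
    if ev.image not in LOTL_BINARIES:
        return reasons  # not one of the admin tools we baseline
    if ev.account not in EXPECTED_ADMIN_ACCOUNTS:
        reasons.append(f"unexpected account {ev.account}")
    if ev.parent not in EXPECTED_PARENTS:
        reasons.append(f"unusual parent {ev.parent}")
    if ev.ts.hour not in MAINTENANCE_HOURS:
        reasons.append("outside maintenance window")
    return reasons


def hunt(lines, min_reasons: int = 2) -> list:
    """Flag launches that deviate from baseline in at least min_reasons ways.

    A single deviation (e.g. a one-off PowerShell run at 14:00) is routine
    admin noise; requiring two keeps the finding list short enough to triage.
    """
    findings = []
    for line in lines:
        ev = parse_line(line)
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            findings.append((ev.host, ev.image, reasons))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "2024-02-07T22:15:00|ws-01|CORP\\it-admin|cmd.exe|powershell.exe|powershell.exe Get-Service",
    "2024-02-07T03:42:10|fw-mgmt-02|NT AUTHORITY\\SYSTEM|w3wp.exe|netsh.exe|netsh interface show interface",
    "2024-02-07T14:05:30|ws-07|CORP\\jsmith|explorer.exe|wmic.exe|wmic os get caption",
    "2024-02-07T10:00:00|ws-03|CORP\\jsmith|explorer.exe|notepad.exe|notepad.exe",
]

if __name__ == "__main__":
    for host, image, reasons in hunt(SAMPLE_LOG):
        print(f"{host}: {image} -> {', '.join(reasons)}")
```

The first record (a known admin account, launched from cmd.exe, inside the window) produces no finding even though it is PowerShell, which is the point: the tool itself is not the signal. The netsh launch from a web-server worker process at 03:42 trips all three checks, and the WMI query from a non-admin account during business hours trips two. Any of the three heuristics alone would be noisy against a busy IT team, which is why the example requires agreement between them and why the allowlists must come from the operator's own baseline rather than a generic list.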