Volt Typhoon and Salt Typhoon: Defending Critical Infrastructure Against Chinese State-Sponsored Attacks
Most coverage of Chinese state-sponsored cyber activity treats Volt Typhoon and Salt Typhoon as two flavours of the same threat. That framing is wrong, and the framing matters. One is preparing for destruction; the other has been conducting espionage at unprecedented scale. Their missions are different, their targets overlap only partially, and the defensive priorities they impose on critical infrastructure operators are distinct. Conflating them is how organisations end up doing neither job well.
CISA, the NSA, the FBI, and allied agencies in the UK, Canada, Australia, and New Zealand have been clear about the distinction for more than two years. The US Intelligence Community’s 2025 Annual Threat Assessment, referenced by CISA in its China threat briefing, noted that PRC-linked actors are “positioning themselves within information technology networks, enabling lateral movement to operational technology systems” to “disrupt critical functions at a time of their choosing.” That sentence describes Volt Typhoon. Salt Typhoon, by contrast, has spent the last several years inside the telecommunications backbone quietly exfiltrating data — including, according to US officials, the metadata of over a million American mobile users and the contents of some lawful-intercept systems that serve law enforcement.
Both are instruments of the same state adversary, operating under different missions. Understanding which mission is active in your network — and which is more likely to target your sector — is the starting point for defence.
Volt Typhoon: pre-positioning for disruption
In May 2023, Microsoft and a Five Eyes advisory led by the NSA publicly disclosed the existence of a PRC state-sponsored actor they called Volt Typhoon. The group had been operating since at least mid-2021, and the targeting pattern was immediately unusual. Most nation-state cyber activity is either espionage (data theft for intelligence value) or financial (IP theft for economic gain). Volt Typhoon was doing neither. It was quietly establishing persistent access inside American critical infrastructure — water utilities, electricity providers, transportation systems, communications — and doing almost nothing with that access once obtained.
The assessment that followed, articulated most clearly in the February 2024 joint CISA-FBI-NSA advisory and reinforced by NCSC-UK and Five Eyes partners, was that Volt Typhoon’s access was strategic rather than operational. The group was not there to steal data. It was there in case of a future crisis — specifically, a crisis in the Indo-Pacific region in which the United States and its allies might need to respond to Chinese military action against Taiwan. In that scenario, pre-positioned access inside US critical infrastructure would allow the PRC to disrupt power, water, transport, or communications as a means of delaying or complicating the American response.
Then-CISA Director Jen Easterly testified repeatedly to the House Select Committee on the Chinese Communist Party that Volt Typhoon represents “the most serious and significant cyber threat” to US critical infrastructure. Easterly’s language in her outgoing January 2025 statement was stark: CISA had “eradicated numerous Chinese intrusions into critical infrastructure across multiple sectors” but “what we have found is likely just the tip of the iceberg.”
The technical approach that enables this persistence is what CISA calls Living Off The Land (LOTL). Volt Typhoon operates almost exclusively using tools and processes that are natively present on compromised systems — PowerShell, Windows Management Instrumentation, ntdsutil, built-in network administration utilities. There is minimal custom malware. The group does not drop binaries that an endpoint detection system will flag. It logs in, uses legitimate tools that a system administrator would use, and covers its tracks by selectively clearing event logs.
This is extraordinarily difficult to detect with signature-based security tooling. An EDR system looking for malicious binaries will see nothing. A SIEM monitoring for known indicators of compromise will see nothing. What it leaves behind is anomalous patterns — PowerShell executions at unusual times, credential access activity from unexpected hosts, domain controller queries that don’t match normal administrative workflows. Detection requires behavioural analytics, aggressive logging, and — critically — a baseline of what normal activity on the network actually looks like.
Initial access typically comes through internet-facing network edge devices. CISA’s advisories name Fortinet, Ivanti, Cisco, Netgear, and a range of small office / home office (SOHO) router models as historical targets. Once inside, Volt Typhoon moves laterally through authentication protocols (TACACS+ and RADIUS are specifically named in CISA guidance), captures network traffic, and systematically extracts the Active Directory database (NTDS.dit) from domain controllers. The NTDS.dit extraction is a particularly aggressive move — it gives the attacker every hashed credential in the domain, enabling offline password cracking and persistent re-entry even after network changes.
CISA’s stated position on remediation is unusually blunt. If compromise is detected, organisations “should assume full domain compromise” and treat every privileged credential in the trust boundary as suspect. Reset domain user passwords. Reset local account passwords including Administrator, System, Guest, and krbtgt (the latter requires a double reset to invalidate golden tickets). Sever the enterprise network from the internet where feasible. These are disruptive recommendations — CISA is making them because incremental remediation is not sufficient against an adversary who may have been in the network for years.
The targeting priorities confirmed by CISA and other Five Eyes agencies include electric power, water and wastewater, transportation systems, and communications. The water sector is particularly concerning — CISA has repeatedly flagged that smaller water utilities often operate with minimal IT staff, legacy operational technology (OT), and poor segmentation between IT networks and the industrial control systems that manage pumps, valves, and treatment chemicals. A prepositioned adversary in that environment could cause physical consequences.
Salt Typhoon: espionage at telecom scale
Salt Typhoon is a different problem. Where Volt Typhoon is about future disruption, Salt Typhoon is about present espionage — and where Volt Typhoon targets critical infrastructure that could affect American citizens physically, Salt Typhoon targets the backbone of global communications.
The campaign became public in October 2024 when reports emerged that Chinese state-sponsored hackers had compromised major US telecommunications providers. Subsequent disclosure confirmed the scale: at least nine US carriers breached, including AT&T, Verizon, T-Mobile, Spectrum (Charter Communications), Lumen, Consolidated Communications, and Windstream. Viasat, the satellite communications provider, was named as a victim in June 2025. Canada’s government confirmed that major Canadian telecoms had been hit. New Zealand, Australia, Norway, and — as reported in February 2026 — all four of Singapore’s major telecoms have now been identified as victims. Former FBI officials have described the operation as reaching more than 200 organisations across over 80 countries.
What makes Salt Typhoon strategically significant is what it accessed. According to statements from US officials and investigative reporting by TechCrunch and others, the group compromised the systems American telecom carriers use to comply with the Communications Assistance for Law Enforcement Act (CALEA) — the 1994 law that requires telecoms to build lawful-intercept capabilities into their networks so law enforcement can wiretap with a court order. Compromising CALEA infrastructure gave Salt Typhoon access to exactly the systems designed to intercept communications, which the group then used to target US law enforcement data, political figures, and (according to reports) phone audio and text messages involving staffers for both Trump and Harris 2024 campaigns.
Senator Mark Warner described it publicly as “the worst telecom hack in our nation’s history.” The FBI offered a $10 million Rewards for Justice bounty for information leading to identification of individuals involved. In January 2025, the US Treasury’s Office of Foreign Assets Control sanctioned Sichuan Juxinhe Network Technology, a Sichuan-based cybersecurity firm that Treasury said had “direct involvement” in Salt Typhoon operations.
Technically, Salt Typhoon is a more diverse toolkit than Volt Typhoon. The group deploys a custom Windows kernel-mode rootkit called Demodex (named by Kaspersky) that provides remote control over compromised servers. A custom backdoor called GhostSpider targets telecommunications infrastructure specifically. A modified NinjaCopy variant uses a low-level NTFS parser to bypass Windows access controls and exfiltrate sensitive system files including NTDS.dit and SYSTEM registry hives. In late 2025, CISA’s joint advisory (AA25-239A) with NSA, FBI, and international partners detailed that Salt Typhoon and related PRC-attributed clusters (tracked variously as OPERATOR PANDA, RedMike, UNC5807, GhostEmperor, and Earth Estries) primarily exploit publicly known CVEs in network edge devices — Cisco, Fortinet, Juniper, and similar — rather than relying on zero-days.
The attacker’s high-value pivot, however, is into the routing and authentication protocols that telecommunications providers use internally. CISA’s advisory specifically names TACACS+ and RADIUS as targets, and documents the use of SNMP enumeration and SSH for lateral movement. Once inside, Salt Typhoon passively collects packet captures from specific customer networks, captures traffic using built-in SPAN, RSPAN, and ERSPAN mirroring capabilities on telecom routers, and maintains persistence by modifying router configurations to ensure continued access even after standard credential resets.
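As an added illustration of the router-side persistence described above (example code written for this page, not from CISA, Cisco or any vendor): a baseline-drift audit of a Cisco IOS-style configuration that flags newly added monitor sessions, local accounts, AAA server entries and SNMP communities. The hostname, addresses and both configurations are constructed.

```python
"""Audit a Cisco IOS-style running config against a golden baseline.

Constructed example. It surfaces the configuration changes the advisory
associates with telecom persistence: new SPAN/RSPAN/ERSPAN monitor sessions,
added local users or TACACS+/RADIUS server entries, and added SNMP
community strings. The device name, addresses and configs are invented.
"""
import re

# Constructed golden baseline: what change control says should be deployed.
GOLDEN_CONFIG = """\
hostname EDGE-RTR-01
username netops privilege 15 secret 9 <hash-redacted>
aaa new-model
aaa authentication login default group tacacs+ local
tacacs server TAC-PRIMARY
 address ipv4 10.0.0.10
snmp-server community r0-public RO
interface GigabitEthernet0/1
 description uplink
"""

# Constructed running config as pulled from the device during a hunt.
RUNNING_CONFIG = """\
hostname EDGE-RTR-01
username netops privilege 15 secret 9 <hash-redacted>
username support privilege 15 secret 9 <hash-redacted>
aaa new-model
aaa authentication login default group tacacs+ local
tacacs server TAC-PRIMARY
 address ipv4 10.0.0.10
tacacs server TAC-BACKUP
 address ipv4 203.0.113.7
snmp-server community r0-public RO
snmp-server community rw-mgmt RW
monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/3
interface GigabitEthernet0/1
 description uplink
"""

# Each rule: (finding name, regex matched against a top-level config line).
WATCHED = [
    ("traffic-mirroring", re.compile(r"^monitor session ")),
    ("local-account", re.compile(r"^username ")),
    ("aaa-server", re.compile(r"^(tacacs|radius) server ")),
    ("snmp-community", re.compile(r"^snmp-server community ")),
]


def top_level_lines(config):
    """Return the set of non-indented config lines (child lines are ignored)."""
    return {ln.rstrip() for ln in config.splitlines() if ln and not ln[0].isspace()}


def audit(running, golden):
    """Return sorted (finding, line) pairs for watched lines that are present in
    the running config but absent from the golden baseline."""
    added = top_level_lines(running) - top_level_lines(golden)
    findings = []
    for line in sorted(added):
        for name, pattern in WATCHED:
            if pattern.match(line):
                findings.append((name, line))
    return findings


if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG, GOLDEN_CONFIG):
        print(finding)
```

A real deployment would diff against the configuration held in out-of-band change control, since a baseline fetched from the device itself can already contain the attacker's changes.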
An investigation by Cisco reported that in at least one case, Salt Typhoon maintained undetected access for three years before eviction. That figure is worth pausing on. Three years of telecom backbone access, on routers that pass a substantial fraction of US and allied internet traffic, is an intelligence windfall without recent historical parallel.
The espionage mission is ongoing. In February 2026, Deputy Assistant Director for Cyber Intelligence Michael Machtinger told CyberTalks that the threat posed by Salt Typhoon actors “is still very, very much ongoing.” Senator Maria Cantwell has publicly expressed scepticism that AT&T and Verizon have meaningfully evicted the adversary, citing the telecoms’ refusal to release Mandiant’s post-incident security assessments. Reporting by CyberScoop in March 2026 confirmed that Salt Typhoon compromised US federal networks before the telecom intrusions were understood as a single campaign.
Comparing the two
The table below summarises the operational distinctions that matter for defenders.
| Dimension | Volt Typhoon | Salt Typhoon |
|---|---|---|
| Mission | Pre-positioning for future disruption | Ongoing espionage and signals intelligence |
| Primary targets | Electricity, water, transport, communications (OT-adjacent IT) | Telecommunications backbone, lawful-intercept systems, government |
| Observed since | Mid-2021 (publicly disclosed May 2023) | At least 2019; publicly disclosed October 2024 |
| Geographic scope | Primarily US critical infrastructure | Global — US, Canada, UK, EU, Singapore, South Africa, Brazil, APAC |
| Key technical signature | Living off the land (built-in tools only) | Custom malware (Demodex, GhostSpider, NinjaCopy) + LOTL |
| Initial access pattern | Edge-device exploitation (Fortinet, Ivanti, SOHO routers) | Known CVEs in Cisco/Fortinet/Juniper edge devices |
| Preferred persistence | Credential theft, NTDS.dit extraction, account creation | Router firmware/config modification, rootkit deployment |
| Attributed to | PRC state-sponsored (People’s Liberation Army-linked assessments) | PRC Ministry of State Security (MSS) via Sichuan Juxinhe |
| Microsoft name alias | Volt Typhoon | Salt Typhoon / Earth Estries / GhostEmperor / FamousSparrow |
| Why it matters | Could cause physical harm in a future crisis | Has already compromised communications privacy at scale |
Both groups favour Living Off The Land techniques once inside, both rely heavily on unpatched known vulnerabilities in edge devices for initial access, and both are capable of maintaining persistence for years. But the sectoral targeting and the mission profile are materially different, and any defender should know which is more likely to be active in their environment.
What CISA and NCSC recommend — and what matters most
The joint CISA / NSA / FBI / NCSC-UK guidance on identifying and mitigating Living Off The Land techniques, published in February 2024 and reinforced across multiple subsequent advisories, is the authoritative reference. Organisations in critical infrastructure sectors should read the primary source documents. What follows is a defender’s summary of what matters most, not a substitute for that reading.
First: assume edge devices are under attack. Both campaigns begin with compromise of an internet-facing network appliance. Patch every Cisco, Fortinet, Juniper, SonicWall, and Ivanti device under your control to current firmware. Rotate every credential on those devices — including the ones that were migrated forward from older hardware. Disable any management interfaces that do not need to be internet-facing. Monitor for unusual administrative activity on edge devices themselves, not just on the internal network.
Second: aggressive logging is not optional. Both Volt Typhoon and Salt Typhoon can defeat signature-based detection because they use native tools and known protocols. What they cannot defeat is baseline-deviation analysis applied to high-quality logs. CISA’s LOTL guidance prioritises implementing logging and aggregating logs in an out-of-band, centralised location; establishing a baseline of normal network, user, and application activity; and using automation to continuously compare live activity against that baseline. These are substantially harder to implement than buying a new tool, but they are the specific controls that detected Volt Typhoon at the organisations where it was eventually detected.
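An added example (not from CISA’s guidance or any product) of the baseline-deviation approach recommended here and in the Volt Typhoon section above: a small detector run over constructed Windows Security event lines, flagging PowerShell outside the baseline hosts or working hours, ntdsutil/vssadmin execution on a domain controller, logons to a domain controller from hosts outside the baseline, and event-log clearing (Event ID 1102). The baseline, hostnames and events are constructed assumptions.

```python
"""Baseline-deviation detection over Windows Security events.

Constructed example. The Event IDs are the standard ones (4688 process
creation, 4624 logon, 1102 audit log cleared); the baseline, hostnames and
log lines are invented for illustration.
"""
from datetime import datetime

# Constructed baseline (assumption): which hosts normally log on to each
# domain controller, which hosts normally run PowerShell, and the working
# hours window. In practice this is learned from weeks of aggregated logs.
BASELINE = {
    "logon_sources": {"DC01": {"ADMIN-WS01", "ADMIN-WS02"}},
    "powershell_hosts": {"ADMIN-WS01", "ADMIN-WS02"},
    "work_hours": (8, 18),
}

# Built-in tools whose use warrants review: ntdsutil exports NTDS.dit and
# vssadmin creates the shadow copy commonly used to read it.
CREDENTIAL_TOOLS = {"ntdsutil.exe", "vssadmin.exe"}

# Constructed sample log, one event per line: time|host|event_id|key=value;...
SAMPLE_LOG = """\
2025-03-04T09:12:00|ADMIN-WS01|4688|process=powershell.exe;user=ops.admin
2025-03-04T02:41:00|FILE-SRV03|4688|process=powershell.exe;user=svc.backup
2025-03-04T02:45:00|DC01|4624|source=FILE-SRV03;user=ops.admin
2025-03-04T02:47:00|DC01|4688|process=ntdsutil.exe;user=ops.admin
2025-03-04T02:52:00|DC01|1102|user=ops.admin
2025-03-04T10:03:00|DC01|4624|source=ADMIN-WS02;user=ops.admin
"""


def parse_line(line):
    """Parse one pipe-delimited event line into a dict of its fields."""
    ts, host, event_id, fields = line.split("|", 3)
    kv = dict(f.split("=", 1) for f in fields.split(";") if f)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "event_id": int(event_id), **kv}


def detect(log_text, baseline=BASELINE):
    """Return (rule, host, detail) tuples for events that deviate from baseline."""
    alerts = []
    start, end = baseline["work_hours"]
    for line in log_text.splitlines():
        ev = parse_line(line)
        eid, host = ev["event_id"], ev["host"]
        if eid == 4688:
            proc = ev["process"].lower()
            off_hours = not (start <= ev["time"].hour < end)
            if proc == "powershell.exe" and (
                    host not in baseline["powershell_hosts"] or off_hours):
                alerts.append(("powershell-anomaly", host, ev["user"]))
            if proc in CREDENTIAL_TOOLS:
                alerts.append(("credential-tool", host, proc))
        elif eid == 4624:
            if ev["source"] not in baseline["logon_sources"].get(host, set()):
                alerts.append(("unexpected-logon-source", host, ev["source"]))
        elif eid == 1102:
            # Log clearing is itself logged; with out-of-band forwarding the
            # event survives even though the local log is gone.
            alerts.append(("log-cleared", host, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The point of the sample is the sequence, not any single rule: off-hours PowerShell on a file server, a logon to the domain controller from that server, ntdsutil on the controller, then a cleared log is the pattern the paragraph describes, and none of the four steps involves a malicious binary.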
Third: segment your OT and your identity plane. For Volt Typhoon particularly, the mission depends on pivoting from IT networks into operational technology systems where it can cause physical consequences. NCSC-UK’s Principle 6 guidance on limiting the impact of compromise is explicit: implement zoned or segmented network architecture, implement a demilitarised zone between externally connected systems and core OT networks, and restrict trust relationships between administrative devices and managed systems. Microsegmentation in OT environments is not a compliance box-tick — it is the control that prevents IT compromise from becoming OT compromise.
Fourth: credential hygiene at scale. Both groups harvest credentials aggressively. Volt Typhoon’s NTDS.dit extraction gives it offline access to every hashed credential in a compromised Active Directory environment. Salt Typhoon’s NinjaCopy variant does the same thing. The defensive response requires: multi-factor authentication enforced on every administrative account without exception; privileged access workstations isolated from general-purpose workstations; regular review of privileged group membership; and — critically — rotation of krbtgt and service account credentials on a defined schedule rather than only after incidents. If you are reading this and you have a krbtgt that has not been reset in the last year, that is the first thing to fix.
Fifth: edge device hardening specifically. CISA’s Secure by Design initiative puts responsibility on hardware manufacturers to ship products that are not trivially exploitable, but the reality is that most edge devices have been designed for performance rather than security. Defenders should assume these devices are high-value targets, restrict their management interfaces, enforce firmware update cycles, and — where feasible — move toward architectures (ZTNA, SASE) that reduce reliance on the internet-facing VPN appliance as a single point of compromise.
For organisations with complex vendor ecosystems, the overlap with broader third-party risk management is significant. Salt Typhoon’s ability to pivot between telecom carriers and their downstream customers is a supply-chain compromise by another name. Treating edge-device vendors as high-trust, continuously-monitored third parties is consistent with post-Salesloft and post-Snowflake thinking on third-party risk management.
The hard question
The hardest question the Volt Typhoon and Salt Typhoon campaigns pose is not technical. It is institutional.
CISA’s 2024 and 2025 eviction campaigns against Volt Typhoon were significant, but the reality acknowledged by senior officials is that successful evictions have covered a fraction of the likely affected organisations. The telecom sector’s response to Salt Typhoon has been, in the assessment of multiple sitting senators, inadequate. In March 2026, officials were publicly worrying that the lack of sustained public outrage over the Salt Typhoon breach was killing momentum for meaningful regulatory reform. The US Cyber Safety Review Board, which had been investigating the telecom breach, had its members dismissed in early 2025 before the investigation could complete.
Under those institutional conditions, individual organisations — hospitals, water authorities, regional carriers, electric cooperatives — cannot rely on policy or regulation to force the hard changes these adversaries require. Defence against pre-positioned state adversaries is a capital investment in network architecture, identity hygiene, and behavioural detection that must be made voluntarily and maintained continuously. The organisations that will be safer in 2027 and 2028 are the ones that are treating CISA’s 2024 guidance as a procurement and architecture roadmap rather than a compliance reference.
For a narrower view of how the same defensive principles apply to financially motivated adversaries that increasingly borrow state-sponsored tradecraft, our analysis of Scattered Spider’s tactics and defences covers the help-desk social engineering and identity-plane compromise vectors that have characterised the most impactful non-state intrusions of the past two years.
Frequently asked questions
Are Volt Typhoon and Salt Typhoon the same group? No. Both are attributed to the People’s Republic of China, but they have different missions, different targets, and different technical signatures. Volt Typhoon pre-positions for future disruption of US critical infrastructure. Salt Typhoon conducts ongoing espionage against global telecommunications and government networks. They are tracked separately by CISA, NCSC-UK, and Microsoft.
Has Volt Typhoon caused any actual damage? No publicly disclosed destructive actions have been attributed to Volt Typhoon. The concern is that the group’s pre-positioned access is intended to enable disruption during a future geopolitical crisis — specifically, a conflict in the Indo-Pacific region. US officials have been clear that the risk is strategic rather than immediate.
Is Salt Typhoon still inside US telecom networks? FBI officials stated publicly in February 2026 that the Salt Typhoon threat is “still very, very much ongoing.” Senator Maria Cantwell has formally questioned whether AT&T and Verizon have fully evicted the adversary, citing the carriers’ refusal to release Mandiant post-incident assessments. New victims including Viasat, Canadian telecoms, Norwegian government entities, and all four Singapore telecoms have been identified through 2025 and into 2026.
What is “living off the land” and why is it so hard to detect? Living Off The Land (LOTL) is a set of techniques where attackers use legitimate, native tools already present on a compromised system — PowerShell, Windows Management Instrumentation, administrative utilities — rather than dropping custom malware. This evades signature-based detection because there is no malicious binary to match against. Detection requires behavioural analytics: recognising unusual patterns in how legitimate tools are being used, which requires a high-quality baseline of normal activity.
Are UK organisations affected? Yes. NCSC-UK has co-authored the major CISA advisories on both Volt Typhoon and Salt Typhoon, specifically because the techniques and the strategic risk apply to UK critical infrastructure. NCSC-UK’s assessment is that Living Off The Land activity poses a threat to UK critical national infrastructure, and the agency has urged all infrastructure providers to implement the joint Five Eyes guidance. UK telecom operators are within the target scope of Salt Typhoon’s global campaign.
What should a CISO prioritise first? If you operate critical infrastructure or a telecommunications service, start with edge-device hardening: patch, rotate credentials, and restrict management interface exposure. In parallel, invest in centralised logging aggregation with baseline-deviation alerting — this is the specific capability required to detect LOTL activity. The third priority is network segmentation between IT and OT, with a hardened DMZ between externally-connected systems and core operational networks.
Where can I read the primary sources? The key references are CISA’s joint advisory AA24-038A (PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure), CISA’s joint advisory AA25-239A (Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide), the joint CISA/NSA/FBI/Five Eyes guidance Identifying and Mitigating Living Off the Land Techniques, and NCSC-UK’s Operational Technology Secure Connectivity principles. All are publicly available and should be the canonical references for any critical infrastructure defence programme.
This is a permanent reference page on the two most significant PRC state-sponsored cyber threats facing critical infrastructure in 2026. It is updated as new advisories, eviction operations, and victim disclosures emerge. Primary sources are CISA, NSA, FBI, and Five Eyes partner agencies; this page synthesises and contextualises their published guidance and should not be read as a substitute for that guidance.