Volt Typhoon: The Ghost Inside Critical Infrastructure

Ymir Vigfusson

May 6, 2025

It wasn’t a flashing red alert. Instead, it was silence—the kind of silence that hides the most insidious threats. There was no ransomware note demanding Bitcoin, and no antivirus software detected anything malicious.

For months—possibly years—Volt Typhoon has moved through critical infrastructure networks, unseen and unchallenged. Unlike ransomware gangs that rely on malware for rapid and often chaotic disruptions, Volt Typhoon takes a stealth-first approach. Instead of encrypting files or demanding ransoms, they embed themselves within networks, waiting for the right moment to act.

A Different Kind of Attack

Volt Typhoon is an advanced persistent threat (APT) group, likely state-sponsored, that specializes in stealth and long-term infiltration. Their objective isn’t immediate destruction or financial gain—it’s deep, sustained access to critical infrastructure.

Rather than deploying malware that security tools can detect, they blend in, using stolen credentials and exploiting weaknesses in IT infrastructure to maintain persistence. They move like insiders, leveraging built-in tools—PowerShell, WMI, RDP, SSH—to navigate networks without raising alarms.

The APT Attack Cycle: Land, Gather Intel, and Expand

Security teams relying on endpoint protection and antivirus? They never saw them coming. Volt Typhoon’s activity mirrors routine administrative behavior, slipping past SOARs, SIEMs, and antivirus solutions unnoticed. Firewalls, rather than stopping them, often serve as their entry points.

Before diving into their techniques, it’s important to understand why this makes traditional detection methods ineffective.

How Volt Typhoon Stays Hidden

Rather than forcing entry, Volt Typhoon exploits known vulnerabilities (CVEs) in overlooked network appliances, including outdated firewalls, misconfigured VPNs, and unpatched routers. They slip in unnoticed and establish a presence without deploying malware or triggering security alerts. Once inside, they move with patience.

First, they steal authentication credentials and session tokens. This allows them to impersonate privileged accounts, undermining identity-based security controls. Once they blend in as admins, most security tools become blind to their activity.

If one access point is lost, they pivot seamlessly—switching to another stolen credential, hijacking an active session, or leveraging a different compromised device. Their persistence strategy ensures they always have a way back in.

Here’s a breakdown of their tactics:

Attack Phase                                  | Description
----------------------------------------------|------------------------------------------------------------------------------------------------------
Initial Foothold                              | Exploit known vulnerabilities in outdated firewalls, VPNs, and SOHO routers to gain entry.
Credential Theft & Hijacking                  | Steal authentication tokens, passwords, and session cookies, allowing them to impersonate privileged users without triggering security alerts.
Learning & Stalking                           | Monitor network activity, map security controls, and identify high-value assets to determine the best path for deeper infiltration.
Lateral Movement and Privilege Exploitation   | Use compromised admin credentials and remote administration tools (RDP, PsExec, PowerShell, WMI) to move undetected across systems. If their initial access is limited, they escalate privileges to gain deeper control.
Persistence & Evasion                         | Ensure continuous access by maintaining multiple footholds, hijacking active sessions, and using built-in IT tools to blend in.
Objective Execution                           | Maintain long-term access, exfiltrate data, disrupt operations, or prepare for future sabotage.

The Strategy Behind Their Persistence

Volt Typhoon isn’t a smash-and-grab operation. Their objective is to establish deep, long-term access. Security advisories from CISA and the FBI confirm that their presence within U.S. infrastructure isn’t about immediate data theft or ransomware. Instead, they pre-position themselves, waiting for the right moment. U.S. government officials believe these are strategic campaigns to hamper or delay military mobilization following a Chinese invasion of Taiwan.

The ability to remain undetected stems from their methodical approach:

  • Abusing SOHO Routers: Volt Typhoon uses small office/home office (SOHO) routers to proxy their traffic, making malicious activity look like normal business operations.
  • Evasion of Enterprise Security Tools: Many SIEMs and network monitoring solutions are optimized for detecting threats inside enterprise environments, not traffic relayed through home-based routers or personal devices. This blind spot allows Volt Typhoon to operate unnoticed.
  • Exploiting Network Appliances: Firewalls, VPN concentrators, and security appliances are used as entry points.
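The attack cycle in the table above and the SOHO-router proxying described in this list share a detection consequence: nothing malicious ever touches disk, so the signal has to come from how legitimate remote-administration sessions are used. The following is an added example (not Keystrike code and not a reproduction of any Volt Typhoon artifact) of two correlation rules a detection engineer might run over authentication logs: a privileged account fanning out to many hosts over RDP/WinRM/SMB inside a short window, and remote-admin sessions originating from addresses outside the enterprise ranges. The log format, account names, host names, and IP ranges are all constructed for the example.

```python
"""Behavioural correlation over authentication logs (added example).

Rule 1 (admin_fanout): one privileged account opening remote-admin
sessions on more than `max_hosts` distinct hosts inside `window`,
the living-off-the-land lateral movement pattern (RDP, WinRM, SMB/PsExec).
Rule 2 (external_admin_source): a remote-admin session whose source
address is outside the ranges the organisation owns, consistent with
traffic relayed through a compromised SOHO router rather than a
corporate jump host.

Everything below (log format, names, address ranges) is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set, Tuple
import re

# Constructed log line shape:
# <ISO timestamp> auth user=<name> src=<ip> dst=<host> proto=<rdp|winrm|smb> result=<success|failure>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) proto=(?P<proto>\S+) result=(?P<result>\S+)$"
)

# Assumed enterprise address space; anything else counts as external.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]
# Protocols that indicate remote administration rather than ordinary user traffic.
ADMIN_PROTOS = {"rdp", "winrm", "smb"}

# Constructed sample log: an admin account sweeps four hosts in eleven
# minutes, then later appears from a non-corporate address.
SAMPLE_LOG = """
2025-05-06T08:00:00 auth user=svc_backup src=10.0.1.20 dst=FS01 proto=smb result=success
2025-05-06T08:05:00 auth user=j.doe src=10.0.2.31 dst=WS-0412 proto=rdp result=success
2025-05-06T09:00:00 auth user=da_admin src=10.0.9.5 dst=DC01 proto=winrm result=success
2025-05-06T09:04:00 auth user=da_admin src=10.0.9.5 dst=FS01 proto=smb result=success
2025-05-06T09:07:00 auth user=da_admin src=10.0.9.5 dst=SQL02 proto=smb result=success
2025-05-06T09:11:00 auth user=da_admin src=10.0.9.5 dst=HMI-PLANT3 proto=rdp result=success
2025-05-06T14:30:00 auth user=da_admin src=203.0.113.77 dst=VPN-GW proto=rdp result=success
2025-05-06T15:00:00 auth user=j.doe src=10.0.2.31 dst=WS-0412 proto=rdp result=failure
""".strip().splitlines()


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str
    dst: str
    proto: str
    result: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(datetime.fromisoformat(m["ts"]), m["user"], m["src"],
                     m["dst"], m["proto"], m["result"])


def is_external(src: str) -> bool:
    """True when the source address is not inside any enterprise range."""
    try:
        addr = ip_address(src)
    except ValueError:
        return True  # unparseable source: treat as untrusted
    return not any(addr in net for net in CORPORATE_NETS)


def detect(lines: Iterable[str], privileged: Set[str],
           window: timedelta = timedelta(minutes=30),
           max_hosts: int = 3) -> List[Tuple[str, str, str]]:
    """Return (rule, user, detail) findings for successful remote-admin sessions."""
    events = [e for e in map(parse_line, lines)
              if e and e.result == "success" and e.proto in ADMIN_PROTOS]
    events.sort(key=lambda e: e.ts)
    findings: List[Tuple[str, str, str]] = []

    # Rule 2: any remote-admin session sourced from outside enterprise ranges.
    for e in events:
        if is_external(e.src):
            findings.append(("external_admin_source", e.user,
                             f"{e.proto} to {e.dst} from {e.src}"))

    # Rule 1: sliding window of distinct destination hosts per privileged account.
    by_user = defaultdict(list)
    for e in events:
        if e.user in privileged:
            by_user[e.user].append(e)
    for user, evs in by_user.items():
        start = 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:
                start += 1
            hosts = {x.dst for x in evs[start:end + 1]}
            if len(hosts) > max_hosts:
                findings.append(("admin_fanout", user, f"{len(hosts)} hosts within {window}"))
                break  # one finding per account is enough for this illustration
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG, {"da_admin"}):
        print(f"{rule:24} {user:12} {detail}")
```

The thresholds are deliberately conservative and would be tuned per environment; the point is that both rules key on identity and session context (who, from where, to how many hosts, how fast) rather than on any file or signature, which is exactly the gap the article describes.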

Understanding these tactics is important in designing a defense strategy that doesn’t rely solely on perimeter security. Looking at the timeline of how Volt Typhoon executed their multi-year campaign gives you an idea of the persistence that led to their infamous exploits.

The Challenge for Security Teams

Traditional security models focus on stopping malware, blocking known attack vectors, and detecting anomalies, but Volt Typhoon’s tactics highlight a critical weakness: security tools that rely on signature-based or anomaly detection are ineffective against adversaries who use legitimate IT tools against their victims.

To counter these threats, security teams need to take a proactive approach, focusing on detection mechanisms beyond malware signatures.

Adapting to a Stealthier Threat

Defending against Volt Typhoon requires a shift away from traditional security measures that rely on malware detection and perimeter defenses. Their ability to blend in with legitimate administrative activity makes them invisible to most security tools, which is why organizations need proactive, real-time detection strategies that go beyond static rules and signatures.

Why Traditional Security Falls Short

Many existing security solutions struggle to detect Volt Typhoon because they focus on known threats, static indicators, and malware signatures. Even advanced anomaly detection often fails because Volt Typhoon moves like an insider, leveraging stolen credentials. Perimeter defenses? They use them as entry points instead of barriers.

Closing the Gaps with Intent-Based Security

To truly combat threats like Volt Typhoon, organizations need to assume adversaries are already inside and focus on real-time behavioral monitoring and adaptive security controls. This is where Keystrike changes the game.

Keystrike’s approach to intent-based security detects stealthy threats operating within trusted environments—even those that bypass SIEMs, evade endpoint detection, and abuse legitimate IT tools. Instead of relying on outdated security models that miss identity-based threats, Keystrike continuously analyzes session integrity, access patterns, and privilege escalations to identify adversaries hiding in plain sight.

Why Keystrike?

  • Real-Time Session Integrity Monitoring – Detects hijacked sessions and unauthorized credential use, even when adversaries mimic legitimate admin behavior.
  • Identity-Centric Security – Focuses on who is accessing what, how, and why, preventing attackers from blending in with normal IT activity.
  • Adaptive Threat Response – Goes beyond static policies, dynamically adjusting security controls to detect and stop stealthy threats in real time.

Organizations must shift to intent-based, adaptive security solutions—not just to detect these threats but to stop them before they can cause damage.

What’s Next?

Volt Typhoon is just one piece of a larger puzzle. As we saw, Salt Typhoon specializes in deep-cover espionage, ensuring persistent access, while Flax Typhoon takes a different approach—rapidly compromising as many networks as possible through credential theft. Their goal isn’t patience; it’s scale, overwhelming defenses through sheer volume.

No matter the method, these attackers exploit identity-based weaknesses and evade traditional security tools and methods. Perimeter defenses and signature-based detection can’t stop them, but Keystrike can. By continuously analyzing session integrity, privilege escalations, and access behaviors, Keystrike detects and shuts down stealthy adversaries before they escalate their attacks.

Security threats are already inside—Keystrike ensures they don’t stay there. With real-time detection and adaptive security controls, organizations don’t just react; they prevent attacks before damage is done.

To learn more about how Keystrike helps organizations detect and stop stealthy adversaries, visit Keystrike.com.
