Mandiant Intelligence Chief Raises Alarm Over China’s ‘Volt Typhoon’ Hackers in US Critical Infrastructure

Mandiant’s Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in a series of eyebrow-raising attacks against targets in Guam and the United States.


ATLANTA – SECURITYWEEK 2023 ICS CYBERSECURITY CONFERENCE – Chief analyst at Mandiant Intelligence John Hultquist says defenders in the critical infrastructure trenches should urgently work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in a series of eyebrow-raising attacks against targets in Guam and the United States.

Speaking at a keynote fireside chat at SecurityWeek’s 2023 ICS Cybersecurity Conference in Atlanta on Tuesday, Hultquist said the Volt Typhoon campaign included “very deliberate targeting of critical infrastructure” installations and represents a major shift by Chinese hacking teams known mostly for economic espionage and IP theft.

“This Volt Typhoon activity is a brand-new thing for them. We have not seen a lot of deliberate targeting in the critical infrastructure space from China,” Hultquist said. “Occasionally, we’ll catch them probing into power, but this is a deliberate, long-term attempt to infiltrate a lot of critical infrastructure in a way that stays below the radar.”

The Volt Typhoon campaign was first flagged by Microsoft, which reported deliberate targeting of critical infrastructure in Guam, a discovery that raised eyebrows because the tiny island is considered an important part of a future China/Taiwan military conflict.

“They were found in Guam but they were also discovered all over the continental United States, including in telecommunications and logistics. Microsoft indicated that they’ve also been found in power and water sectors,” Hultquist noted.

“The NSA indicated that their theory behind this is that they are digging in for the possibility of creating a disruptive event in the event of a wartime scenario. While I don’t have the intelligence to confirm that, the deliberate targeting of critical infrastructure makes it a priority for us. This is especially concerning given how hard they’re working on their operational security, using botnets and zero-days to stay below the radar,” Hultquist added.


Volt Typhoon has been publicly documented as “stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery.”

“Microsoft assesses with moderate confidence that this [Chinese cyberespionage] campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the software giant said in a note documenting the APT discovery.

The group, active since mid-2021, has compromised a wide variety of organizations spanning the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.


Hultquist urged defenders to prioritize patching and mitigations for internet-facing edge devices and network routers that provide a major entry point for high-end attackers. 

In the case of Volt Typhoon, he noted that the attackers are leveraging botnets for command and control with minimal use of malware, making it really hard to hunt them.

“You should really be keeping your eye on two things right now. One is the Volt Typhoon situation; it’s all over the United States. They are clearly dug in, and we’re going to have to root them out. The second one is the current situation in the Middle East. The United States is heavily involved, and because of that, the likelihood of some sort of response, possibly from Iran, is legitimate. We have to keep that in mind as well. You’re starting to see some telemetry; they are at play without a doubt.”

Sessions from SecurityWeek’s ICS Cybersecurity Conference can be watched in both live stream and on demand this week.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

