Intermediate

Security Hot Takes: Critical Infrastructure Advisory

This briefing walks through a joint cybersecurity advisory addressing Volt Typhoon, a People's Republic of China (PRC) state-sponsored threat actor, and what the findings mean for asset o...

Table of Contents

Module 1: The Volt Typhoon Critical Infrastructure Advisory

Why This Advisory Matters: A Hypothetical Impact Scenario

To understand why this advisory triggered such a strong diplomatic and technical response, consider the kind of scenario security teams are now forced to plan for: a sustained cyber campaign against energy, water, and transportation infrastructure is discovered, prompting a foreign ambassador to be summoned for an emergency meeting. In this hypothetical, a fire breaks out at an oil refinery following a coordinated cyberattack, while major metropolitan areas are left without electricity and water service. This is not a description of a confirmed real-world event — it is an illustrative worst-case scenario used to frame the stakes of the advisory discussed below. It captures exactly why the prepositioning activity described in this advisory is treated as a national-security-level concern rather than a routine espionage disclosure: the threat actor’s foothold is not about stealing data, it is about maintaining the option to disrupt physical infrastructure at a time of the attacker’s choosing.

Overview: A Coordinated International Response

This briefing walks through a joint cybersecurity advisory addressing Volt Typhoon, a People’s Republic of China (PRC) state-sponsored threat actor, and what the findings mean for asset owners and operators of critical infrastructure. The advisory represents a significant escalation in tactics: rather than traditional cyber-espionage aimed at data theft, Volt Typhoon has been observed prepositioning itself inside critical infrastructure networks for potential future disruptive or destructive attacks.

The advisory builds on an earlier warning issued in May 2023 that first laid out much of the group’s tradecraft. What stands out about the current advisory is the breadth of the coalition that co-authored it — a “who’s who” of Western cybersecurity and intelligence agencies:

CountryAuthoring Agency/Agencies
United StatesFBI, NSA, CISA
United KingdomNational Cyber Security Centre (NCSC-UK)
CanadaCanadian Centre for Cyber Security
New ZealandNational Cyber Security Centre (NCSC-NZ)
AustraliaAustralian Cyber Security Centre (implied Five Eyes participation)

The advisory documents Volt Typhoon’s tactics, techniques, and procedures (TTPs) using the MITRE ATT&CK framework, and while the group tailors its approach to each victim environment, it consistently follows a recognizable pattern of behavior across the intrusions investigated so far.

mindmap
  root((Joint Advisory Coalition))
    United States
      FBI
      NSA
      CISA
    United Kingdom
      NCSC-UK
    Canada
      Canadian Centre for Cyber Security
    New Zealand
      NCSC-NZ
    Australia
      ACSC

Volt Typhoon’s Strategic Shift: From Espionage to Prepositioning

Unlike a typical “smash and grab” intrusion, Volt Typhoon’s campaigns are characterized by extraordinary patience. In some documented cases, the actor maintained access inside a victim network for several years before any disruptive action was taken (or before discovery). The operation followed a deliberate, staged progression:

flowchart LR
    A[Reconnaissance<br/>people, process, technology] --> B[Initial Access<br/>edge device exploitation]
    B --> C[Internal Discovery<br/>network scanning, RDP, domain controllers]
    C --> D[Credential Access<br/>NTDS.DIT theft + Mimikatz]
    D --> E[Lateral Movement<br/>pass-the-hash across the network]
    E --> F[OT/ICS Targeting<br/>default vendor credentials]
    F --> G[Long-Term Prepositioning<br/>option for future disruption]

This is a fundamental shift from conventional nation-state cyber-espionage (steal data, exfiltrate, move on) toward maintaining a standing, dormant capability to disrupt or destroy physical infrastructure processes if a geopolitical trigger occurs.

Initial Access: Reconnaissance and Edge Device Exploitation

Volt Typhoon’s reconnaissance phase covers people, processes, and technology:

  • Identifying network topologies and security controls likely in place at the target.
  • Profiling key network and IT staff, including their typical working hours and behaviors — likely to enhance the actor’s own operational security (OPSEC). For example, the actor may deliberately avoid using compromised network-admin credentials outside that admin’s normal working hours, specifically to avoid triggering time-of-day-based security alerts.
  • Open-source reconnaissance of employee information, corporate web pages, and professional social media profiles (e.g., LinkedIn) to build a picture of the organization before the intrusion begins.

For initial access, the group did not rely on custom malware or novel infrastructure. Instead, it used tools like Shodan to discover internet-exposed, vulnerable network appliances, then exploited known vulnerabilities in edge devices — the advisory specifically calls out products such as Ivanti Secure VPN and Fortinet FortiGate VPN appliances as having been targeted using previously disclosed CVEs.

sequenceDiagram
    participant Attacker as Volt Typhoon
    participant Internet as Shodan / Internet Scanning
    participant Edge as Edge Appliance (VPN/Firewall)
    participant Internal as Internal Network

    Attacker->>Internet: Scan for exposed appliances
    Internet-->>Attacker: Identify vulnerable Ivanti/FortiGate device
    Attacker->>Edge: Exploit known/zero-day CVE
    Edge-->>Attacker: Initial foothold
    Attacker->>Edge: Harvest credentials stored on appliance
    Attacker->>Internal: Pivot using harvested credentials
    Internal-->>Attacker: Access to RDP servers, domain controllers

Why Edge Devices Are the Preferred Entry Point

This pattern is consistent with a broader trend the discussion highlights: threat actors increasingly target edge devices — firewalls, VPN concentrators, and hypervisors — rather than traditional endpoint malware delivery. Industry research (cited from Mandiant) estimates that roughly 85% of known zero-day vulnerabilities exploited by Chinese state-sponsored groups since 2021 have targeted public-facing appliances of this kind.

The core problem is architectural: a VPN concentrator is built to be a VPN endpoint, not an intrusion detection system. It generally has no built-in capability to detect that it has been compromised or to shut itself down in response. Combined with the reality that a patch may not always be available for a given flaw (i.e., true zero-days), this makes edge appliances a persistently attractive target.

FactorWhy It Favors Attackers
Purpose-built functionVPN/firewall appliances are not designed with self-monitoring/IDS capability
Patch availabilityZero-days may have no available fix at time of exploitation
Credential storageSome appliances have been found storing high-privilege credentials insecurely
Internet exposureMust be internet-facing by design, increasing discoverability via tools like Shodan
Limited loggingAppliance-level compromises are less likely to generate visible security alerts

Credential Harvesting and Privilege Escalation

After establishing initial access, the next objective is credential harvesting — specifically pursuing domain admin credentials. The most common technique observed was exploitation of privilege escalation vulnerabilities in the operating system or network services. In at least one documented case, Volt Typhoon exploited a heap-based buffer overflow vulnerability in a Fortinet device to compromise a domain admin account whose credentials were stored on that device — a stark reminder that domain admin credentials should never reside on edge appliances.

Once valid domain credentials are obtained, lateral movement becomes straightforward. The actor identified RDP-enabled servers throughout the network, used them to move laterally, and ultimately located a domain controller (DC).

Extracting the Active Directory Database

With administrative access to (or in proximity to) a domain controller, Volt Typhoon was observed using multiple distinct methods to extract the Active Directory database (NTDS.DIT) and the associated SYSTEM registry hive, which together allow offline extraction of every account’s password hash.

flowchart TD
    Start([Admin credentials obtained]) --> Choice{AD Extraction Method}
    Choice -->|1| VSS[Volume Shadow Copy Service<br/>vssadmin manual snapshot]
    Choice -->|2| NTDSUtil[ntdsutil IFM export<br/>legitimate built-in tool]
    Choice -->|3| PowerSploit[PowerSploit module<br/>VSS-backed PowerShell extraction]
    Choice -->|4| Snapshot[Virtual machine snapshot<br/>of the domain controller]
    VSS --> Extract[Offline NTDS.DIT + SYSTEM hive]
    NTDSUtil --> Extract
    PowerSploit --> Extract
    Snapshot --> Extract
    Extract --> Hashes[Extract password hashes<br/>e.g. via Mimikatz]
    Hashes --> PTH[Pass-the-hash across<br/>other network services]

Method 1: Volume Shadow Copy Service (VSS)

The Volume Shadow Copy Service has existed in Windows Server since Windows Server 2000 and can be manually invoked to create a point-in-time copy of a live volume — including the volume holding the Active Directory database. Because it is a legitimate, built-in Windows feature, using it does not raise an alert by default.

# Representative example of manually creating a shadow copy to access a locked file (illustrative)
vssadmin create shadow /for=C:

# Copy the Active Directory database and registry hive out of the shadow copy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM

Method 2: ntdsutil

ntdsutil is a legitimate, long-standing command-line management tool for Active Directory Domain Services, commonly used by administrators for tasks such as transferring FSMO roles. Because it is a fully expected tool in any AD environment, its use is extremely stealthy — it does not generate a log entry flagging its use for credential extraction, making it one of the quietest available techniques.

# Representative example of the ntdsutil "Install From Media" (IFM) extraction technique
ntdsutil
  activate instance ntds
  ifm
    create full C:\temp\ntds-extract
  quit
quit

This produces a full offline copy of ntds.dit and the SYSTEM hive that can be moved off-box and cracked or parsed at leisure.

Method 3: PowerSploit (VSS-backed PowerShell Extraction)

A somewhat less stealthy — but still commonly used — technique involves modules from the PowerSploit penetration-testing framework (such as Invoke-NinjaCopy), which use the Volume Shadow Copy Service under the hood to create a new volume that can be used to copy out locked files, including ntds.dit. Running the full module is more conspicuous because it is recognizable as a known offensive-security toolkit; however, an attacker can break the module down into its individual underlying PowerShell commands and run them separately, which looks far more like ordinary administrative activity in security logs.

# Representative example: PowerSploit-style VSS-backed extraction (illustrative)
Invoke-NinjaCopy -Path "C:\Windows\NTDS\ntds.dit" -LocalDestination "C:\temp\ntds.dit"

Because PowerShell itself is often poorly monitored on enterprise networks — despite the availability of Group Policy–based module logging and constrained language mode — commands run outside of the full framework can blend into normal admin noise entirely.

Method 4: Virtual Machine Snapshots

If the domain controller runs as a virtual machine, an attacker can instead target any existing VM snapshots and pull the NTDS.DIT file directly out of one. A snapshot is, by definition, a full point-in-time copy of the VM’s disk — including the live Active Directory database at the time the snapshot was taken. If a snapshot exists (for rollback/recovery purposes), it effectively hands the attacker a ready-made offline copy of the domain database.

AD Extraction TechniqueStealth LevelWhy
vssadmin shadow copyHighBuilt-in feature; no default logging of the read operation
ntdsutil IFM exportVery HighLegitimate admin tool; leaves minimal forensic trace
PowerSploit module (full)MediumRecognizable as an offensive toolkit if module logging is enabled
PowerSploit commands (broken apart)HighIndividual PowerShell commands blend in with normal administration
VM snapshot extractionHighExploits an existing artifact retained for legitimate recovery purposes

Once the hashes are extracted from the database (commonly using a credential-dumping tool such as Mimikatz), the actor can either use them directly via pass-the-hash techniques against other services on the network, or crack them offline to recover plaintext passwords.

# Representative example of offline hash extraction from a stolen NTDS.DIT + SYSTEM hive (illustrative)
mimikatz # lsadump::dcsync /domain:contoso.local /user:krbtgt

Living-off-the-Land: Operational Security and Stealth

A defining characteristic of this campaign is Volt Typhoon’s extensive use of living-off-the-land binaries (LOLBins) — legitimate, pre-installed Windows commands and utilities (such as ntdsutil and native PowerShell) — rather than custom malware. This choice is deliberate: introducing malware onto a host is highly likely to trigger an alert, immediately drawing defender attention to the compromised system. By instead relying entirely on tools that are already expected to exist and be used in the environment, the group avoids leaving malware artifacts behind and blends its activity into routine administrative noise.

flowchart LR
    subgraph "Traditional Malware Approach"
    M1[Deploy custom malware] --> M2[AV/EDR alert triggered]
    M2 --> M3[Defenders isolate host]
    end
    subgraph "Volt Typhoon LOLBin Approach"
    L1[Use native Windows/Linux commands] --> L2[No malware signature to detect]
    L2 --> L3[Blends into normal admin activity]
    L3 --> L4[Long-term undetected persistence]
    end

This operational discipline — patience, avoidance of malware, careful timing of credential use, and reliance on native tooling — is what makes Volt Typhoon exceptionally difficult to detect using traditional signature-based defenses.

The Endgame: Reaching Operational Technology and Industrial Control Systems

With domain-level access effectively achieved (“the keys to the kingdom”), the critical question is: what was the actor’s actual objective? Rather than broadly exploiting every system available to them, Volt Typhoon remained sharply focused on one goal: reaching operational technology (OT) and industrial control systems (ICS).

Observed behavior included:

  • Testing access to OT assets using default OT vendor credentials.
  • In some cases, accessing OT systems using credentials obtained via the earlier NTDS.DIT theft.
  • In one confirmed compromise, moving laterally from one control system to a second control system, demonstrating deep familiarity with — and entrenchment within — the OT environment.
  • Gaining access to camera surveillance systems at critical infrastructure sites in some cases.
flowchart TD
    A[Domain Admin Access via NTDS.DIT] --> B[Test default OT vendor credentials]
    B --> C[Access Control System 1]
    C --> D[Lateral movement to Control System 2]
    A --> E[Access camera surveillance systems]
    C --> F[Potential impact: HVAC manipulation]
    C --> G[Potential impact: ICS process disruption]
    D --> H[Potential impact: energy/water facility disruption]

The implications are significant: with this level of access, an actor could manipulate building systems such as HVAC in server rooms, or disrupt industrial control processes at energy and water facilities. The fact that the group is described as “critical infrastructure” specific is not incidental — disruption at this level has the potential to cascade into broader economic and public-safety impact.

A recurring theme in the discussion is basic security hygiene failure as a root enabler: default credentials on perimeter appliances and OT equipment remain a widespread, preventable weakness. Combined with insufficient monitoring, this creates an environment where a patient, disciplined actor like Volt Typhoon can operate almost invisibly for years.

TTP Summary and MITRE ATT&CK Mapping

PhaseTechnique (Representative)MITRE ATT&CK Category
ReconnaissanceOSINT on staff, network topology, security controlsReconnaissance
Initial AccessExploitation of public-facing edge appliances (Ivanti, FortiGate)Exploit Public-Facing Application
Initial AccessUse of Shodan to identify vulnerable internet-exposed devicesActive Scanning
Credential AccessCredentials stored insecurely on compromised appliancesUnsecured Credentials
Privilege EscalationExploitation of OS/network service privilege escalation flawsExploitation for Privilege Escalation
DiscoveryInternal network scanning, RDP/domain controller enumerationNetwork Service Discovery, Remote System Discovery
Credential AccessNTDS.DIT extraction via VSS / ntdsutil / PowerSploit / VM snapshotOS Credential Dumping: NTDS
Credential AccessHash extraction via Mimikatz-style toolingOS Credential Dumping
Lateral MovementPass-the-hash using extracted credentialsUse Alternate Authentication Material
Defense EvasionLiving-off-the-land binaries (native OS commands)System Binary Proxy Execution
Defense EvasionOPSEC-aware timing of credential use (avoiding off-hours anomalies)Impair Defenses (behavioral)
Collection/Impact (potential)Access to OT/ICS assets via default vendor credentialsValid Accounts (OT-specific)
Collection (potential)Access to physical surveillance camera systemsCollection

Mitigation and Defensive Recommendations

RecommendationRationale
Eliminate default credentials on all network and OT vendor equipmentDefault credentials were a recurring enabler across multiple stages of the intrusion
Patch internet-facing edge appliances (VPNs, firewalls) promptlyEdge devices are the primary initial-access vector; zero-days remain a residual risk
Never store domain admin or other high-privilege credentials on edge appliancesDirectly enabled privilege escalation in at least one documented case
Enable and monitor PowerShell logging (module logging, script block logging)LOLBin/PowerShell activity is otherwise invisible to defenders
Monitor and alert on ntdsutil, vssadmin, and unexpected VSS/snapshot activityThese built-in tools are abused precisely because they are rarely monitored
Restrict and audit VM snapshot access for domain controllersSnapshots can serve as an unintended offline copy of the AD database
Segment IT and OT networks; enforce unique credentials for OT systemsPrevents IT-side credential theft from translating into OT access
Increase monitoring maturity for edge device and appliance logsAppliances typically lack built-in intrusion detection
Conduct proactive threat hunting for living-off-the-land activitySignature-based/malware-focused detection will not catch this actor
Review and restrict remote access protocols (RDP) between network segmentsUsed extensively for lateral movement toward domain controllers

Summary

Volt Typhoon represents a meaningful evolution in nation-state cyber threat activity against critical infrastructure: rather than smash-and-grab espionage, the group demonstrates extraordinary patience, disciplined operational security, and a clear focus on reaching operational technology and industrial control systems rather than simply exfiltrating data. Its toolkit is deliberately unremarkable — reconnaissance via open-source intelligence and Shodan, exploitation of known vulnerabilities in edge appliances like Ivanti and FortiGate VPNs, and near-total reliance on living-off-the-land techniques such as ntdsutil, vssadmin, native PowerShell, and VM snapshot abuse to extract the Active Directory database and its credential hashes. The ultimate objective observed across confirmed compromises was positioning for potential future disruption of energy, water, and other critical infrastructure sectors — not conventional data theft.

Defensive Checklist:

  • Eliminate all default credentials on network appliances and OT/ICS vendor equipment.
  • Patch and monitor all internet-facing VPN, firewall, and edge appliances; assume some flaws will be zero-days.
  • Prohibit storage of domain admin or other privileged credentials on edge devices.
  • Enable PowerShell module and script block logging across the environment.
  • Alert on anomalous use of ntdsutil, vssadmin, and unexpected shadow copy/snapshot creation.
  • Restrict and audit access to domain controller VM snapshots.
  • Enforce IT/OT network segmentation with unique, non-reused credentials on each side.
  • Increase edge appliance and OT vendor equipment log monitoring maturity.
  • Proactively threat-hunt for living-off-the-land activity rather than relying solely on malware signatures.
  • Review and tightly control RDP and other lateral-movement-enabling remote access protocols.
  • Treat OT/ICS credential hygiene as a first-class security priority, not an afterthought.

Search Terms

security · hot · takes · critical · infrastructure · advisory · threat · intel · networking · systems · method · edge · operational · typhoon · volt

More Security Hot Takes & Threat Intel courses

View all 21

Interested in this course?

Contact us to book it or get a custom training plan for your team.