Table of Contents
- Module 1: The Volt Typhoon Critical Infrastructure Advisory
- Why This Advisory Matters: A Hypothetical Impact Scenario
- Overview: A Coordinated International Response
- Volt Typhoon’s Strategic Shift: From Espionage to Prepositioning
- Initial Access: Reconnaissance and Edge Device Exploitation
- Why Edge Devices Are the Preferred Entry Point
- Credential Harvesting and Privilege Escalation
- Extracting the Active Directory Database
- Living-off-the-Land: Operational Security and Stealth
- The Endgame: Reaching Operational Technology and Industrial Control Systems
- TTP Summary and MITRE ATT&CK Mapping
- Mitigation and Defensive Recommendations
- Summary
Module 1: The Volt Typhoon Critical Infrastructure Advisory
Why This Advisory Matters: A Hypothetical Impact Scenario
To understand why this advisory triggered such a strong diplomatic and technical response, consider the kind of scenario security teams are now forced to plan for: a sustained cyber campaign against energy, water, and transportation infrastructure is discovered, prompting a foreign ambassador to be summoned for an emergency meeting. In this hypothetical, a fire breaks out at an oil refinery following a coordinated cyberattack, while major metropolitan areas are left without electricity and water service. This is not a description of a confirmed real-world event — it is an illustrative worst-case scenario used to frame the stakes of the advisory discussed below. It captures exactly why the prepositioning activity described in this advisory is treated as a national-security-level concern rather than a routine espionage disclosure: the threat actor’s foothold is not about stealing data, it is about maintaining the option to disrupt physical infrastructure at a time of the attacker’s choosing.
Overview: A Coordinated International Response
This briefing walks through a joint cybersecurity advisory addressing Volt Typhoon, a People’s Republic of China (PRC) state-sponsored threat actor, and what the findings mean for asset owners and operators of critical infrastructure. The advisory represents a significant escalation in tactics: rather than traditional cyber-espionage aimed at data theft, Volt Typhoon has been observed prepositioning itself inside critical infrastructure networks for potential future disruptive or destructive attacks.
The advisory builds on an earlier warning issued in May 2023 that first laid out much of the group’s tradecraft. What stands out about the current advisory is the breadth of the coalition that co-authored it — a “who’s who” of Western cybersecurity and intelligence agencies:
| Country | Authoring Agency/Agencies |
|---|---|
| United States | FBI, NSA, CISA |
| United Kingdom | National Cyber Security Centre (NCSC-UK) |
| Canada | Canadian Centre for Cyber Security |
| New Zealand | National Cyber Security Centre (NCSC-NZ) |
| Australia | Australian Cyber Security Centre (implied Five Eyes participation) |
The advisory documents Volt Typhoon’s tactics, techniques, and procedures (TTPs) using the MITRE ATT&CK framework, and while the group tailors its approach to each victim environment, it consistently follows a recognizable pattern of behavior across the intrusions investigated so far.
mindmap
root((Joint Advisory Coalition))
United States
FBI
NSA
CISA
United Kingdom
NCSC-UK
Canada
Canadian Centre for Cyber Security
New Zealand
NCSC-NZ
Australia
ACSC
Volt Typhoon’s Strategic Shift: From Espionage to Prepositioning
Unlike a typical “smash and grab” intrusion, Volt Typhoon’s campaigns are characterized by extraordinary patience. In some documented cases, the actor maintained access inside a victim network for several years before any disruptive action was taken (or before discovery). The operation followed a deliberate, staged progression:
flowchart LR
A[Reconnaissance<br/>people, process, technology] --> B[Initial Access<br/>edge device exploitation]
B --> C[Internal Discovery<br/>network scanning, RDP, domain controllers]
C --> D[Credential Access<br/>NTDS.DIT theft + Mimikatz]
D --> E[Lateral Movement<br/>pass-the-hash across the network]
E --> F[OT/ICS Targeting<br/>default vendor credentials]
F --> G[Long-Term Prepositioning<br/>option for future disruption]
This is a fundamental shift from conventional nation-state cyber-espionage (steal data, exfiltrate, move on) toward maintaining a standing, dormant capability to disrupt or destroy physical infrastructure processes if a geopolitical trigger occurs.
Initial Access: Reconnaissance and Edge Device Exploitation
Volt Typhoon’s reconnaissance phase covers people, processes, and technology:
- Identifying network topologies and security controls likely in place at the target.
- Profiling key network and IT staff, including their typical working hours and behaviors — likely to enhance the actor’s own operational security (OPSEC). For example, the actor may deliberately avoid using compromised network-admin credentials outside that admin’s normal working hours, specifically to avoid triggering time-of-day-based security alerts.
- Open-source reconnaissance of employee information, corporate web pages, and professional social media profiles (e.g., LinkedIn) to build a picture of the organization before the intrusion begins.
For initial access, the group did not rely on custom malware or novel infrastructure. Instead, it used tools like Shodan to discover internet-exposed, vulnerable network appliances, then exploited known vulnerabilities in edge devices — the advisory specifically calls out products such as Ivanti Secure VPN and Fortinet FortiGate VPN appliances as having been targeted using previously disclosed CVEs.
sequenceDiagram
participant Attacker as Volt Typhoon
participant Internet as Shodan / Internet Scanning
participant Edge as Edge Appliance (VPN/Firewall)
participant Internal as Internal Network
Attacker->>Internet: Scan for exposed appliances
Internet-->>Attacker: Identify vulnerable Ivanti/FortiGate device
Attacker->>Edge: Exploit known/zero-day CVE
Edge-->>Attacker: Initial foothold
Attacker->>Edge: Harvest credentials stored on appliance
Attacker->>Internal: Pivot using harvested credentials
Internal-->>Attacker: Access to RDP servers, domain controllers
Why Edge Devices Are the Preferred Entry Point
This pattern is consistent with a broader trend the discussion highlights: threat actors increasingly target edge devices — firewalls, VPN concentrators, and hypervisors — rather than traditional endpoint malware delivery. Industry research (cited from Mandiant) estimates that roughly 85% of known zero-day vulnerabilities exploited by Chinese state-sponsored groups since 2021 have targeted public-facing appliances of this kind.
The core problem is architectural: a VPN concentrator is built to be a VPN endpoint, not an intrusion detection system. It generally has no built-in capability to detect that it has been compromised or to shut itself down in response. Combined with the reality that a patch may not always be available for a given flaw (i.e., true zero-days), this makes edge appliances a persistently attractive target.
| Factor | Why It Favors Attackers |
|---|---|
| Purpose-built function | VPN/firewall appliances are not designed with self-monitoring/IDS capability |
| Patch availability | Zero-days may have no available fix at time of exploitation |
| Credential storage | Some appliances have been found storing high-privilege credentials insecurely |
| Internet exposure | Must be internet-facing by design, increasing discoverability via tools like Shodan |
| Limited logging | Appliance-level compromises are less likely to generate visible security alerts |
Credential Harvesting and Privilege Escalation
After establishing initial access, the next objective is credential harvesting — specifically pursuing domain admin credentials. The most common technique observed was exploitation of privilege escalation vulnerabilities in the operating system or network services. In at least one documented case, Volt Typhoon exploited a heap-based buffer overflow vulnerability in a Fortinet device to compromise a domain admin account whose credentials were stored on that device — a stark reminder that domain admin credentials should never reside on edge appliances.
Once valid domain credentials are obtained, lateral movement becomes straightforward. The actor identified RDP-enabled servers throughout the network, used them to move laterally, and ultimately located a domain controller (DC).
Extracting the Active Directory Database
With administrative access to (or in proximity to) a domain controller, Volt Typhoon was observed using multiple distinct methods to extract the Active Directory database (NTDS.DIT) and the associated SYSTEM registry hive, which together allow offline extraction of every account’s password hash.
flowchart TD
Start([Admin credentials obtained]) --> Choice{AD Extraction Method}
Choice -->|1| VSS[Volume Shadow Copy Service<br/>vssadmin manual snapshot]
Choice -->|2| NTDSUtil[ntdsutil IFM export<br/>legitimate built-in tool]
Choice -->|3| PowerSploit[PowerSploit module<br/>VSS-backed PowerShell extraction]
Choice -->|4| Snapshot[Virtual machine snapshot<br/>of the domain controller]
VSS --> Extract[Offline NTDS.DIT + SYSTEM hive]
NTDSUtil --> Extract
PowerSploit --> Extract
Snapshot --> Extract
Extract --> Hashes[Extract password hashes<br/>e.g. via Mimikatz]
Hashes --> PTH[Pass-the-hash across<br/>other network services]
Method 1: Volume Shadow Copy Service (VSS)
The Volume Shadow Copy Service has existed in Windows Server since Windows Server 2000 and can be manually invoked to create a point-in-time copy of a live volume — including the volume holding the Active Directory database. Because it is a legitimate, built-in Windows feature, using it does not raise an alert by default.
# Representative example of manually creating a shadow copy to access a locked file (illustrative)
vssadmin create shadow /for=C:
# Copy the Active Directory database and registry hive out of the shadow copy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM
Method 2: ntdsutil
ntdsutil is a legitimate, long-standing command-line management tool for Active Directory Domain Services, commonly used by administrators for tasks such as transferring FSMO roles. Because it is a fully expected tool in any AD environment, its use is extremely stealthy — it does not generate a log entry flagging its use for credential extraction, making it one of the quietest available techniques.
# Representative example of the ntdsutil "Install From Media" (IFM) extraction technique
ntdsutil
activate instance ntds
ifm
create full C:\temp\ntds-extract
quit
quit
This produces a full offline copy of ntds.dit and the SYSTEM hive that can be moved off-box and cracked or parsed at leisure.
Method 3: PowerSploit (VSS-backed PowerShell Extraction)
A somewhat less stealthy — but still commonly used — technique involves modules from the PowerSploit penetration-testing framework (such as Invoke-NinjaCopy), which use the Volume Shadow Copy Service under the hood to create a new volume that can be used to copy out locked files, including ntds.dit. Running the full module is more conspicuous because it is recognizable as a known offensive-security toolkit; however, an attacker can break the module down into its individual underlying PowerShell commands and run them separately, which looks far more like ordinary administrative activity in security logs.
# Representative example: PowerSploit-style VSS-backed extraction (illustrative)
Invoke-NinjaCopy -Path "C:\Windows\NTDS\ntds.dit" -LocalDestination "C:\temp\ntds.dit"
Because PowerShell itself is often poorly monitored on enterprise networks — despite the availability of Group Policy–based module logging and constrained language mode — commands run outside of the full framework can blend into normal admin noise entirely.
Method 4: Virtual Machine Snapshots
If the domain controller runs as a virtual machine, an attacker can instead target any existing VM snapshots and pull the NTDS.DIT file directly out of one. A snapshot is, by definition, a full point-in-time copy of the VM’s disk — including the live Active Directory database at the time the snapshot was taken. If a snapshot exists (for rollback/recovery purposes), it effectively hands the attacker a ready-made offline copy of the domain database.
| AD Extraction Technique | Stealth Level | Why |
|---|---|---|
vssadmin shadow copy | High | Built-in feature; no default logging of the read operation |
ntdsutil IFM export | Very High | Legitimate admin tool; leaves minimal forensic trace |
| PowerSploit module (full) | Medium | Recognizable as an offensive toolkit if module logging is enabled |
| PowerSploit commands (broken apart) | High | Individual PowerShell commands blend in with normal administration |
| VM snapshot extraction | High | Exploits an existing artifact retained for legitimate recovery purposes |
Once the hashes are extracted from the database (commonly using a credential-dumping tool such as Mimikatz), the actor can either use them directly via pass-the-hash techniques against other services on the network, or crack them offline to recover plaintext passwords.
# Representative example of offline hash extraction from a stolen NTDS.DIT + SYSTEM hive (illustrative)
mimikatz # lsadump::dcsync /domain:contoso.local /user:krbtgt
Living-off-the-Land: Operational Security and Stealth
A defining characteristic of this campaign is Volt Typhoon’s extensive use of living-off-the-land binaries (LOLBins) — legitimate, pre-installed Windows commands and utilities (such as ntdsutil and native PowerShell) — rather than custom malware. This choice is deliberate: introducing malware onto a host is highly likely to trigger an alert, immediately drawing defender attention to the compromised system. By instead relying entirely on tools that are already expected to exist and be used in the environment, the group avoids leaving malware artifacts behind and blends its activity into routine administrative noise.
flowchart LR
subgraph "Traditional Malware Approach"
M1[Deploy custom malware] --> M2[AV/EDR alert triggered]
M2 --> M3[Defenders isolate host]
end
subgraph "Volt Typhoon LOLBin Approach"
L1[Use native Windows/Linux commands] --> L2[No malware signature to detect]
L2 --> L3[Blends into normal admin activity]
L3 --> L4[Long-term undetected persistence]
end
This operational discipline — patience, avoidance of malware, careful timing of credential use, and reliance on native tooling — is what makes Volt Typhoon exceptionally difficult to detect using traditional signature-based defenses.
The Endgame: Reaching Operational Technology and Industrial Control Systems
With domain-level access effectively achieved (“the keys to the kingdom”), the critical question is: what was the actor’s actual objective? Rather than broadly exploiting every system available to them, Volt Typhoon remained sharply focused on one goal: reaching operational technology (OT) and industrial control systems (ICS).
Observed behavior included:
- Testing access to OT assets using default OT vendor credentials.
- In some cases, accessing OT systems using credentials obtained via the earlier
NTDS.DITtheft. - In one confirmed compromise, moving laterally from one control system to a second control system, demonstrating deep familiarity with — and entrenchment within — the OT environment.
- Gaining access to camera surveillance systems at critical infrastructure sites in some cases.
flowchart TD
A[Domain Admin Access via NTDS.DIT] --> B[Test default OT vendor credentials]
B --> C[Access Control System 1]
C --> D[Lateral movement to Control System 2]
A --> E[Access camera surveillance systems]
C --> F[Potential impact: HVAC manipulation]
C --> G[Potential impact: ICS process disruption]
D --> H[Potential impact: energy/water facility disruption]
The implications are significant: with this level of access, an actor could manipulate building systems such as HVAC in server rooms, or disrupt industrial control processes at energy and water facilities. The fact that the group is described as “critical infrastructure” specific is not incidental — disruption at this level has the potential to cascade into broader economic and public-safety impact.
A recurring theme in the discussion is basic security hygiene failure as a root enabler: default credentials on perimeter appliances and OT equipment remain a widespread, preventable weakness. Combined with insufficient monitoring, this creates an environment where a patient, disciplined actor like Volt Typhoon can operate almost invisibly for years.
TTP Summary and MITRE ATT&CK Mapping
| Phase | Technique (Representative) | MITRE ATT&CK Category |
|---|---|---|
| Reconnaissance | OSINT on staff, network topology, security controls | Reconnaissance |
| Initial Access | Exploitation of public-facing edge appliances (Ivanti, FortiGate) | Exploit Public-Facing Application |
| Initial Access | Use of Shodan to identify vulnerable internet-exposed devices | Active Scanning |
| Credential Access | Credentials stored insecurely on compromised appliances | Unsecured Credentials |
| Privilege Escalation | Exploitation of OS/network service privilege escalation flaws | Exploitation for Privilege Escalation |
| Discovery | Internal network scanning, RDP/domain controller enumeration | Network Service Discovery, Remote System Discovery |
| Credential Access | NTDS.DIT extraction via VSS / ntdsutil / PowerSploit / VM snapshot | OS Credential Dumping: NTDS |
| Credential Access | Hash extraction via Mimikatz-style tooling | OS Credential Dumping |
| Lateral Movement | Pass-the-hash using extracted credentials | Use Alternate Authentication Material |
| Defense Evasion | Living-off-the-land binaries (native OS commands) | System Binary Proxy Execution |
| Defense Evasion | OPSEC-aware timing of credential use (avoiding off-hours anomalies) | Impair Defenses (behavioral) |
| Collection/Impact (potential) | Access to OT/ICS assets via default vendor credentials | Valid Accounts (OT-specific) |
| Collection (potential) | Access to physical surveillance camera systems | Collection |
Mitigation and Defensive Recommendations
| Recommendation | Rationale |
|---|---|
| Eliminate default credentials on all network and OT vendor equipment | Default credentials were a recurring enabler across multiple stages of the intrusion |
| Patch internet-facing edge appliances (VPNs, firewalls) promptly | Edge devices are the primary initial-access vector; zero-days remain a residual risk |
| Never store domain admin or other high-privilege credentials on edge appliances | Directly enabled privilege escalation in at least one documented case |
| Enable and monitor PowerShell logging (module logging, script block logging) | LOLBin/PowerShell activity is otherwise invisible to defenders |
Monitor and alert on ntdsutil, vssadmin, and unexpected VSS/snapshot activity | These built-in tools are abused precisely because they are rarely monitored |
| Restrict and audit VM snapshot access for domain controllers | Snapshots can serve as an unintended offline copy of the AD database |
| Segment IT and OT networks; enforce unique credentials for OT systems | Prevents IT-side credential theft from translating into OT access |
| Increase monitoring maturity for edge device and appliance logs | Appliances typically lack built-in intrusion detection |
| Conduct proactive threat hunting for living-off-the-land activity | Signature-based/malware-focused detection will not catch this actor |
| Review and restrict remote access protocols (RDP) between network segments | Used extensively for lateral movement toward domain controllers |
Summary
Volt Typhoon represents a meaningful evolution in nation-state cyber threat activity against critical infrastructure: rather than smash-and-grab espionage, the group demonstrates extraordinary patience, disciplined operational security, and a clear focus on reaching operational technology and industrial control systems rather than simply exfiltrating data. Its toolkit is deliberately unremarkable — reconnaissance via open-source intelligence and Shodan, exploitation of known vulnerabilities in edge appliances like Ivanti and FortiGate VPNs, and near-total reliance on living-off-the-land techniques such as ntdsutil, vssadmin, native PowerShell, and VM snapshot abuse to extract the Active Directory database and its credential hashes. The ultimate objective observed across confirmed compromises was positioning for potential future disruption of energy, water, and other critical infrastructure sectors — not conventional data theft.
Defensive Checklist:
- Eliminate all default credentials on network appliances and OT/ICS vendor equipment.
- Patch and monitor all internet-facing VPN, firewall, and edge appliances; assume some flaws will be zero-days.
- Prohibit storage of domain admin or other privileged credentials on edge devices.
- Enable PowerShell module and script block logging across the environment.
- Alert on anomalous use of
ntdsutil,vssadmin, and unexpected shadow copy/snapshot creation. - Restrict and audit access to domain controller VM snapshots.
- Enforce IT/OT network segmentation with unique, non-reused credentials on each side.
- Increase edge appliance and OT vendor equipment log monitoring maturity.
- Proactively threat-hunt for living-off-the-land activity rather than relying solely on malware signatures.
- Review and tightly control RDP and other lateral-movement-enabling remote access protocols.
- Treat OT/ICS credential hygiene as a first-class security priority, not an afterthought.
Search Terms
security · hot · takes · critical · infrastructure · advisory · threat · intel · networking · systems · method · edge · operational · typhoon · volt