It wasn’t a flashing red alert. It was silence, the kind of silence that hides the most insidious threats. There was no ransom note demanding Bitcoin, and no antivirus product flagged anything malicious.
For months, possibly years, Volt Typhoon has moved through critical infrastructure networks, including power generation and distribution, unseen and unchallenged. Unlike ransomware gangs that rely on malware for rapid and often chaotic disruption, Volt Typhoon takes a stealth-first approach. Instead of encrypting files or demanding ransoms, they embed themselves within networks and wait for the right moment to act.
A Different Kind of Attack
Volt Typhoon is an advanced persistent threat (APT) group, assessed by CISA, the NSA and the FBI to be sponsored by the People’s Republic of China, that specializes in stealth and long-term infiltration. Their objective isn’t immediate destruction or financial gain; it’s deep, sustained access to critical infrastructure.
Rather than deploying malware that security tools can detect, they “live off the land”: they blend in using stolen credentials and weaknesses in IT infrastructure to maintain persistence, and they move like insiders, driving built-in tools such as PowerShell, WMI, RDP and SSH to navigate networks without raising alarms.
Security teams relying on endpoint protection and antivirus never saw them coming. Because Volt Typhoon’s activity mirrors routine administrative behavior, it slips past antivirus, EDR and SIEM rules that were written to catch malware.
The sections below walk through those techniques and why they make traditional detection methods ineffective.
How Volt Typhoon Stays Hidden
Volt Typhoon typically gains initial access by exploiting known vulnerabilities (CVEs) in overlooked, internet-facing network appliances: outdated firewalls, misconfigured VPN gateways and unpatched routers. These devices rarely run endpoint agents, so the intrusion establishes a presence without deploying malware or triggering security alerts. Once inside, they move with patience.
First, they harvest authentication credentials and session tokens, in some intrusions by copying the Active Directory database for offline password cracking. This allows them to impersonate privileged accounts, turning identity-based security controls against the defender. Once they blend in as admins, most security tools have no way to tell their activity from legitimate administration.
If one access point is lost, they pivot seamlessly—switching to another stolen credential, hijacking an active session, or leveraging a different compromised device. Their persistence strategy ensures they always have a way back in.
Here’s a breakdown of their tactics:
The Strategy Behind Their Persistence
Volt Typhoon isn’t a smash-and-grab operation. Their objective is to establish deep, long-term access. Joint advisories from CISA, the NSA and the FBI confirm that their presence within U.S. infrastructure isn’t about immediate data theft or ransomware. Instead, they pre-position themselves and wait. U.S. government officials assess that these are strategic campaigns intended to hamper or delay military mobilization following a Chinese invasion of Taiwan.
The ability to remain undetected stems from their methodical approach:
- Abusing SOHO routers: Volt Typhoon relays its operator and command-and-control traffic through compromised small office/home office (SOHO) routers, so activity reaching the victim arrives from residential IP addresses in the victim’s own region and looks like ordinary remote business use.
- Evading enterprise security tools: IP-reputation, geolocation and threat-intelligence rules are tuned for known-bad infrastructure and foreign origins, not for traffic relayed through domestic home routers or personal devices. This blind spot lets Volt Typhoon operate unnoticed.
- Exploiting network appliances: firewalls, VPN concentrators and security appliances serve as entry points and as footholds, since they sit at the perimeter and seldom support endpoint detection.
Understanding these tactics matters when designing a defense strategy that doesn’t rely solely on perimeter security. The timeline of Volt Typhoon’s multi-year campaign gives an idea of the persistence behind their intrusions.
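The router-proxying tactic above defeats rules that key on bad reputation or foreign origin, but it leaves a different signal: a privileged account suddenly logging in from a residential network it has never used before. The script below is an added example written for this article, not Keystrike’s product logic, showing how to baseline per-account logon sources from a VPN/RDP gateway and alert on privileged logons that are both first-seen and outside trusted corporate space. The logon records, the network-classification table (RFC 5737 documentation ranges and RFC 6598 shared address space standing in for real corporate and ISP blocks) and the set of privileged accounts are all constructed assumptions; in practice the classification comes from an ASN or IP-intelligence feed.

```python
"""Illustrative baselining of remote-access logon sources for privileged accounts.
Added example for this article; it is not Keystrike's product logic. Records and
the network-classification table are constructed (RFC 5737 documentation ranges
and RFC 6598 shared address space stand in for real corporate and ISP space)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed: in practice this comes from an ASN / IP-intelligence feed.
# "residential" covers consumer ISP space, which is where compromised SOHO
# routers live; traffic relayed through them carries a domestic residential
# source address rather than a known-bad or foreign one.
NETWORK_CLASS = {
    ipaddress.ip_network("198.51.100.0/24"): "corporate_office",
    ipaddress.ip_network("203.0.113.0/24"): "cloud_hosting",
    ipaddress.ip_network("192.0.2.0/24"): "residential",
    ipaddress.ip_network("100.64.0.0/10"): "residential",
}
TRUSTED_CLASSES = {"corporate_office"}
PRIVILEGED = {"admin-jsmith", "svc_backup"}  # assumed list of privileged accounts


def classify(ip):
    addr = ipaddress.ip_address(ip)
    for net, label in NETWORK_CLASS.items():
        if addr in net:
            return label
    return "unknown"


def source_net(ip):
    # Aggregate to /24 so a home user's DHCP churn within one ISP block
    # does not show up as a brand-new source every day.
    return ipaddress.ip_network(ip + "/24", strict=False)


def build_baseline(records, until):
    """Per-account set of /24 source networks seen before `until`."""
    baseline = defaultdict(set)
    for r in records:
        if r["ts"] < until:
            baseline[r["user"]].add(source_net(r["src_ip"]))
    return baseline


def detect(records, baseline, since):
    """Alert on privileged logons after `since` from a source the account has
    never used AND that is not trusted corporate space (or is off-hours).
    A first-seen source alone would page on every admin working from a new
    hotel; residential alone would page on every admin working from home."""
    alerts = []
    for r in records:
        if r["ts"] < since or r["user"] not in PRIVILEGED:
            continue
        reasons = []
        if source_net(r["src_ip"]) not in baseline.get(r["user"], set()):
            reasons.append("first_seen_source")
        cls = classify(r["src_ip"])
        if cls not in TRUSTED_CLASSES:
            reasons.append("source_class=" + cls)
        if r["ts"].hour < 6 or r["ts"].hour >= 22:
            reasons.append("off_hours")
        if "first_seen_source" in reasons and len(reasons) >= 2:
            alerts.append({"user": r["user"], "src_ip": r["src_ip"],
                           "ts": r["ts"].isoformat(), "reasons": reasons})
    return alerts


def rec(ts, user, ip):
    return {"ts": datetime.fromisoformat(ts), "user": user, "src_ip": ip}


# Constructed gateway logon records: one week of baseline, then two days to evaluate.
RECORDS = [
    rec("2025-01-02T08:55:00", "admin-jsmith", "198.51.100.20"),   # office
    rec("2025-01-03T09:02:00", "admin-jsmith", "198.51.100.21"),   # office
    rec("2025-01-04T19:30:00", "admin-jsmith", "192.0.2.45"),      # home broadband
    rec("2025-01-02T01:00:00", "svc_backup", "198.51.100.5"),      # nightly job host
    rec("2025-01-06T01:00:00", "svc_backup", "198.51.100.5"),
    rec("2025-01-03T10:15:00", "jdoe", "100.64.9.1"),
    # detection window
    rec("2025-01-08T09:00:00", "admin-jsmith", "198.51.100.22"),   # office, same /24
    rec("2025-01-08T20:05:00", "admin-jsmith", "192.0.2.45"),      # known home address
    rec("2025-01-09T02:14:00", "admin-jsmith", "100.64.5.9"),      # new residential /24, 2 am
    rec("2025-01-08T11:00:00", "svc_backup", "203.0.113.77"),      # service account from hosting space
    rec("2025-01-09T14:00:00", "jdoe", "100.64.9.1"),              # unprivileged, ignored
]
CUTOFF = datetime(2025, 1, 8)


def run():
    return detect(RECORDS, build_baseline(RECORDS, CUTOFF), CUTOFF)


if __name__ == "__main__":
    for a in run():
        print(a)
```

Run as written it raises two alerts: the admin account appearing at 2 a.m. from a residential block it has never used, and the backup service account logging in from hosting space it has never used. The admin’s known home address and the office logons stay quiet, which is the point: the baseline absorbs legitimate remote work so that the residential-origin signal only fires when it is also new for that account.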
The Challenge for Security Teams
Traditional security models focus on stopping malware, blocking known attack vectors and detecting anomalies, but Volt Typhoon’s tactics expose a critical weakness: signature-based detection has nothing to match when the adversary uses only legitimate IT tools, and anomaly detection tuned to malware-like behavior rarely fires on what looks like an administrator doing administration.
To counter these threats, security teams need a proactive approach built on detection mechanisms that go beyond malware signatures: visibility into how built-in tools are actually invoked, baselines of where and when privileged accounts log in, and checks that a privileged session is being driven by the person it claims to be.
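One concrete form of “beyond signatures” is to inspect how the built-in tools named earlier are invoked. The script below is an added example written for this article, not Keystrike code and not a reproduction of any Volt Typhoon tooling. It runs a handful of argument-pattern rules over process-creation events and flags commands launched through a remote management channel. The event records are constructed (their field names loosely follow Windows Security event 4688 and Sysmon event 1); the rule set is illustrative and reflects the kind of built-in-tool usage the CISA/NSA/FBI joint advisories on Volt Typhoon describe, not a complete detection.

```python
"""Illustrative living-off-the-land (LOTL) detection over Windows process-creation
events. This is an added example for this article, not Keystrike code and not a
reproduction of any Volt Typhoon tooling. The SAMPLE_EVENTS below are constructed;
their field names loosely follow Security event 4688 / Sysmon event 1."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    command_line: str


# (rule name, pattern matched against the lowercased command line).
# Every binary here is a legitimate Windows tool, so a signature engine has
# nothing to match; what is suspicious is the argument pattern and context.
# The patterns reflect built-in-tool usage described in the CISA/NSA/FBI
# joint advisories on Volt Typhoon (AD database export, shadow copies for
# credential material, netsh port proxies for pivoting, WMI and encoded
# PowerShell for remote execution). Illustrative, not exhaustive.
RULES = [
    ("ad_database_export",
     re.compile(r"\bntdsutil(\.exe)?\b.*(\bifm\b|ac i ntds|activate instance ntds)")),
    ("shadow_copy_creation",
     re.compile(r"(\bvssadmin(\.exe)?\b.*create shadow)|(\bwmic(\.exe)?\b.*shadowcopy.*\bcreate\b)")),
    ("portproxy_pivot",
     re.compile(r"\bnetsh(\.exe)?\b.*interface\s+portproxy\s+add")),
    ("wmi_remote_exec",
     re.compile(r"\bwmic(\.exe)?\b.*(/node:|process\s+call\s+create)")),
    ("encoded_powershell",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b")),
]

# Parent processes that mean the command was launched over a remote admin
# channel (WMI, WinRM, PsExec) rather than by a user at the console.
REMOTE_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe", "psexesvc.exe"}


def evaluate(events):
    """Return one Finding per (event, matching rule)."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "").lower()
        parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        for name, pattern in RULES:
            if pattern.search(cmd):
                rule = name + ("+remote_parent" if parent in REMOTE_PARENTS else "")
                findings.append(Finding(ev["Computer"], ev["User"], rule, ev["CommandLine"]))
    return findings


def score_hosts(findings):
    """Hosts where several distinct LOTL behaviours cluster deserve a human first:
    one match may be an admin, two or more families on one host looks like a chain."""
    families = {}
    for f in findings:
        families.setdefault(f.host, set()).add(f.rule.split("+")[0])
    return {host: ("high" if len(fam) >= 2 else "medium") for host, fam in families.items()}


# Constructed events: two benign, four matching the rules above.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\System32\\notepad.exe\" C:\\Users\\jdoe\\notes.txt"},
    {"Computer": "WS01", "User": "CORP\\admin-jsmith", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\cleanup.ps1"},
    {"Computer": "DC01", "User": "CORP\\svc_backup", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c ntdsutil \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\pro\" q q"},
    {"Computer": "DC01", "User": "CORP\\svc_backup", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=8443 connectaddress=10.0.0.5"},
    {"Computer": "WS01", "User": "CORP\\admin-jsmith", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "wmic /node:\"10.0.0.5\" process call create \"cmd /c whoami\""},
    {"Computer": "WS02", "User": "CORP\\admin-jsmith", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc JABhAD0AMQA="},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:5} {f.user:20} {f.rule:35} {f.command_line}")
    print(score_hosts(found))
```

Note what the benign PowerShell script invocation and the notepad launch do not trigger: the rules key on argument shape, not on the binary. The domain controller ends up scored “high” because two different behaviours (an AD database export launched via WMI, then a port proxy) cluster on one host, which is the chain-of-activity view that a single signature can never give you. Every rule here needs command-line logging enabled (4688 with command-line auditing, or Sysmon) to have anything to read.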
Adapting to a Stealthier Threat
Defending against Volt Typhoon requires security measures beyond malware detection and perimeter defenses. Their ability to blend in with legitimate activity makes them nearly invisible to most security tools, which is why organizations need proactive, real-time detection strategies that go beyond static rules and signatures.
Why Traditional Security Falls Short
Many existing security solutions struggle to detect Volt Typhoon because they focus on known threats, static indicators and malware signatures. Even advanced anomaly detection often fails because Volt Typhoon moves like an insider, using stolen credentials. Perimeter defenses? Volt Typhoon uses them as entry points instead of barriers.
Closing the Gaps with Intent-Based Security
To truly combat threats like Volt Typhoon, organizations need to assume adversaries are already inside and focus on real-time behavioral monitoring and adaptive security controls. This is where Keystrike changes the game.
Keystrike’s approach to intent-based security detects stealthy threats operating within trusted environments—even those that bypass SIEMs, evade endpoint detection, and abuse legitimate IT tools. Instead of relying on outdated security models that miss identity-based threats, Keystrike continuously analyzes session integrity, access patterns, and privilege escalations to identify adversaries hiding in plain sight.
What’s Next?
Volt Typhoon is just one piece of a larger puzzle. Related groups such as Salt Typhoon specialize in deep-cover espionage, ensuring persistent access, while Flax Typhoon takes a different approach, rapidly compromising as many networks as possible through credential theft. Their goal isn’t patience; it’s scale, overwhelming defenders through sheer volume.
No matter the method, these attackers exploit identity-based weaknesses and evade traditional security tools and methods. Perimeter defenses and signature-based detection can’t stop them, but analyzing session integrity, privilege escalations, and access behaviors can.
Despite our best efforts, some threats are already inside. With real-time detection and adaptive security controls, organizations don’t just react; they stop attacks before damage is done.
To learn more about how Keystrike helps organizations detect and stop stealthy adversaries, join the Keystrike webinar, "APT Group Attack Method Commonalities Against Critical Infrastructure", on May 22, 2025 and see it in action.