The Silent Dragon: Volt Typhoon

← Home·Gallery·Techniques

Threat Intelligence Tarot

Major Arcana · 7

China (PLA-linked)

G1017

★★★★★

risk 5/5

✦ The Silent Dragon ✦

Volt Typhoon

BRONZE SILHOUETTE · Vanguard Panda · DEV-0391

CommunicationsEnergyWaterTransportationUS critical infrastructure

Active since ~2021 · Pre-positioning for conflict, Critical infrastructure disruption, Espionage

It does not come to steal your secrets. It comes to be ready. Volt Typhoon burrows into power grids and water systems not to disrupt them now, but to hold the trigger for the moment it is needed.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1078

Valid Accounts

Defense Evasion

T1133

External Remote Services

Initial Access

T1090.002

External Proxy

Command and Control

T1036

Masquerading

Defense Evasion

T1087

Account Discovery

Discovery

T1134

Access Token Manipulation

Privilege Escalation

Notable Operations

◆US critical infrastructure pre-positioning (2021-present)
◆Guam military communications targeting
◆Five Eyes joint advisory (2023)
◆SOHO router botnet for traffic proxying

Defenses

▸
Behavioral baselining for LOLBin and admin tool usage
NIST CSF: DE.AE ↗
▸
SOHO router firmware patching and replacement lifecycle
CIS Control 7 ↗
▸
Network flow analysis for unusual outbound connections
CIS Control 13 ↗
▸
Critical infrastructure asset inventory and exposure reduction
NIST CSF: ID.AM ↗

Reversed: Their Weakness

Living off the land means your presence is only as hidden as the baseline you're mimicking. In environments with strong behavioral baselines, Volt Typhoon's use of native tools becomes the anomaly.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Ten Thousand Next →The Specter

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.