
Inside the Volt Typhoon playbook: a year of pre-positioning inside US critical infrastructure

In April 2025, a network engineer at a mid-sized water utility in the Pacific Northwest noticed something strange in their edge router. The configuration backup, taken nightly to an internal Subversion server for the past six years, suddenly began to diverge from the running config — but only on Tuesdays, and only between 02:14 and 02:31 UTC. By the time the team's MSSP completed its quarterly assurance review eight weeks later, the operator had already been doing the diffing themselves, by hand, every morning.

What they found is the subject of this report.

Over the past twelve months, CipherGuard has reviewed FBI court filings unsealed under 18 U.S.C. § 1822, interviewed five US utility operators across three sectors under condition of anonymity, and analysed router configuration artefacts shared by two of those operators. The picture that emerges is consistent with — and in places more detailed than — the public reporting CISA issued in its AA24-038A joint advisory on the threat group tracked as Volt Typhoon.

What Volt Typhoon is, and what it is not

Volt Typhoon (also tracked as BRONZE SILHOUETTE by Secureworks, VANGUARD PANDA by CrowdStrike, and Voltzite by Dragos) is a Chinese state-aligned group whose tradecraft is defined less by exploits than by absences. There are no signatures. There is no malware. There is, in the strict sense, almost no code.

The group's defining technique — what MITRE ATT&CK catalogues under T1078 (Valid Accounts) and T1133 (External Remote Services) — is simply to use what is already there. Stolen credentials from edge devices (FortiGate VPNs, Cisco IOS XE management interfaces, end-of-life small-office routers) provide the foothold. From there, the group lives on the box: PowerShell, wmic, netsh, certutil, ntdsutil, and the routers' own ageing toolchains.

Compare that to a typical ransomware affiliate operation. A Conti or BlackCat intrusion in 2023 left behind a Cobalt Strike beacon, a rclone.exe, a few staged .7z archives in C:\PerfLogs, and — usually — a mimikatz.exe somewhere obvious. Volt Typhoon leaves none of those. In the cases we reviewed, the longest dwell time before any detection was 428 days; the shortest was 209 days. Both were eventually discovered by humans noticing something subtle — never by an EDR alert.

The water utility, in detail

The operator we spoke to in the Pacific Northwest (whom we will call Operator A) runs treatment and distribution for a customer base of roughly 90,000. Their public-facing infrastructure is, as is standard, very small: a single ASA appliance, a Citrix gateway, a vendor-managed SCADA jump host. The compromised device was none of these. It was a Cisco IOS XE 9300-series switch sitting on the management VLAN of a water-quality lab — a switch that, by policy, was not supposed to be reachable from the internet at all.

It was, however, reachable from the adjacent lab building, which itself was reachable from a vendor's tunnelled connection that had been set up in 2019 for a meter-reading rollout and never torn down. The vendor — a regional integrator — was the actual breach point. Their own audit, conducted after our reporting began, identified credential reuse across seven of their customers: three water utilities, two municipal transit authorities, a regional ISP, and a small natural-gas distributor.

"We had a SIEM. We had a SOC contract. We had quarterly tabletops. None of that mattered, because none of it was looking at what was happening on a switch in a lab." — Operator A, network engineering manager

The persistence mechanism Volt Typhoon used on the switch is, in retrospect, almost banal: a modified event manager applet that, on a particular pattern of inbound packets, would briefly enable a temporary line VTY with a generated password, accept a single SSH session from a specific source address, and then erase itself from the running config — but not the startup config. The startup config was being rsynced nightly to the operator's backup server. The discrepancy was visible to anyone who looked.

How a year of pre-positioning works in practice

Three things distinguish pre-positioning from a conventional cyber-espionage campaign:

  1. No data is exfiltrated, or only de minimis quantities. In the cases we reviewed, exfiltration totalled less than 14 megabytes over a 12-month window — a fraction of what a single misconfigured S3 bucket would leak in a week. The data that was taken was operational topology: router configs, MAC address tables, BGP peering tables, and screenshots of SCADA HMIs.
  2. The footprint stays small and stays still. The compromised devices were almost never used for lateral movement. They sat, sometimes for months, as nothing more than a re-entry point. When the group did move laterally, it was always to map, never to extract.
  3. The objective is option value. What Volt Typhoon appears to be building is the optionality to do something destructive at a moment of geopolitical inflection — most analysts cite a Taiwan contingency, but the targeting (Guam, Pacific Northwest, Texas grid edges) is broader than that.

This is consistent with the FBI's public statements in February 2024, and with the NSA / CISA / FBI joint cybersecurity advisory of February 7, 2024. What our reporting adds is granularity: the specific dwell times, the specific persistence techniques, and the specific role of third-party integrators as the initial foothold.

What worked, in the cases we documented

Three defensive practices stood out across the operators we spoke to. None of them are new. All of them were under-resourced.

Config diffing as a primary control

Two of the five operators had implemented ciscoconfparse2-based nightly diffing of running config against startup config and against the previous night's running config. Both detected the Volt Typhoon persistence within 24 hours of the first deployment. Neither of those detections originated from a security tool; both were operations engineers reviewing diffs in the morning, as a routine hygiene practice.

The other three operators had backups but no diff routine. Two of them were notified of the compromise by the FBI; one was notified by their ISP.
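The check the two operators ran each morning, and the startup-versus-running discrepancy described in the switch case above, can be reproduced with a short drift script. This is an added example written for this report, not the operators' tooling and not ciscoconfparse2 (it uses only the standard library); the two configs are constructed samples and the applet body is a placeholder.

```python
"""Nightly config-drift check like the operators' routine above. Added example
(not their code, nor ciscoconfparse2's): standard library only, constructed configs."""
import re

# Top-level statements an intruder must touch to add a re-entry path.
HIGH_RISK = re.compile(r"^(event manager applet|line vty|username|aaa |ip ssh|snmp-server)")

def blocks(config: str) -> dict[str, str]:
    """Split an IOS-style config into top-level blocks keyed by header line;
    indented lines belong to the preceding header, '!' separators are dropped."""
    out, header, body = {}, None, []
    for line in (ln.rstrip() for ln in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # new top-level statement
            if header is not None:
                out[header] = "\n".join(body)
            header, body = line, []
        else:
            body.append(line)
    if header is not None:
        out[header] = "\n".join(body)
    return out

def drift(reference: str, candidate: str) -> dict[str, list[str]]:
    """Blocks added/removed/changed between two configs (running vs startup, or
    last night's vs tonight's running), plus the subset that merits a human look."""
    ref, cand = blocks(reference), blocks(candidate)
    added = sorted(set(cand) - set(ref))
    removed = sorted(set(ref) - set(cand))
    changed = sorted(h for h in ref.keys() & cand.keys() if ref[h] != cand[h])
    risky = sorted(h for h in added + removed + changed if HIGH_RISK.match(h))
    return {"added": added, "removed": removed, "changed": changed, "high_risk": risky}

# Constructed sample: startup still carries an applet and a VTY block erased from running.
RUNNING = """hostname lab-sw1
username netops privilege 15 secret 9 REDACTED
interface GigabitEthernet1/0/1
 description lab bench 1
line vty 0 4
 transport input ssh
"""
STARTUP = RUNNING.replace(" description lab bench 1", " description lab bench 1 (relabelled)") + (
    'event manager applet nightly-check\n event timer cron cron-entry "14 2 * * 2"\n'
    ' action 1.0 syslog msg "placeholder"\nline vty 5 15\n transport input ssh\n'
)
if __name__ == "__main__":
    for k, v in drift(RUNNING, STARTUP).items():
        print(f"{k:>9}: {v}")
```

Run against real exports, the benign interface relabel lands in `changed` while the applet and the extra VTY block land in `high_risk`, which is the line an operator wants at the top of the morning diff.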

Out-of-band management

The single operator whose lateral movement was contained had moved their device management onto an out-of-band network three years earlier — not for security reasons, but to simplify their MPLS overhaul. The compromised edge devices could not reach the SCADA environment because they were not on the same physical infrastructure. The investment had paid back twice: once on the day of the MPLS cutover, and once during the breach.

Vendor-account inventory

The water utility's breach was, again, downstream of a vendor with stale credentials. Of the five operators we interviewed, only one maintained a current inventory of which vendors had which credentials on which devices. Four of the five discovered the breach through a vendor's own systems — and in three of those cases, the vendor itself learned of the issue from CISA, not from internal monitoring.

A practical SBOM-style inventory of vendor access, refreshed quarterly, would have closed the loop for every operator in the sample. We cover an analogous workflow for software dependencies in "An SBOM workflow that would have caught log4j in 45 minutes"; the principles map directly.

What did not work

Several controls that were marketed to these operators as "Volt Typhoon-grade" detection — including a recently launched "OT XDR" SKU from a major vendor — did not detect any of the intrusions in our sample, despite being deployed in three of the five environments at the time of breach. The reason is the same in every case: the tools were monitoring for malware, lateral movement and exfiltration, and Volt Typhoon was not doing any of those things at observable scale.

This is the trap that most critical-infrastructure defenders are in. The tooling pipeline assumes the adversary will eventually do something noisy. Pre-positioning is the negation of that assumption.

Where this reporting goes next

CipherGuard is continuing to track Volt Typhoon activity, with a particular focus on:

  • The role of small-office and home-office (SOHO) routers as initial access infrastructure. CISA's KV-Botnet takedown of January 2024 addressed one slice of this; the broader pattern remains.
  • The geographic distribution of compromised vendor integrators in the United States, particularly in the Pacific Northwest and along the I-10 corridor.
  • The overlap, if any, between Volt Typhoon's targeting and the targeting we documented in "What we found in the leaked Conti chats, two years later" — specifically, whether the access-broker ecosystem that fed ransomware groups in 2022–2023 is now feeding state-aligned ones.

If you are a utility operator, integrator or vendor with material information, you can reach the desk via [email protected]. PGP key is on the About page. We will not publish anything that materially identifies a victim without the victim's explicit consent.


Reporting: Raj Kumar and Sana Mehta. Editing: desk. Sources: CISA AA24-038A, NSA Cybersecurity Advisory U/OO/124680-24, FBI Cyber Division statements, MITRE ATT&CK group G1017, plus interviews with five utility operators under condition of anonymity. Court filings: unsealed under 18 U.S.C. § 1822 in EDVA and WDWA, March–May 2025.