{
	"id": "a047c8a4-8435-449a-9aa9-23a55ef8bf27",
	"created_at": "2026-04-06T00:14:04.702609Z",
	"updated_at": "2026-04-10T13:12:24.342025Z",
	"deleted_at": null,
	"sha1_hash": "154c5c2d5f3546867e5672bf25ffd780c1e59b66",
	"title": "Mandiant Intelligence Chief Raises Alarm Over China’s ‘Volt Typhoon’ Hackers in US Critical Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 260001,
	"plain_text": "Mandiant Intelligence Chief Raises Alarm Over China’s ‘Volt\r\nTyphoon’ Hackers in US Critical Infrastructure\r\nBy Ryan Naraine\r\nPublished: 2023-10-25 · Archived: 2026-04-05 16:35:56 UTC\r\nATLANTA – SECURITYWEEK 2023 ICS CYBERSECURITY CONFERENCE – Chief analyst at\r\nMandiant Intelligence John Hultquist says defenders in the critical infrastructure trenches should urgently\r\nwork on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught\r\nin a series of eyebrow-raising attacks against targets in Guam and the United States.\r\nSpeaking at a keynote fireside chat at SecurityWeek’s 2023 ICS Cybersecurity Conference in Atlanta on Tuesday,\r\nHultquist said the Volt Typhoon campaign included “very deliberate targeting of critical infrastructure”\r\ninstallations and represents a major shift by Chinese hacking teams known mostly for economic espionage and IP\r\ntheft.\r\n“This Volt Typhoon activity is a brand-new thing for them. We have not seen a lot of deliberate targeting in the\r\ncritical infrastructure space from China,” Hultquist said. “Occasionally, we’ll catch them probing into power, but\r\nthis is a deliberate, long-term attempt to infiltrate a lot of critical infrastructure in a way that stays below the\r\nradar.”\r\nThe Volt Typhoon campaign was first flagged by Microsoft with deliberate targeting of critical infrastructure in\r\nGuam, a discovery that raised eyebrows because the tiny island is considered an important part of a future\r\nChina/Taiwan military conflict.\r\n“They were found in Guam but they were also discovered all over the continental United States, including in\r\ntelecommunications and logistics. Microsoft indicated that they’ve also been found in power and water sectors,”\r\nHultquist noted.\r\n“The NSA indicated that their theory behind this is that they are digging in for the possibility of creating a\r\ndisruptive event in the event of a wartime scenario. 
While I don’t have the intelligence to confirm that, the\r\ndeliberate targeting of critical infrastructure makes it a priority for us. This is especially concerning given how\r\nhard they’re working on their operational security, using botnets and zero-days to stay below the radar,” Hultquist\r\nadded.\r\nVolt Typhoon has been publicly documented as “stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery.”\r\n“Microsoft assesses with moderate confidence that this [Chinese cyberespionage] campaign is pursuing\r\ndevelopment of capabilities that could disrupt critical communications infrastructure between the United States\r\nand Asia region during future crises,” the software giant said in a note documenting the APT discovery.\r\nThe group, active since mid-2021, has compromised a wide variety of organizations spanning communications,\r\nmanufacturing, utility, transportation, construction, maritime, government, information technology, and the\r\neducation sectors. \r\nHultquist urged defenders to prioritize patching and mitigations for internet-facing edge devices and network\r\nrouters that provide a major entry point for high-end attackers. \r\nIn the case of Volt Typhoon, he noted that the attackers are leveraging botnets for command and control with\r\nminimal use of malware, making it really hard to hunt them.\r\n“You should really be keeping your eye on two things right now. One is the Volt Typhoon situation; it’s all over\r\nthe United States. They are clearly dug in, and we’re going to have to root them out.  
The second one is the current\r\nsituation in the Middle East. The United States is heavily involved, and because of that, the likelihood of some\r\nsort of response, possibly from Iran, is legitimate. We have to keep that in mind as well. You’re starting to see\r\nsome telemetry; they are at play without a doubt.”\r\nSessions from SecurityWeek’s ICS Cybersecurity Conference can be watched in both live stream and on demand\r\nthis week.\r\nRelated: AWS Using MadPot Decoy System to Disrupt APTs, Botnets\r\nRelated: Microsoft Says Chinese .Gov Hackers Targeting US Critical Infrastructure\r\nRelated: Fortinet Warns of Possible Zero-Day Exploited in Limited Attacks\r\nSource: https://www.securityweek.com/mandiant-intelligence-chief-raises-alarm-over-chinas-volt-typhoon-hackers-in-us-critical-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securityweek.com/mandiant-intelligence-chief-raises-alarm-over-chinas-volt-typhoon-hackers-in-us-critical-infrastructure/"
	],
	"report_names": [
		"mandiant-intelligence-chief-raises-alarm-over-chinas-volt-typhoon-hackers-in-us-critical-infrastructure"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434444,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/154c5c2d5f3546867e5672bf25ffd780c1e59b66.pdf",
		"text": "https://archive.orkl.eu/154c5c2d5f3546867e5672bf25ffd780c1e59b66.txt",
		"img": "https://archive.orkl.eu/154c5c2d5f3546867e5672bf25ffd780c1e59b66.jpg"
	}
}