{
	"id": "df652cd4-2b09-4c9a-bb4e-40834d51f0cf",
	"created_at": "2026-04-06T00:13:00.918923Z",
	"updated_at": "2026-04-10T13:13:03.897765Z",
	"deleted_at": null,
	"sha1_hash": "3d2de7c0be5e61ff8ac480167c5c65e5457c6b22",
	"title": "China's Volt Typhoon APT Burrows Deeper Into US Critical Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1635103,
	"plain_text": "China's Volt Typhoon APT Burrows Deeper Into US Critical\r\nInfrastructure\r\nBy Nate Nelson\r\nPublished: 2023-07-31 · Archived: 2026-04-05 22:47:40 UTC\r\nThe US military was reckoning with two major cyber concerns over the weekend — one the widespread and still\r\nunresolved Chinese campaign known as Volt Typhoon targeting military bases, and the other an insider breach\r\naffecting Air Force and FBI communications.\r\nBiden administration officials have confirmed that Volt Typhoon's malware is much more endemic than previously\r\nthought; responders have found it planted inside numerous networks controlling the communications, power, and\r\nwater feeding US military bases at home and abroad, according to The New York Times.\r\nAlso concerning, those same networks touch run-of-the-mill businesses and individuals as well — and\r\ninvestigators are having a hard time assessing the full footprint of the infestation.\r\nhttps://www.darkreading.com/vulnerabilities-threats/china-s-volt-typhoon-apt-burrows-us-critical-infrastructure\r\nPage 1 of 4\n\nMeanwhile, a search warrant obtained by Forbes revealed that the Pentagon is dealing with a wholly separate\r\ncyber intrusion — in this case, a communications compromise affecting 17 Air Force facilities, and possibly the\r\nFBI as well, courtesy of an Air Force engineer.\r\nChinese Malware a 'Ticking Time Bomb' Inside Critical US Networks\r\nThe Chinese state-aligned advanced persistent threat (APT) behind Volt Typhoon, aka \"Vanguard Panda,\" came to\r\nattention after Microsoft observed Chinese cyber activity in Guam, the site of a US military base strategically\r\nsignificant to the defense of Taiwan against Chinese aggression. 
Microsoft posited at the time \"that this Volt\r\nTyphoon campaign is pursuing development of capabilities that could disrupt critical communications\r\ninfrastructure between the United States and Asia region during future crises.\"\r\nThat case, disclosed in May, has turned out to be just one small part of a much broader campaign, and\r\npre-positioning to carry out destruction now seems increasingly likely as the motivation; sources told the\r\nTimes that the attackers are in a position to handicap military response and supply chains for materiel should a\r\nkinetic conflict kick off.\r\n\"More than a dozen US officials and industry experts said in interviews over the past two months that the Chinese\r\neffort goes far beyond telecommunications systems and predated the May report by at least a year,\" the New York\r\nTimes reported July 29, with one congressman pithily labeling the campaign \"a ticking time bomb.\"\r\nFurther, the Times reported that \"There is a debate inside the administration over whether the goal of the operation\r\nis primarily aimed at disrupting the military, or at civilian life more broadly in the event of a conflict.\"\r\nAustin Berglas, a former FBI Cyber Division special agent, now global head of professional services at\r\nBlueVoyant, isn't surprised that China is buried inside the US's most critical networks.\r\n\"We've known that China is looking to exploit any sector it could to give them an advantage politically, socially,\r\nor economically. So it's not surprising,\" he says. \"What is surprising is the mention of destructive malware. That's\r\nnot normally seen in their typical toolkit.\"\r\n\"When you look at traditional tactics, techniques, and procedures (TTPs) used by Chinese state actors, they're\r\ndoing espionage,\" he explains. Malware designed to disrupt or destroy critical systems changes the story. \"Is it\r\npositioning them for a retaliatory strike? 
Is it something that we're going to start seeing more of in the future from\r\nthese guys?\"\r\nAn Insider Attack Takes Flight at the Air Force\r\nAlso on July 29, Forbes revealed that the Pentagon ordered a raid on a 48-year-old engineer from Arnold Air\r\nForce Base in Tullahoma, Tenn.\r\nAccording to the relevant search warrant, the engineer had taken $90,000 worth of radio equipment home, gaining\r\nunauthorized access to radio communications technologies employed by Air Education and Training Command\r\n(AETC), a wing of the Air Force responsible for recruitment and training.\r\nIn the raid, investigators found an open computer running Motorola radio programming software \"which\r\ncontained the entire Arnold Air Force Base (AAFB) communications system,\" the warrant stated, plus evidence of\r\naccess to privileged communications from the FBI and other Tennessee state agencies.\r\nBerglas says that the impact on the other agencies is not surprising. He likens it to his time in the FBI. \"If I was\r\nsitting at my desk at work, I couldn't put a USB drive into my computer. I couldn't put a disc in to make a copy, or\r\ntake that media off of the network any other way, aside from printing,\" he explains.\r\n\"The problem is, as an FBI office, you rely heavily on state and local partners. So you need to give them classified\r\naccess to certain levels of information, depending on the investigation. 
But when that information gets to that\r\noffice, those task forces and contractors probably don't have the same level of cyber safeguards in place,\" he\r\nexplains.\r\nIt's a lesson for any organization: Even those that practice zero trust as stringently as the FBI and Air Force still\r\nface the same insider threats, and the same supply chain risks, as any other organization.\r\n\"When you're looking at securing classified information,\" he concludes, \"you have to enable those individual and\r\nagency partners to comply. It's about giving resources to the weakest link in the chain, and supporting them to be\r\nmore secure.\"\r\nAbout the Author\r\nContributing Writer\r\nNate Nelson is a journalist and scriptwriter. He writes for \"Darknet Diaries\" — the most popular podcast in\r\ncybersecurity — and co-created the former Top 20 tech podcast \"Malicious Life.\" Before joining Dark Reading,\r\nhe was a reporter at Threatpost.\r\nSource: https://www.darkreading.com/vulnerabilities-threats/china-s-volt-typhoon-apt-burrows-us-critical-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/vulnerabilities-threats/china-s-volt-typhoon-apt-burrows-us-critical-infrastructure"
	],
	"report_names": [
		"china-s-volt-typhoon-apt-burrows-us-critical-infrastructure"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391",
				"Insidious Taurus",
				"UNC3236",
				"Vanguard Panda",
				"Volt Typhoon",
				"Voltzite"
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434380,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d2de7c0be5e61ff8ac480167c5c65e5457c6b22.pdf",
		"text": "https://archive.orkl.eu/3d2de7c0be5e61ff8ac480167c5c65e5457c6b22.txt",
		"img": "https://archive.orkl.eu/3d2de7c0be5e61ff8ac480167c5c65e5457c6b22.jpg"
	}
}