{
	"id": "607050f7-5cc1-446c-a18c-c040e6273acc",
	"created_at": "2026-04-06T00:15:22.238498Z",
	"updated_at": "2026-04-10T03:35:48.369615Z",
	"deleted_at": null,
	"sha1_hash": "631b3385adedffab0810c6128364db0224b36b85",
	"title": "NSA: Volt Typhoon was ‘not successful’ at persisting in critical infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78434,
	"plain_text": "NSA: Volt Typhoon was ‘not successful’ at persisting in critical\r\ninfrastructure\r\nBy Jonathan Greig\r\nPublished: 2025-07-15 · Archived: 2026-04-05 21:59:59 UTC\r\nSenior cybersecurity officials at the National Security Agency and FBI said the agencies have been successful in\r\naddressing some of the Chinese cyber campaigns targeting critical infrastructure in the U.S.\r\nDuring the International Conference on Cyber Security at Fordham University in New York City on Tuesday,\r\nexperts spoke at length about Beijing’s so-called Typhoon campaigns — which have involved Chinese\r\ngovernment and private sector groups launching attacks on U.S. government agencies and companies.\r\nKristina Walter, director of the NSA’s Cybersecurity Collaboration Center, focused on Volt Typhoon, an effort by\r\nChinese actors to preposition themselves on U.S. critical infrastructure for disruptive or destructive cyberattacks\r\nin the event of a kinetic conflict centered around Taiwan.\r\n“The good news is, they really failed. They wanted to persist in domestic networks very quietly for a very long\r\ntime so that if and when they needed to disrupt those networks, they could. They were not successful in that\r\ncampaign,” she said. \r\n“We, with private sector, with FBI, found them, understood how they were using the operating systems, how\r\nthey're using legitimate credentials to maintain persistence, and frankly, we equipped the entire private sector and\r\nU.S. government to hunt for them and detect them.”\r\nWalter did not offer further details about those efforts. She said that after the NSA and other agencies released a\r\npublic advisory in 2024, owners of critical infrastructure reached out to them to confirm that they found evidence\r\nof Volt Typhoon and ask for help. 
\r\nBrett Leatherman, who was recently appointed assistant director for cyber at the FBI, echoed those remarks and\r\nnoted that Volt Typhoon was specifically focused on critical infrastructure centered around the U.S. Navy —\r\nparticularly in island communities like Guam. \r\nLeatherman said U.S. efforts to shine a light on the campaign forced Chinese actors to pull back, adapt their\r\ntactics and burn previous methods they used to breach critical infrastructure systems. \r\nThe publicity fostered by U.S. agencies forced Chinese groups to come up with new ways to breach organizations\r\nwhile also providing ways for private industry to better defend themselves, he said. \r\n“Even if you're not dismantling that network — we're never going to dismantle the CCP hacking apparatus — but\r\nif you can bring real relief to victims, you're also protecting national security by doing that, and that's why public\r\nattribution is so important when it comes to PRC hacking activity,” he said. \r\nhttps://therecord.media/china-typhoon-hackers-nsa-fbi-response\r\nPage 1 of 4\n\n‘True cyberwarfare’\r\nPublicity is not the only card the U.S. government has played in response to Chinese hacking campaigns.\r\nLeatherman walked the audience through an incident that he called “one of the first times that the FBI engaged in\r\ntrue cyberwarfare in real time against CCP actors.”\r\nLeatherman described a past FBI effort to take down a botnet used by China’s Flax Typhoon — a campaign that\r\nwas being backed by a now-indicted Chinese cybersecurity company named Integrity Technology Group.\r\nLeatherman said the FBI was initially successful in pulling down the command and control infrastructure for those\r\nbots and redirecting them to FBI-controlled infrastructure. \r\nBut Integrity Technology Group fought back, launching a distributed denial of service (DDoS) against the FBI’s\r\ninfrastructure and were able to gain control of their bots again. 
\r\nLeatherman said it did not appear that the hackers knew they were attacking the U.S. government. Over the course\r\nof a weekend, the FBI and Integrity Technology Group went back and forth — attacking each other and trying to\r\nwrest control over the bot network. \r\n“Finally, we published our splash page, which had the FBI and our partners on it, to let them know it was us, and\r\nit was at that point that the Flax Typhoon actors realized that they had actually DDoSed U.S. government\r\ninfrastructure, and then they actually burned down their own infrastructure at that point,” he said. \r\n“We didn't have to do it. We were going to continue to remove those capacity and capability systems from them,\r\nbut they burned it down as soon as they saw that. So that demonstrates where the U.S. stands, as far as cyber\r\ncapabilities, in our willingness to punch back at the bad actors.” \r\nLeatherman said that traditional law enforcement activities are also part of the response, including last week’s\r\narrest in Italy of a Chinese hacker allegedly involved in the Silk Typhoon campaign.\r\nLeatherman and Walter compared the Chinese government’s association with cyber companies like iSoon and\r\nIntegrity Technology Group as an example of what the U.S. needed to do in terms of partnering with the private\r\nsector to defend U.S. networks. \r\n“When we look at the China cyber ecosystem, it is not the Chinese government targeting the United States,”\r\nWalter said. “It's this giant ecosystem of industry who has been unleashed to frankly do whatever they want to get\r\naccess that's of interest to the government. It's academia. It's looking for zero-day vulnerabilities with contests and\r\nthen feeding them into the government. So it's a whole ecosystem.”\r\nU.S. agencies and companies have to work harder to expose the tools and infrastructure used by Chinese\r\norganizations to force them into expending more resources to start over. 
\r\nVolt Typhoon’s failure forced China’s government to “drop back to the drawing board,” according to Walter. \r\n“They had to yell at their companies who potentially were overly sloppy when targeting networks. They had to\r\nreassess how they were going to go after the United States,” she explained. \r\n“All of that puts sand in the gears and puts friction in their spaces, and that's really our goal, at least from an\r\nintelligence perspective. Exposure makes them have to go back to the drawing board.”\r\nThe U.S. officials did not mention Salt Typhoon, the Chinese operation accused of hacking U.S.\r\ntelecommunications companies. On Tuesday, national security transparency nonprofit Property of the People\r\nreleased a Department of Homeland Security memo from June that said Salt Typhoon breached an unidentified\r\nstate's National Guard network.\r\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/china-typhoon-hackers-nsa-fbi-response",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/china-typhoon-hackers-nsa-fbi-response"
	],
	"report_names": [
		"china-typhoon-hackers-nsa-fbi-response"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434522,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/631b3385adedffab0810c6128364db0224b36b85.pdf",
		"text": "https://archive.orkl.eu/631b3385adedffab0810c6128364db0224b36b85.txt",
		"img": "https://archive.orkl.eu/631b3385adedffab0810c6128364db0224b36b85.jpg"
	}
}