{
	"id": "076b2ee5-478d-4d60-b852-5fbb5db78d43",
	"created_at": "2026-04-06T00:16:30.239539Z",
	"updated_at": "2026-04-10T03:34:44.549008Z",
	"deleted_at": null,
	"sha1_hash": "daa53ef943b6a9d15927a2212912608f7d1c4ea8",
	"title": "Volt Typhoon's future war",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95025,
	"plain_text": "Volt Typhoon's future war\r\nBy Barracuda Networks\r\nPublished: 2024-03-14 · Archived: 2026-04-05 21:02:47 UTC\r\nThere are many dangerous threat actors out there, but Volt Typhoon could be the most dangerous to our physical safety and well-being. We already know that cyberattacks have an impact beyond the digital realm. Colonial Pipeline and JBS Foods suffered ransomware attacks that disrupted critical supply chains in the United States. Threat actors have already interfered with the U.S. economy and critical infrastructure. Most of this cybercrime is motivated by financial gain. LockBit and ALPHV both claimed to be apolitical and only interested in money.\r\nOther threat actors engage in cyber espionage and cyber warfare. Traditional cyber espionage refers to attacks that give the threat actors a competitive edge over another company or government entity. One example of cyber espionage is the string of attacks on universities that conduct research and development activities for military applications. Espionage usually involves the work of Advanced Persistent Threats (APTs) that stay in the system and gather information or perform destructive activities for as long as possible. In contrast, cyber warfare is likely to be a fast attack intended to disrupt activities and create chaos for strategic purposes. The 2017 Russian attack on Ukrainian targets (WannaCry, NotPetya) was an act of cyber warfare.\r\nWe’re all familiar with cyberattacks, cyber espionage, and cyber warfare. So, what’s the big deal about Volt Typhoon?\r\nWhat is Volt Typhoon?\r\nVolt Typhoon is also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus. This group is an APT actor sponsored by the People’s Republic of China (PRC). Volt Typhoon has been conducting traditional cyber espionage activities against U.S. targets since mid-2021. U.S. officials have since discovered, though, that Volt Typhoon has been “maintaining access and footholds within some victim IT environments for at least five years.” These victim organizations operate primarily in the communications, energy, transportation, and water/wastewater sectors in the United States. Targeting critical sectors is nothing new, but Volt Typhoon’s targets hint at a different type of attack. From Reuters:\r\nhttps://blog.barracuda.com/2024/03/14/volt-typhoon-future-war\r\nPage 1 of 5\n\n“We are extraordinarily concerned about malicious cyber activity from the PRC state-sponsored actor that industry calls Volt Typhoon,” a senior CISA official, Eric Goldstein, referring to the People’s Republic of China, told Reuters ahead of the statement’s release. “Most of the victims we have identified have no legitimate espionage value.”\r\nThis brings us to the Cybersecurity Advisory published in February, alerting U.S. entities and the public about something called ‘pre-positioning.’\r\nTraditional cyber espionage vs. pre-positioning\r\nPre-positioning attacks are attempts to infiltrate critical systems for potential future sabotage. This differs from traditional cyber espionage, which is motivated by immediate data theft or intelligence gathering. When Volt Typhoon compromises a system, a human threat actor begins hands-on-keyboard activity and uses living-off-the-land techniques to move laterally through the network, avoid detection, and establish a long-term hidden and dormant threat. The group rarely uses malware in its attacks. The hands-on activity and the absence of malware show a high level of engagement and sophistication by Volt Typhoon.\r\nPre-positioning represents a strategic shift by a PRC threat actor to prepare for future tensions or military conflicts. Although U.S. officials now have evidence of long-term pre-positioning activity, this Center for Strategic and International Studies (CSIS) research on Chinese espionage does not mention pre-positioning in any attack. The CSIS research studied attacks on U.S. entities during the years 2000–2023. This is a partial demographic breakdown of that data:\r\n49% of incidents directly involved Chinese military or government employees.\r\n46% of incidents involved cyber espionage, usually by state-affiliated actors.\r\n29% of incidents sought to acquire military technology.\r\n54% of incidents sought to acquire commercial technologies.\r\n17% of incidents sought to acquire information on U.S. civilian agencies or politicians.\r\nThis research only analyzed attacks that were known to the public. Unreported attacks and classified information are excluded.\r\nThe ability of state-sponsored actors to embed themselves within essential systems poses a direct physical threat to the people of the United States and other targeted countries. A disruption in the critical systems in the U.S. could force a federal response that consumes a significant portion of U.S. resources. This could then reduce U.S. capability to assist foreign allies. In June 2022, the PRC denied any involvement in cyber espionage:\r\nA spokesman for the Chinese embassy in Washington, Liu Pengyu, rejected the allegations from the western leaders, saying in an emailed statement to the Associated Press that China “firmly opposes and combats all forms of cyber-attacks” and calling the accusations groundless.\r\n“We will never encourage, support or condone cyber-attacks,” the statement said.\r\nThe U.S. isn’t the only target of Volt Typhoon and other PRC threat actors. Volt Typhoon has attacked critical infrastructure and economic sectors in Australia, Canada, and the United Kingdom. It has also conducted extensive reconnaissance attacks on electric transmission and distribution organizations in African nations. The intent of these attacks in Africa is unknown, though experts speculate the threat actors were looking for geographic information systems (GIS) data, which would help Volt Typhoon infiltrate clusters of Industrial Control Systems (ICS) and other Internet of Things (IoT) devices. There may also be a connection to China's Digital Silk Road Initiative, which aims to offer infrastructure assistance and other aid to recipient nations. The People’s Republic of China has strategic interests around the world.\r\nChina routinely denies any involvement in state-sponsored hacking and has promised the U.S. that it would not interfere with the 2024 elections. Despite these denials, law enforcement agencies around the world have compiled decades of evidence of PRC-sponsored cyber espionage. Federal Bureau of Investigation (FBI) Director Christopher Wray believes “China’s cyber operatives outnumber all FBI agents by at least 50 to 1.”\r\nKV Botnet\r\nVolt Typhoon uses the KV Botnet, a covert network, to conceal malicious traffic by blending it with regular internet traffic. The botnet uses routers and VPN devices that are ‘end of life’ and no longer receive security updates from the manufacturer. The U.S. Department of Justice (DoJ) recently announced a successful disruption of the botnet, though Volt Typhoon is attempting a rebuild.\r\nVolt Typhoon moves its traffic through two separate KV Botnet clusters known as KV and JDY. This table outlines the purposes of these clusters and the key differences between them:\r\nAspect | KV Cluster | JDY Cluster\r\nPrimary Purpose | Proxying manual operations against high-profile targets | Scanning and reconnaissance activities\r\nComplexity of Work | Sophisticated, targeted efforts | Less sophisticated, automated tasks\r\nType of Infected Devices | Small office/home office routers and certain IP cameras | Cisco RV320 and RV325 routers\r\nUse of Infected Nodes | Effective use for manual covert operations | Effective for automated scanning and reconnaissance\r\nRisk Management | Lower risk of detection for manual operations. Higher-risk JDY activities do not endanger KV cluster activities. | Higher risk of detection due to automated widespread activities\r\nThe technical breakdown of the KV Botnet is here.\r\nConclusion\r\nVolt Typhoon is a sophisticated, state-sponsored threat actor that will find its way into any opening of any system. They have the skills and resources to attack any weakness they find. A good defense against them is to make sure they do not find any weaknesses. U.S. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly recently stated that the U.S. has made it easy for PRC threat actors to attack. “The truth is that, in many cases, the PRC is taking advantage of known product defects.” The KV Botnet is the perfect example of how threat actors take advantage of neglected security risks.\r\nProtecting your systems from sophisticated threat actors like Volt Typhoon requires a multi-layered approach to cybersecurity that defends the entire system, including remote workers and edge devices:\r\n1. Strong Access Controls and Authentication Measures – Enforce policies that require multi-factor authentication (MFA) and good password hygiene. Use the principle of least privilege to ensure that users have only the access rights they need to perform their work.\r\n2. Regular Software and System Updates – Regularly update all software, operating systems, and firmware using automated patch management tools when possible. Conduct regular scans to identify any vulnerabilities in the environment.\r\n3. Advanced Security Measures – Deploy cybersecurity solutions that protect your email, network, applications, and data. Barracuda Email Protection and Barracuda SecureEdge defend your systems, back up your Microsoft 365 data, and provide security awareness training to help employees spot phishing attacks and other scams.\r\nContinuous monitoring, regular updates to your security protocols, and staying informed about the latest threats are crucial to maintaining robust security.\r\nBarracuda Cybersecurity Platform\r\nOnly Barracuda provides multi-faceted protection that covers all the major threat vectors, protects your data, and automates incident response. Over 200,000 customers worldwide count on Barracuda to protect their email, networks, applications, and data.\r\nSource: https://blog.barracuda.com/2024/03/14/volt-typhoon-future-war",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.barracuda.com/2024/03/14/volt-typhoon-future-war"
	],
	"report_names": [
		"volt-typhoon-future-war"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434590,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/daa53ef943b6a9d15927a2212912608f7d1c4ea8.pdf",
		"text": "https://archive.orkl.eu/daa53ef943b6a9d15927a2212912608f7d1c4ea8.txt",
		"img": "https://archive.orkl.eu/daa53ef943b6a9d15927a2212912608f7d1c4ea8.jpg"
	}
}