Volt Typhoon is a state-sponsored advanced persistent threat (APT) group, attributed to China, that has been quietly targeting critical infrastructure, including the energy, water, transportation and communications sectors, since at least 2021. According to CISA's advisory AA24-038A, its tradecraft prioritizes stealth over speed: gaining initial access by exploiting known and zero-day vulnerabilities in internet-facing network appliances, operating with valid credentials, and "living off the land" with built-in tools such as PowerShell, WMI and ntdsutil rather than deploying malware that endpoint products would recognize. 

While the group’s known targets have been primarily in the U.S., the risk extends globally. In an interconnected infrastructure ecosystem, a breach in one region can quickly ripple across supply chains, affecting North America and Europe alike. 

Combating modern identity-centric threats requires more than perimeter defences and EDR. Security teams need deep, continuous visibility into access across human and non-human identities — and the ability to act on that insight in real time. An identity threat detection approach built on access intelligence is key to identifying and disrupting campaigns like Volt Typhoon. 

How Enterprises Can Defend Against Volt Typhoon 

  1. Detecting Abuse of Legitimate Credentials and Living-Off-the-Land Binaries (LOLBins)

APT groups like Volt Typhoon avoid detection by using tools already present on the host, such as PowerShell, WMI, netsh and the native command line, rather than dropping their own binaries. This tactic, known as "living off the land," gives signature-based EDR and SIEM rules little to match on: the binary is legitimate and the commands look like routine administration. The signal is contextual, namely which account ran the tool, on which host and at what hour, compared with that account's normal behaviour. 

An access intelligence platform can correlate identity permissions with behaviour to surface anomalies, such as unauthorized use of administrative tools from rarely used accounts, enabling earlier threat detection. 
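The following is an added example of that correlation, written for this page and not taken from any vendor product. It replays constructed Windows Security event 4688 (process creation) records and flags executions of known living-off-the-land binaries only when they do not fit the executing account's recent history: a first use of the tool, a first appearance on that host, or an account that is otherwise almost never active. The account names, hostnames, the `ADMIN_BASELINE` set and the 30-day window are all assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows binaries routinely abused for living off the land. Illustrative, not exhaustive.
LOLBINS = {"powershell.exe", "wmic.exe", "ntdsutil.exe", "netsh.exe",
           "cmd.exe", "reg.exe", "vssadmin.exe", "certutil.exe"}

# Accounts expected to run admin tooling. Assumed here; in practice derive it from
# privileged-group membership plus observed history rather than a hand-written set.
ADMIN_BASELINE = {"CORP\\admin.jdoe"}

# How much of an account's history is consulted before an execution is judged.
BASELINE_WINDOW = timedelta(days=30)

# Constructed, simplified Security event 4688 (process creation) records; not real logs.
SAMPLE_EVENTS = [
    {"time": "2024-01-05T09:00:00", "user": "CORP\\admin.jdoe", "host": "DC01",
     "process": "powershell.exe"},
    {"time": "2024-01-12T10:30:00", "user": "CORP\\admin.jdoe", "host": "DC01",
     "process": "ntdsutil.exe"},
    {"time": "2024-01-08T08:00:00", "user": "CORP\\svc-backup", "host": "FS01",
     "process": "backupagent.exe"},
    {"time": "2024-01-15T08:00:00", "user": "CORP\\svc-backup", "host": "FS01",
     "process": "backupagent.exe"},
    # A backup service account runs ntdsutil on a domain controller at 02:13.
    {"time": "2024-02-05T02:13:00", "user": "CORP\\svc-backup", "host": "DC01",
     "process": "ntdsutil.exe"},
    # An account with no recent history at all runs netsh on a workstation.
    {"time": "2024-02-05T02:20:00", "user": "CORP\\mwilson", "host": "WS07",
     "process": "netsh.exe"},
]


def detect_lolbin_anomalies(events, admin_baseline=ADMIN_BASELINE,
                            window=BASELINE_WINDOW):
    """Return alerts for LOLBin executions that do not fit the executing account.

    Events are replayed in time order. Each LOLBin execution by a non-baseline
    account is compared with what that account did in the preceding `window`:
    the binary itself never triggers an alert; a change in who runs it, where,
    or how active that account normally is does.
    """
    events = sorted(events, key=lambda e: e["time"])
    history = defaultdict(list)          # user -> [(time, process, host)]
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        user, proc, host = ev["user"], ev["process"].lower(), ev["host"]
        if proc in LOLBINS and user not in admin_baseline:
            recent = [h for h in history[user] if ts - h[0] <= window]
            seen_procs = {p for _, p, _ in recent}
            seen_hosts = {h for _, _, h in recent}
            reasons = []
            if proc not in seen_procs:
                reasons.append(f"first use of {proc} in {window.days}d")
            if host not in seen_hosts:
                reasons.append(f"first activity on {host} in {window.days}d")
            if len(recent) < 3:
                reasons.append("low-activity account")
            if reasons:
                alerts.append({"time": ev["time"], "user": user, "host": host,
                               "process": proc, "reasons": reasons})
        history[user].append((ts, proc, host))
    return alerts


if __name__ == "__main__":
    for alert in detect_lolbin_anomalies(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['user']} ran {alert['process']} on "
              f"{alert['host']}: {'; '.join(alert['reasons'])}")
```

Run against the sample, the administrator's own ntdsutil use is silent, while the backup service account running ntdsutil on a domain controller and a previously unseen account running netsh are both raised with the reasons attached. In production the baseline would be fed from weeks of real 4688 (or Sysmon event 1) data and the admin set from directory group membership, but the shape of the logic, identity context first and binary name second, is the point.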

  2. Eliminating Overprivileged Access to Limit Lateral Movement

Overprivileged access remains a leading cause of lateral movement in cyber intrusions. Attackers often exploit dormant or excessive permissions to pivot across systems and escalate privileges. 

Organizations need to apply least privilege principles consistently across users, service accounts and non-human identities, limiting the blast radius of compromised credentials and preventing unauthorized lateral movement to operational technology (OT) environments. 

  3. Continuous Monitoring to Disrupt Long-Term Persistence

Long-term persistence is a hallmark of Volt Typhoon's strategy. Rather than installing malware, they maintain access with valid credentials, often harvested from Active Directory (the CISA advisory documents copies of the NTDS.dit database being taken for offline password cracking), and frequently through rarely used or dormant accounts whose activity nobody is watching. 

Identity-first monitoring tools continuously analyze account usage patterns, enabling teams to detect anomalies such as privilege escalations or reactivated service accounts before attackers can exploit them. 
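As an added example of the monitoring described here (written for this page, not code from any product), the script below replays constructed Windows Security events and combines two signals that are weak alone but strong together: a logon by an account that has been silent for longer than a dormancy threshold, or that was enabled shortly before use, and an addition of that same account to a privileged group. The event IDs are the standard ones (4624 logon, 4722 account enabled, 4728 member added to a security-enabled global group); the account names, addresses, 90-day threshold and group list are assumptions.

```python
from datetime import datetime, timedelta

DORMANCY = timedelta(days=90)          # no logon for this long counts as dormant
ENABLE_TO_USE = timedelta(hours=24)    # enabled and then used within this window
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Schema Admins"}

# Constructed, simplified Windows Security events; not real logs.
# 4624 = successful logon, 4722 = user account enabled,
# 4728 = member added to a security-enabled global group.
SAMPLE_EVENTS = [
    {"time": "2023-09-01T08:00:00", "event_id": 4624, "user": "CORP\\svc-legacy-sql",
     "logon_type": 3, "src": "10.0.1.15"},
    {"time": "2024-01-29T08:00:00", "event_id": 4624, "user": "CORP\\jsmith",
     "logon_type": 2, "src": "10.0.2.40"},
    {"time": "2024-02-03T02:00:00", "event_id": 4722, "subject": "CORP\\admin.jdoe",
     "target": "CORP\\svc-legacy-sql"},
    {"time": "2024-02-03T02:05:00", "event_id": 4624, "user": "CORP\\svc-legacy-sql",
     "logon_type": 10, "src": "10.0.5.23"},
    {"time": "2024-02-03T02:10:00", "event_id": 4728, "subject": "CORP\\admin.jdoe",
     "target": "CORP\\svc-legacy-sql", "group": "Domain Admins"},
    {"time": "2024-02-05T08:05:00", "event_id": 4624, "user": "CORP\\jsmith",
     "logon_type": 2, "src": "10.0.2.40"},
]


def detect_persistence_signals(events, dormancy=DORMANCY, enable_to_use=ENABLE_TO_USE):
    """Return alerts for dormant-account reactivation and privileged-group additions.

    One logon by a long-unused account is not proof of compromise, so the
    reactivation is recorded and carried forward: a later addition of the same
    account to a privileged group is raised at high rather than medium severity.
    """
    events = sorted(events, key=lambda e: e["time"])
    last_logon, enabled_at, reactivated = {}, {}, {}
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        eid = ev["event_id"]
        if eid == 4722:
            enabled_at[ev["target"]] = ts
        elif eid == 4624:
            user = ev["user"]
            prev = last_logon.get(user)
            reasons = []
            if prev is not None and ts - prev > dormancy:
                reasons.append(f"dormant for {(ts - prev).days}d")
            if user in enabled_at and ts - enabled_at[user] <= enable_to_use:
                hours = int(enable_to_use.total_seconds() // 3600)
                reasons.append(f"enabled within {hours}h of this logon")
            if reasons:
                reactivated[user] = ts
                alerts.append({"time": ev["time"], "user": user, "severity": "medium",
                               "signal": "reactivation", "src": ev["src"],
                               "reasons": reasons})
            last_logon[user] = ts
        elif eid == 4728 and ev["group"] in PRIVILEGED_GROUPS:
            target = ev["target"]
            severity = "high" if target in reactivated else "medium"
            alerts.append({"time": ev["time"], "user": target, "severity": severity,
                           "signal": "privileged_group_add",
                           "reasons": [f"added to {ev['group']} by {ev['subject']}"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_persistence_signals(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['time']} {alert['user']} "
              f"{alert['signal']}: {'; '.join(alert['reasons'])}")
```

On the sample data the weekly user logons produce nothing, while the legacy SQL service account is flagged once for its 154-day gap and same-night enablement, and again, at high severity, when it is added to Domain Admins five minutes later. A real deployment would seed `last_logon` from the directory's lastLogonTimestamp rather than from the start of the log window, otherwise every account's first observed logon looks like a fresh start.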

  4. Securing Non-Human Identities

Non-human identities — like service accounts, SSH keys and API tokens — often fly under the radar of traditional security controls, yet they’re a prime target for groups like Volt Typhoon. 

Identity-first technology helps organizations discover and govern these identities across cloud, SaaS and on-prem environments, ensuring each one is actively used, scoped to what it actually needs and assigned to a current owner. This visibility helps eliminate orphaned or overprivileged accounts that would otherwise serve as quiet footholds for persistent access. 
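The governance checks in this section and the least-privilege point made earlier can be expressed concretely. The added example below (not from any product; written for this page) audits a constructed inventory of service accounts and API tokens for three conditions, orphaned owner, no use in 90 days and admin-level scope, and separately parses a constructed `/root/.ssh/authorized_keys` to flag keys that are not pinned to a source host with `from=` or confined to a single command with `command=` or `restrict`. The staff list, inventory entries, audit date and key material are all placeholders.

```python
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)
ADMIN_SCOPES = {"Domain Admins", "Enterprise Admins", "admin", "owner", "*"}
# Assumed export of current staff from the HR system or IdP; owners not in it have left.
ACTIVE_STAFF = {"alice", "bob"}
AUDIT_DATE = date(2024, 2, 6)          # assumed "today" so the example is reproducible
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
             "sk-ecdsa-sha2-nistp256@openssh.com")

# Constructed inventory of service accounts and API tokens; not from a real environment.
INVENTORY = [
    {"kind": "service_account", "name": "svc-backup", "owner": "alice",
     "last_used": "2024-02-01", "scopes": {"Backup Operators"}},
    {"kind": "service_account", "name": "svc-legacy-sql", "owner": "carol",
     "last_used": "2023-09-01", "scopes": {"Domain Admins"}},
    {"kind": "api_token", "name": "ci-deploy-token", "owner": "bob",
     "last_used": "2024-02-04", "scopes": {"repo:read", "deploy"}},
    {"kind": "api_token", "name": "old-integration", "owner": None,
     "last_used": "2023-06-15", "scopes": {"*"}},
]

# Constructed /root/.ssh/authorized_keys; the key material is a placeholder, not a real key.
ROOT_AUTHORIZED_KEYS = """\
from="10.0.9.5",command="/usr/local/bin/backup.sh",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 backup@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER2 legacy-deploy
"""


def audit_inventory(inventory, today):
    """Flag identities that are orphaned, unused, or hold admin-level scope."""
    findings = []
    for ident in inventory:
        name = ident["name"]
        if ident["owner"] is None or ident["owner"] not in ACTIVE_STAFF:
            findings.append((name, "orphaned: no current owner"))
        idle = today - date.fromisoformat(ident["last_used"])
        if idle > STALE_AFTER:
            findings.append((name, f"stale: unused for {idle.days}d"))
        if ident["scopes"] & ADMIN_SCOPES:
            findings.append((name, "overprivileged: admin-level scope"))
    return findings


def parse_authorized_key(line):
    """Split an authorized_keys line into (options, key_type, comment).

    Options, when present, run up to the first space that is not inside double
    quotes, because a command="..." value may itself contain spaces.
    """
    line = line.strip()
    options = ""
    if not line.startswith(KEY_TYPES):
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_quote = not in_quote
            elif ch == " " and not in_quote:
                options, line = line[:i], line[i + 1:]
                break
    parts = line.split(None, 2)
    return options, parts[0], (parts[2] if len(parts) > 2 else "")


def audit_authorized_keys(text, account):
    """Flag keys that lack source and command restrictions, i.e. are not scoped."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        options, key_type, comment = parse_authorized_key(line)
        label = f"{account}:{comment or key_type}"
        if "from=" not in options:
            findings.append((label, "ssh key not restricted to source hosts (no from=)"))
        if "command=" not in options and "restrict" not in options.split(","):
            findings.append((label, "ssh key grants an unrestricted shell"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_inventory(INVENTORY, AUDIT_DATE):
        print(f"{name}: {issue}")
    for name, issue in audit_authorized_keys(ROOT_AUTHORIZED_KEYS, "root"):
        print(f"{name}: {issue}")
```

The two clean entries (an owned, recently used backup account with a narrow group, and a pinned, command-restricted bastion key) produce no findings; the legacy SQL account and the ownerless wildcard token each trip all three inventory checks, and the bare `ssh-rsa` key in root's file is reported twice because it can be used from anywhere and gives a full shell. Feeding real data means exporting the inventory from the directory, secrets manager and CI system, but the checks themselves are the ones the text asks for: used, scoped, owned.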

  5. Unified Identity Governance Across Fragmented Infrastructure

Across both North America and the EU, critical infrastructure environments are increasingly complex, hybrid and fragile — spanning cloud, SaaS, on-prem and OT systems. This fragmentation makes identity governance even more challenging. 

Enterprises need a single source of truth to secure access across all identity types and platforms. 

Why it Matters — and What to Do Next 

Volt Typhoon isn’t just another APT. It represents a shift in the threat landscape where identities, not malware, are the weapon of choice. These adversaries exploit visibility gaps in identity systems to move undetected, bypassing traditional defences. 

Securing identities must now be treated with the same urgency and rigour as endpoint or network protection. Security leaders who adopt an identity-first approach are better equipped to detect stealthy campaigns, reduce exposure and build resilience into critical systems. 

In the era of identity-driven threats, proactive identity security is paramount. Equip your organization with the capabilities to detect, respond to and mitigate these evolving risks. 
