Executive Risk & Board Advisory

Seven Years Inside: What Volt Typhoon Is Actually Doing in the US Power Grid

Dipan Mann
Founder, CEO & CTO
June 6, 2026
13 minute read

On a Friday afternoon in late 2023, the FBI called a small Massachusetts power and water utility to tell its managers something they had no way of knowing: Chinese state hackers had been living inside their systems for nearly ten months. The hackers had stolen no money and demanded no ransom. They had simply mapped the network and stayed. That utility is one visible piece of a campaign called Volt Typhoon that US intelligence has tracked for years, and understanding what the campaign actually is, an effort to pre-position inside American infrastructure rather than to spy on it, is the difference between a board asking the right questions and one that is comfortable for the wrong reasons.

The Phone Call

On a Friday afternoon in November 2023, the FBI called the assistant general manager of the Littleton Electric Light and Water Department, a small municipal power and water utility in Massachusetts, to deliver an unusual message. Chinese state-sponsored hackers had been living inside the utility's systems for nearly ten months. The security firm Dragos, brought in to investigate, later found evidence of lateral movement and data theft dating back to February 2023, with the intruders quietly mapping the network and building persistent access that no one had detected.

Sit with the shape of that. Not a Fortune 500 company. Not a defense contractor. A local power and water department, the kind of utility that exists in every county in America, with the kind of budget and staffing that implies. The hackers were not there to steal money or extort a ransom. They were there to map the network and stay. The data they took was operational data, the kind that tells you how the utility runs, not the kind you sell.

That utility is one known instance of a campaign the US intelligence community has been tracking for years under the name Volt Typhoon. Understanding what that campaign actually is, and what it is not, is the difference between a board that is asking the right questions and one that is comfortable for the wrong reasons.

What Volt Typhoon Is

Volt Typhoon is a Chinese state-sponsored hacking group, also tracked under names including Vanguard Panda, Bronze Silhouette, and Voltzite. Microsoft first publicly named it in May 2023, after finding it inside critical infrastructure networks in Guam and the continental United States across the communications, utility, transportation, manufacturing, maritime, and government sectors. Microsoft dated the activity it had observed to mid-2021, and US and Five Eyes assessments likewise place the campaign's start around 2021.

In February 2024, CISA, the FBI, the NSA, and Five Eyes partners issued joint advisory AA24-038A, which assessed that Volt Typhoon had maintained access and footholds inside some US critical infrastructure networks for at least five years before that advisory was published, which places the earliest documented footholds in 2019 or before. The Microsoft attribution dates the activity it saw to mid-2021; the advisory's five-year figure reaches back further, and it is that longer timeline, carried forward to today, that makes the campaign roughly seven years old.

What makes the group categorically different from ordinary cybercrime is its purpose. The intelligence community has been unusually direct about this. CISA's own assessment is that the activity carries limited espionage value and is instead an effort to pre-position to disrupt US infrastructure, particularly in the event of a conflict in the Pacific over Taiwan. The FBI director has described it as pre-positioning to cause real-world harm to American citizens in the event of conflict. The NSA has called it pre-positioning for disruption or destruction, not espionage.

That word, pre-positioning, is the whole story. Volt Typhoon is not breaking in to take something and leave. It is establishing quiet, durable access and holding it in reserve, so that on the day it matters, it can disrupt rather than observe. It is the digital equivalent of special forces placed behind enemy lines years in advance, doing nothing visible, waiting for an order that may never come and may come tomorrow.

💡 Key Insight

Volt Typhoon is not trying to steal from you. It is trying to already be inside you on the day a conflict starts. That changes what detection has to look for, because nothing is being taken, so there is nothing to notice missing.

Why a Clean Security Scan Means Nothing Against It

Here is the part that should reshape how every board thinks about its own security reporting. Volt Typhoon is built, specifically and deliberately, to be invisible to the tools most organizations rely on.

The group's signature technique is what defenders call living off the land. Rather than deploying custom malware that a scanner can recognize and flag, it uses the legitimate administrative tools already present on the network, the same utilities the real administrators use every day, operating with valid stolen credentials. To a monitoring system watching for malicious software, there is no malicious software. To a system watching for unusual logins, the logins look like the authorized staff, because they are using the authorized staff's access. The intrusion does not look like an attack. It looks like Tuesday.

Its preferred way in compounds the problem. Volt Typhoon favors edge devices, the routers, firewalls, and VPN concentrators at the boundary of a network, exploiting outdated firmware, weak or default credentials, and misconfigurations. These are exactly the devices that the smaller organizations running critical services are least likely to have patched, monitored, or in many cases logged into in years. The small utility, the regional logistics firm, the mid-market manufacturer: each has an edge device that is functionally a front door nobody is watching.

Put those two facts together and you arrive at the uncomfortable conclusion. A standard security assessment that comes back clean, no malware found, no unusual alerts, is not evidence that Volt Typhoon is absent. It is exactly what a successful living-off-the-land intrusion is engineered to produce. The absence of an alarm and the absence of an intruder are not the same thing, and against this adversary they can look identical.

The Proof of Concept Already Happened

The reason defense planners treat this as urgent rather than theoretical is that the playbook has already been run, successfully, in a real war. Russia's Sandworm group cut power to parts of Ukraine in December 2015 and again in December 2016, and after the 2022 invasion it went back to the grid: an Industroyer2 attack on high-voltage substations was caught and disrupted in April 2022, and Mandiant later documented an outage in October 2022 that the group timed to coincide with missile strikes, carried out largely with the utility's own operational-technology tooling rather than custom malware, from access gained months earlier. In each case the intrusion sat quiet until the moment it was wanted. The pre-positioning was not the attack. It was the preparation for the attack, done in advance and invisible until the moment it was used.

Volt Typhoon is the same logic, aimed at the United States, by an adversary with substantially greater resources than Russia and a specific scenario in mind. The US defense community is not imagining what activated pre-positioning would look like. It has already watched quiet access inside a power grid be turned into an outage in the middle of a war.

2021
The year Volt Typhoon activity against US and Guam critical infrastructure is believed to have begun, according to US government and Five Eyes assessments. It was not publicly attributed by Microsoft until May 2023, and not the subject of a joint federal advisory until February 2024.
10 Months
How long Volt Typhoon operated undetected inside the Littleton Electric Light and Water Department, a small Massachusetts utility, before the FBI called to tell them. Dragos later found evidence of lateral movement and data theft dating back further still.
Zero Malware
The amount of custom malware Volt Typhoon needs to maintain access. The group lives off the land, using the legitimate administrative tools already present on a network, which is precisely why traditional malware-focused detection does not catch it.

Is It Still Inside? The Honest Answer.

This is where the piece has to be careful, because the public record is genuinely mixed and anyone telling you otherwise is selling certainty that does not exist.

In mid-2025, NSA officials said Volt Typhoon had largely failed to achieve durable persistence, that the government, working with the private sector, had found the intruders and disrupted their access. The US government has stated the group was largely contained and eradicated from affected networks. That is the optimistic reading, and it comes from the people with the best visibility.

Against that, the security firm Dragos reported continued Volt Typhoon activity against US utilities through 2025, and the group remains active by independent accounts. The International Institute for Strategic Studies framed the situation precisely: irrespective of whether the group's presence has been fully removed from any given network, it continues to jeopardize US and Western interests and to generate strategic benefit for Beijing. China has rejected the attribution entirely.

The honest synthesis is this. The government may well have evicted Volt Typhoon from the specific networks it found. But eviction from known intrusions is not the same as confidence that no unknown intrusions remain, and against a living-off-the-land adversary, the unknown ones are the entire point. The uncertainty is not a footnote. It is the threat. An organization cannot prove the absence of an intruder who, by design, leaves nothing to find. That is why CI Fortify, CISA's spring 2026 guidance, tells operators to assume some access exists rather than to wait for proof of it.

What a Board Should Actually Do

The instinct, reading this, is either to panic or to assume it is someone else's problem. Neither is useful. The right response is specific and unsentimental.

First, recognize that detection has to change shape. If the threat uses legitimate tools and valid credentials, then monitoring for malware and watching for failed logins will not find it. What finds it is behavioral analysis: noticing when a legitimate administrative tool is used in an illegitimate pattern, when valid credentials do something the real user never does. Most mid-market security programs do not have this, and the first honest question for a board is whether yours does.

Second, treat the edge as a first-order priority, not an afterthought. The routers, firewalls, and VPN devices at the boundary of the network are the documented entry path. When were they last patched? Do they still carry default credentials? Is anyone watching them at all? For most organizations the answers are uncomfortable, and that discomfort is the exposure.

Third, and this is the part that matters most for acquirers, abandon the idea that a clean report is reassurance. In a private-equity portfolio of a dozen companies sitting inside the supply chains of larger targets, the relevant question in diligence is not whether a target has had a reported breach. It is whether the target could detect a living-off-the-land intrusion at all, and whether anyone has gone looking for the evidence of access rather than the evidence of alarms. Against Volt Typhoon, the alarms are exactly what the adversary ensures never sound.
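As an added illustration of the behavioral detection the first recommendation calls for, and of the diligence question in the third (this is example code written for this page, not anything from Cloudskope, CISA, or Dragos), the Python below baselines which administrative tools each account has historically run, on which hosts and at which hours, and then scores a review window against that history, so that valid credentials doing something their owner never does produce a finding even though no malware is present. The process-creation events are constructed, the tool watchlist is an assumption, and the two command-line patterns it treats as high risk regardless of baseline (an ntdsutil "ifm" copy of NTDS.dit and a netsh portproxy relay) are living-off-the-land techniques that the AA24-038A advisory attributes to Volt Typhoon.

```python
"""Behavioral baselining for living-off-the-land admin activity (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Dual-use administrative binaries worth baselining. Assumed watchlist for this example.
WATCHED_TOOLS = {"ntdsutil.exe", "netsh.exe", "wmic.exe", "powershell.exe",
                 "reg.exe", "net.exe", "certutil.exe"}

# Command lines that warrant a high-severity finding whoever runs them. The
# ntdsutil "ifm" (offline NTDS.dit copy) and netsh portproxy (built-in relay)
# techniques are documented Volt Typhoon tradecraft in AA24-038A.
HIGH_RISK_PATTERNS = {
    "ntdsutil.exe": re.compile(r"\bifm\b", re.I),
    "netsh.exe": re.compile(r"\bportproxy\b", re.I),
    "reg.exe": re.compile(r"\bsave\b.*\b(sam|system|security)\b", re.I),
}

# Constructed process-creation events (Sysmon ID 1 / Windows 4688 shape), not
# real telemetry. Fields: timestamp, host, user, image, command line.
BASELINE_EVENTS = [
    ("2026-03-02 09:12", "DC01", "CORP\\jsmith", "powershell.exe", "Get-ADUser -Filter *"),
    ("2026-03-03 10:40", "DC01", "CORP\\jsmith", "net.exe", 'net group "Domain Admins" /domain'),
    ("2026-03-05 16:55", "DC02", "CORP\\jsmith", "powershell.exe", "Get-ADReplicationFailure"),
    ("2026-03-02 03:00", "FILESRV02", "CORP\\svc_backup", "wmic.exe", "wmic logicaldisk get size,freespace"),
    ("2026-03-03 03:00", "FILESRV02", "CORP\\svc_backup", "wmic.exe", "wmic logicaldisk get size,freespace"),
    ("2026-03-04 14:05", "WS-ACCT-17", "CORP\\ahelpdesk", "powershell.exe", "Get-Process"),
    ("2026-03-04 14:06", "WS-ACCT-17", "CORP\\ahelpdesk", "notepad.exe", "notepad.exe"),
]

CANDIDATE_EVENTS = [
    # Normal: known account, known host, known tool, working hours.
    ("2026-04-07 11:05", "DC01", "CORP\\jsmith", "net.exe", "net user"),
    # One deviation: a tool this account has never run before.
    ("2026-04-07 10:20", "DC01", "CORP\\jsmith", "wmic.exe", "wmic process list brief"),
    # Valid credentials, wrong host, wrong hour, new tool, and an NTDS.dit copy.
    ("2026-04-08 02:17", "FILESRV02", "CORP\\jsmith", "ntdsutil.exe",
     'ntdsutil "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q'),
    # A service account's nightly window reused to stand up a traffic relay.
    ("2026-04-08 03:01", "DC01", "CORP\\svc_backup", "netsh.exe",
     "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.5.20 connectport=8443"),
    # Not a watched tool: ignored entirely.
    ("2026-04-08 09:00", "WS-ACCT-17", "CORP\\ahelpdesk", "notepad.exe", "notepad.exe"),
]


def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour


def build_baseline(events):
    """Per-account profile: which watched tools were run, on which hosts, at which hours."""
    profile = defaultdict(lambda: {"tools": set(), "hosts": set(), "hours": set()})
    for ts, host, user, image, _cmd in events:
        tool = image.lower()
        if tool not in WATCHED_TOOLS:
            continue
        profile[user]["tools"].add(tool)
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(_hour(ts))
    return profile


def score_event(event, profile):
    """Return a finding dict, or None when the event matches the account's own history."""
    ts, host, user, image, cmd = event
    tool = image.lower()
    if tool not in WATCHED_TOOLS:
        return None
    reasons = []
    pattern = HIGH_RISK_PATTERNS.get(tool)
    if pattern and pattern.search(cmd):
        reasons.append("high-risk command line for " + tool)
    base = profile.get(user)
    if base is None:
        reasons.append("account has no history of running admin tooling")
    else:
        if tool not in base["tools"]:
            reasons.append("tool never run by this account")
        if host not in base["hosts"]:
            reasons.append("host never administered by this account")
        hours = base["hours"]
        if not (min(hours) - 1 <= _hour(ts) <= max(hours) + 1):
            reasons.append("outside the account's observed working hours")
    if not reasons:
        return None
    high = any(r.startswith("high-risk") for r in reasons) or len(reasons) >= 2
    return {"time": ts, "host": host, "user": user, "tool": tool,
            "severity": "high" if high else "medium", "reasons": reasons}


def analyze(baseline_events, candidate_events):
    """Score every candidate event against the baseline; return only the findings."""
    profile = build_baseline(baseline_events)
    return [f for f in (score_event(e, profile) for e in candidate_events) if f]


if __name__ == "__main__":
    for f in analyze(BASELINE_EVENTS, CANDIDATE_EVENTS):
        print(f"{f['severity'].upper():6} {f['time']} {f['user']}@{f['host']} {f['tool']}: "
              + "; ".join(f["reasons"]))
```

On the constructed data this yields one medium finding (jsmith running a tool he has never used) and two high findings (the off-hours NTDS.dit copy on a host jsmith never touches, and the service account's portproxy relay), while the routine net user invocation and the notepad launch produce nothing. The caveat that matters for this adversary: a baseline is only as good as the period it was learned from. An intruder who has been present through the entire learning window gets baselined as normal, which is exactly what seven years of pre-positioning buys, so the baseline period itself has to be reviewed for the same deviations before it is trusted, and the high-risk command-line checks exist precisely because they do not depend on the baseline being clean.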

Read This With the Rest

This is one of five connected stories from a single sixty-day window in 2026. The cover analysis, Five Warnings in Sixty Days: The Keys to America's Infrastructure Are Not Being Held, connects all five and links to each of the detailed investigations.

Conclusion

Seven years is a long time to hold a position you never use. But that is the point of pre-positioning: the value is not in what the access does today, it is in what it can do on the one day that matters. The US government may have evicted Volt Typhoon from the networks it found. What no one can prove is that those were the only networks. Against an adversary built to leave nothing to find, the absence of evidence is not evidence of absence. It is the condition the adversary was working to create.

CLOUDSKOPE VIEW

Cloudskope advises private equity firms, boards, and portfolio-company operators on the exposure this threat represents: behavioral detection built for living-off-the-land intrusions rather than malware signatures, edge-device and credential hygiene as a first-order priority, and diligence that assumes pre-positioning rather than confirming the absence of alarms.
