Tags: nation-state, china, critical-infrastructure

Volt Typhoon

A Chinese intrusion campaign was found sitting quietly inside US water utilities and military logistics networks, doing nothing — apparently waiting to do something.

Cyber Chronicle

In May 2023, Microsoft and the US, UK, Canadian, Australian, and New Zealand signals intelligence agencies jointly disclosed a Chinese intrusion campaign called Volt Typhoon. Unlike the espionage campaigns the same agencies had been describing for a decade, Volt Typhoon was not collecting documents. It was prepositioning itself inside US critical infrastructure.

Living off the land

The technical tradecraft was deliberately quiet. The operators used built-in Windows utilities — PowerShell, WMI, netsh, ntdsutil — rather than custom malware. Where persistence required something more, they used open-source tools indistinguishable from those used by red teams. The intent was to leave the smallest possible trail in environments that often lacked deep endpoint instrumentation in the first place.
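The defensive problem this tradecraft creates is that every tool involved is legitimate, so a detector has to reason about arguments, hosts and timing rather than file hashes. The following is an added example, not code from the chronicle or from any of the agencies it cites: a small scorer that runs over constructed, tab-separated process-creation records and flags the four built-in utilities the text names (PowerShell, WMI via wmic.exe, netsh, ntdsutil). The log format, the domain-controller inventory, the argument patterns and the scoring weights are all assumptions chosen for illustration; a real deployment would derive them from its own baseline.

```python
"""Toy living-off-the-land (LOTL) scorer over constructed process-creation log lines.

Everything except the four utility names is an assumption made for this example:
the record layout, the host inventory, the argument patterns and the weights.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# The built-in Windows utilities the chronicle names (wmic.exe as the WMI CLI).
LOTL_BINARIES = {"powershell.exe", "wmic.exe", "netsh.exe", "ntdsutil.exe"}

# Assumed inventory: ntdsutil has a legitimate job on a domain controller and
# almost nowhere else, so the host list is the baseline that makes it decidable.
KNOWN_DCS = {"dc01", "dc02"}

# Assumed argument patterns that turn an ordinary tool launch into something worth a look.
SUSPICIOUS_ARGS = {
    "powershell.exe": [
        (re.compile(r"(^|\s)-e(nc|ncodedcommand)?(\s|$)", re.I), "encoded command"),
        (re.compile(r"(^|\s)-w(indowstyle)?\s+hidden(\s|$)", re.I), "hidden window"),
    ],
    "netsh.exe": [(re.compile(r"\bportproxy\b", re.I), "portproxy configuration")],
    "wmic.exe": [(re.compile(r"\bprocess\s+call\s+create\b", re.I), "process launch via WMI")],
}


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str      # lower-cased basename of the executable
    cmdline: str


@dataclass
class Finding:
    event: ProcEvent
    score: int
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed record: <ISO-8601 UTC ts> TAB <host> TAB <DOMAIN\\user> TAB <command line>."""
    ts, host, user, cmdline = line.rstrip("\n").split("\t", 3)
    first = cmdline.split()[0].strip('"')
    image = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ProcEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), host.lower(), user, image, cmdline)


def score_event(evt: ProcEvent) -> Optional[Finding]:
    """Score a single event; None when it is not a LOTL binary or nothing about it stands out."""
    if evt.image not in LOTL_BINARIES:
        return None
    reasons, score = [], 0
    for pattern, label in SUSPICIOUS_ARGS.get(evt.image, []):
        if pattern.search(evt.cmdline):
            reasons.append(label)
            score += 2
    if evt.image == "ntdsutil.exe" and evt.host not in KNOWN_DCS:
        reasons.append("ntdsutil outside the domain-controller inventory")
        score += 3
    if not 6 <= evt.ts.hour < 22:          # assumed business hours, UTC
        reasons.append("outside business hours (UTC)")
        score += 1
    return Finding(evt, score, reasons) if reasons else None


def detect(log_text: str, threshold: int = 2) -> List[Finding]:
    """Return findings at or above the threshold, highest score first.

    The threshold is what keeps a lone off-hours scheduled script (score 1) out of the queue.
    """
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            f = score_event(parse_line(line))
            if f and f.score >= threshold:
                findings.append(f)
    return sorted(findings, key=lambda f: -f.score)


# Constructed sample log: hosts, users and command lines are invented for this example.
SAMPLE_LOG = "\n".join([
    "2023-05-01T09:12:44Z\tdc01\tCORP\\adm.jlee\tntdsutil.exe \"activate instance ntds\" quit",
    "2023-05-01T10:03:10Z\tsrv-app-03\tCORP\\adm.jlee\tpowershell.exe -NoProfile -File C:\\scripts\\inventory.ps1",
    "2023-05-02T02:41:03Z\tsrv-app-03\tCORP\\svc_backup\tpowershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand PLACEHOLDER_BASE64",
    "2023-05-02T02:43:17Z\tsrv-app-03\tCORP\\svc_backup\tnetsh.exe interface portproxy add v4tov4 listenport=8443 connectaddress=10.20.30.40 connectport=443",
    "2023-05-02T11:20:55Z\tws-ops-12\tCORP\\svc_backup\tntdsutil.exe",
    "2023-05-02T14:05:00Z\tsrv-app-03\tCORP\\adm.jlee\tnetsh.exe advfirewall show allprofiles",
    "2023-05-02T14:06:30Z\tsrv-app-03\tCORP\\adm.jlee\twmic.exe os get caption",
    "2023-05-02T23:30:00Z\tsrv-app-03\tCORP\\adm.jlee\tpowershell.exe -File C:\\scripts\\nightly-backup.ps1",
])

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.score:>2}  {f.event.host:<10} {f.event.user:<16} {f.event.image:<15} {'; '.join(f.reasons)}")
```

Run on the sample, three of the eight records survive the threshold: the hidden, encoded PowerShell launch at 02:41 scores highest, the netsh portproxy change and the ntdsutil launch on a workstation both score 3, while the DC-side ntdsutil maintenance, the daytime admin commands and the off-hours backup script are left alone. The point is the shape of the logic: with no malware to match, the signal lives in context (which host, which account, which arguments, what hour), which is exactly the context that environments without endpoint instrumentation never recorded.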

The targets — Guam telecoms, US water utilities, electric distribution companies, transportation hubs near American Pacific bases — were not chosen for what they knew. They were chosen for what they did. CISA's follow-up advisories explicitly characterized the campaign as preparation for "disruptive or destructive cyberattacks against US critical infrastructure in the event of a major crisis or conflict with the United States" — a strategic framing rare in public attribution.

What the chronicle remembers

Volt Typhoon moved Chinese cyber operations, in the public discourse, from intellectual property theft to a posture closer to what the US itself had been doing in Russia and Iran. The change reshaped Western critical infrastructure programs around hunting for low-and-slow living-off-the-land activity in environments that had historically not been instrumented for it.