Salt Typhoon and Volt Typhoon: What Critical Infrastructure Operators Need to Know
- Işınsu Unaran
- Mar 17
- 4 min read
There is a category of cyber threat that does not trigger alerts, does not install malware, and does not announce itself until the moment it is activated. For CIOs and CISOs leading energy companies, government agencies, financial institutions, and transportation networks, that category is no longer theoretical. It is operational, and already inside networks you may depend on.
Salt Typhoon and Volt Typhoon are two state-sponsored threat groups attributed to the People's Republic of China. Their campaigns represent one of the most consequential and sustained cyber operations targeting critical infrastructure today. Understanding what these actors are doing and what it means for your organization's operational resilience is now a strategic leadership responsibility.
Two Actors, One Strategic Objective
While Salt Typhoon and Volt Typhoon operate with distinct methods, they serve a coherent strategic purpose: to give Beijing persistent visibility into and potential control over the infrastructure that underpins allied nations' economies, communications, and defense capabilities.
Salt Typhoon is an advanced persistent threat actor believed to be operated by China's Ministry of State Security, focused on counterintelligence targets and data theft across more than 80 countries. Its value is not simply the stolen data; it is persistent visibility into who communicates with whom, when, and from where.
Volt Typhoon operates under a different mandate. U.S. authorities are highly confident that these actors are positioning themselves within IT networks to facilitate lateral movement to OT assets (the systems that physically control critical infrastructure) with the goal of disrupting functions at a chosen time. This is not about intelligence gathering; it is about disruption capability, pre-arranged and ready to activate.
The distinction matters for how you frame risk to your board. Salt Typhoon is a surveillance operation. Volt Typhoon is a sabotage capability. Together, they represent both the means to observe decision-making and the ability to act against the systems those decisions depend on.
The Architecture of Invisibility
What makes these campaigns operationally dangerous is precisely what makes them difficult to counter with conventional security investments: they are designed to be invisible within your existing environment.
Rather than deploying external malware, Volt Typhoon abuses legitimate tools and processes on compromised systems to blend in with normal activities, leveraging both zero-day and known vulnerabilities in internet-facing appliances such as firewalls and VPNs to gain initial access. U.S. authorities have observed Volt Typhoon maintaining access within some victim IT environments for at least five years, tailoring tactics to each target environment over time.
In some instances, the actors abstained from using compromised credentials outside normal working hours, specifically to avoid triggering alerts for abnormal account activity. That level of discipline renders anomaly-based detection that keys on time of day unreliable.
For CIOs and CISOs, the implication is direct: your security stack was largely designed to detect what does not belong. These actors use what already belongs.
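To make the detection point concrete, the following is an added example (not code from the original post or from DataFlowX) that baselines credential use by account, source host and logon type instead of by hour of day. The logon events are constructed for illustration; no real telemetry is involved. It contrasts a time-of-day heuristic, which a disciplined actor working only during business hours never trips, with a pairing heuristic that flags a known account arriving from a host and logon type that account has never used before, regardless of the clock.

```python
"""Detecting credential use by a disciplined actor: time-of-day vs. pairing baseline.

Added example with constructed events; hosts, accounts and timestamps are invented.
Logon types follow the Windows convention (2 = interactive, 3 = network,
5 = service, 10 = remote interactive) purely as labels for the sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed 30-day baseline: (timestamp, account, source_host, logon_type)
BASELINE_EVENTS = [
    (datetime(2025, 2, 10, 8, 55), "alice", "WS-ALICE-01", 2),
    (datetime(2025, 2, 10, 9, 2), "alice", "FILESRV01", 3),
    (datetime(2025, 2, 11, 8, 50), "alice", "WS-ALICE-01", 2),
    (datetime(2025, 2, 11, 9, 1), "bob", "WS-BOB-07", 2),
    (datetime(2025, 2, 11, 2, 0), "svc_backup", "BACKUP01", 5),
    (datetime(2025, 2, 12, 2, 0), "svc_backup", "BACKUP01", 5),
]

# Constructed events for one day under review (2025-03-11 is a Tuesday).
NEW_EVENTS = [
    (datetime(2025, 3, 11, 9, 15), "alice", "WS-ALICE-01", 2),   # benign, as usual
    (datetime(2025, 3, 11, 10, 42), "alice", "VPN-GW01", 10),    # new host + new logon type, in business hours
    (datetime(2025, 3, 11, 2, 0), "svc_backup", "BACKUP01", 5),  # benign nightly job, outside hours
]


def build_baseline(events):
    """Map each account to the set of (source_host, logon_type) pairs it has used."""
    seen = defaultdict(set)
    for _ts, account, host, logon_type in events:
        seen[account].add((host, logon_type))
    return seen


def in_business_hours(ts):
    """Weekday, 08:00-18:00 local. The window a disciplined actor stays inside."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def time_of_day_alerts(events):
    """Naive heuristic: alert on any credential use outside business hours."""
    return [e for e in events if not in_business_hours(e[0])]


def pairing_alerts(events, baseline):
    """Alert when an account is used from a (host, logon_type) pair it has never used."""
    return [e for e in events if (e[2], e[3]) not in baseline.get(e[1], set())]


def compare_heuristics(new_events=NEW_EVENTS, baseline_events=BASELINE_EVENTS):
    """Return the accounts each heuristic flags, to show what each one misses."""
    baseline = build_baseline(baseline_events)
    by_time = {e[1] for e in time_of_day_alerts(new_events)}
    by_pairing = {e[1] for e in pairing_alerts(new_events, baseline)}
    return {"time_of_day": by_time, "pairing": by_pairing}


if __name__ == "__main__":
    result = compare_heuristics()
    print("time-of-day heuristic flags:", sorted(result["time_of_day"]))
    print("pairing heuristic flags:   ", sorted(result["pairing"]))
```

Run as a script it shows the asymmetry the paragraph describes: the time-of-day rule flags only the legitimate nightly service account (a false positive) and misses the business-hours use of alice's credentials from the VPN gateway, while the pairing rule flags exactly that new combination. In practice the baseline would be built from weeks of authentication logs and the pairing check combined with other context (geolocation, asset ownership, ticketing), but the principle holds: baseline what belongs, not when it happens.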
The Sectors Facing the Highest Exposure
Energy and utilities face the most acute Volt Typhoon exposure. Throughout 2025, Volt Typhoon's operations reflected a shift toward directly interacting with OT network-connected devices and stealing sensor and operational data, moving beyond IT espionage into operational systems.
Government and defense sit at the intersection of both groups. The U.S. Intelligence Community assesses that the PRC is the most active and persistent cyber threat to government institutions, with ambitions to hold critical infrastructure at risk and shape decision-making during a crisis.
Finance and telecommunications face both direct targeting and systemic dependency risk. Salt Typhoon's reach extends beyond telecoms to government, transportation, and military infrastructure networks globally, providing persistent access not just for espionage, but also for monitoring or disrupting essential services during peacetime or crisis.
If your organization operates within any of these sectors or depends on them as part of your supply chain, this threat is within your operational perimeter.
A Strategic Response Framework
The goal is not to achieve perfect visibility. Dragos CEO Rob Lee has stated that there are sites compromised by Volt Typhoon in the United States and NATO countries that "we will never find." The goal is to architect your environment so that access to IT systems cannot be translated into disruption of operational systems.
Treat the IT/OT boundary as your primary risk surface. The distance between those two environments, enforced by architecture rather than policy, determines how much an existing compromise can be weaponized.
Apply the CISA fundamentals without exception. The recommended baseline actions include patching, multi-factor authentication, robust logging, and end-of-life device management: controls that were absent or inconsistently applied in many compromised environments.
Move from software-only to hardware-enforced segmentation. Where OT systems control physical operations, the risk profile justifies architectural enforcement. Hardware-level controls eliminate the credential abuse pathway both groups rely on for lateral movement, because they enforce data flow at the physical layer, not the software layer that a credentialed adversary can already traverse.
Constrain third-party and vendor access paths. Both groups have exploited managed service provider and vendor credentials as entry points. Review and restrict all external access paths to your operational environment.
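The four framework steps above describe a boundary policy: data leaves the OT environment toward IT, nothing initiates into OT from IT, and vendor access reaches only an explicitly allowlisted endpoint. The following is an added example (not code from the original post or from DataFlowX) that audits a set of observed or configured flows against exactly that policy. Zone address ranges, endpoints and flows are constructed for illustration; a real audit would read them from firewall rule exports or flow logs.

```python
"""Audit network flows against a unidirectional IT/OT boundary policy.

Added example with constructed data. Zones use private and documentation
address ranges chosen for the example; replace with your own inventory.
Policy enforced here:
  1. No flow may have a destination inside the OT zone unless it originates
     inside OT (the boundary is one-way, OT -> IT, as a data diode enforces).
  2. Vendor-zone sources may reach only allowlisted (IP, port) endpoints.
"""
import ipaddress

# Constructed zone definitions (203.0.113.0/24 is a documentation range).
ZONES = {
    "OT": [ipaddress.ip_network("10.20.0.0/16")],
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "VENDOR": [ipaddress.ip_network("203.0.113.0/24")],
}

# The only endpoint a vendor source may reach: a constructed IT-side portal.
ALLOWED_VENDOR_ENDPOINTS = {("10.10.9.1", 443)}

# Constructed flows: (src_ip, dst_ip, dst_port, protocol)
OBSERVED_FLOWS = [
    ("10.20.1.5", "10.10.5.20", 514, "udp"),   # OT historian -> IT SIEM: allowed direction
    ("10.10.3.44", "10.20.1.5", 3389, "tcp"),  # IT workstation RDP into OT: violation
    ("203.0.113.7", "10.20.2.9", 22, "tcp"),   # vendor SSH straight into OT: violation
    ("203.0.113.7", "10.10.9.1", 443, "tcp"),  # vendor -> allowlisted portal: allowed
    ("10.10.3.44", "10.20.1.5", 502, "tcp"),   # IT host speaking Modbus into OT: violation
    ("10.20.1.5", "10.20.1.9", 502, "tcp"),    # intra-OT traffic: not policed here
]


def zone_of(ip):
    """Return the zone name containing ip, or 'EXTERNAL' if no zone matches."""
    addr = ipaddress.ip_address(ip)
    for name, networks in ZONES.items():
        if any(addr in net for net in networks):
            return name
    return "EXTERNAL"


def check_flow(flow):
    """Return a violation reason for this flow, or None if it complies."""
    src, dst, port, _proto = flow
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    # Rule 1: the OT boundary is one-way. Anything terminating in OT from
    # outside OT is a path that IT-side credential abuse could traverse.
    if dst_zone == "OT" and src_zone != "OT":
        return f"{src_zone} -> OT inbound path ({src} -> {dst}:{port})"
    # Rule 2: vendor sources are confined to the allowlisted endpoint(s).
    if src_zone == "VENDOR" and (dst, port) not in ALLOWED_VENDOR_ENDPOINTS:
        return f"vendor source reached non-allowlisted endpoint ({src} -> {dst}:{port})"
    return None


def audit_flows(flows=OBSERVED_FLOWS):
    """Return [(flow, reason)] for every flow that breaks the boundary policy."""
    findings = []
    for flow in flows:
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


if __name__ == "__main__":
    for flow, reason in audit_flows():
        print("VIOLATION:", reason)
```

The audit reports three findings for the constructed data: an RDP session and a Modbus connection from an IT host into OT, and a vendor SSH session terminating in OT. Note that the rule order matters for the vendor case: an inbound path into OT is reported as a boundary breach first, because that is the finding a sabotage capability would exploit, and the vendor allowlist only governs paths that stay on the IT side. A script like this is a review aid for rule sets and flow logs, not a substitute for enforcement; the text's point is that the boundary should be enforced by hardware so that the finding cannot exist in the first place.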
Lead Through the Moment of Crisis Before It Arrives
The Typhoon campaigns present a specific and time-sensitive leadership challenge. The access these groups have established was designed to be activated during a crisis, not during routine operations. The window to invest in architectural resilience is now, while the context still allows for deliberate decisions rather than emergency responses.
The organizations that maintain stakeholder confidence through that moment will be those that have already closed the architectural gap between their IT and operational environments with engineering controls that make lateral movement structurally impossible, not merely detectable.
The confidence to sustain operational continuity when adversaries activate pre-positioned access begins with the architectural decisions made before that moment arrives.
DataFlowX provides hardware-enforced cybersecurity solutions for critical infrastructure operators in energy, government, finance, transportation, and defense. To learn how DataDiodeX enforces IT/OT boundary protection at the hardware level, contact our team.