Introduction: The Hidden Threat in the Supply Chain
Supply chains have always carried an unavoidable level of unease. No matter how tight your perimeter is, there’s a nonzero chance that something introduced from a trusted partner might be compromised and subsequently end up compromising you. Volt Typhoon more than justifies that unease. Publicly identified by Microsoft [1] on May 24, 2023, they were observed targeting critical infrastructure in the United States [2]. Since then, they have carried on prepositioning for potential future destructive attacks, seemingly undeterred by counterattacks such as the FBI’s takedown of their KV botnet [3]. Though Microsoft didn’t issue an advisory on Volt Typhoon until 2023, this APT (advanced persistent threat) group has been lurking on the periphery for years now, a latent threat waiting for the opportune moment to strike.
As a state-sponsored threat actor linked to the PRC (People’s Republic of China), Volt Typhoon isn’t interested in the loud theatrics of ransomware or defacement. It’s playing the long game — stealth, persistence, and pre-positioning itself in U.S. critical infrastructure. Not espionage for espionage’s sake, but for the sake of access. And lately, that access has come not through brute force, but through the cracks in our supply chain. Outdated routers still hanging on past their end-of-life dates. Third-party software components with names you’ve never heard of, but that your infrastructure depends on. The scary thing? This isn’t novel — it’s just efficient. The battlefield has shifted, and it’s not in your firewalls. It’s in the update server you whitelisted for expediency—sometimes against your better judgment.
Volt Typhoon’s Method: Exploiting the Supply Chain
As mentioned earlier, Volt Typhoon doesn’t rely on flashy malware meant to inspire shock and horror. Their real weapon is trust—misplaced trust in systems, vendors, and everyday software tools. What makes them formidable isn’t just technical sophistication—it’s their near-invisible maneuvering through the supply chain, their stealth aided by LOTL (living off the land) techniques. Let’s talk about how Volt Typhoon misuses trust and leverages these cracks in the supply chain:
- Repurposed routers from internet-facing networks: Neglect and circumstance leave these routers vulnerable, and Volt Typhoon deftly compromises them, proxies traffic through them, and sets them up as launch points for attacks [4]. By hijacking hundreds of end-of-life Cisco and Netgear privately-owned SOHO (small office/home office) routers, Volt Typhoon quietly converted these overlooked devices into the KV Botnet. These compromised routers—many of them long past vendor support—had been forgotten by their owners and were turned into mines in a battlefield only Volt Typhoon controlled. In this case, hardware wasn’t the target; it was the smokescreen that concealed the KV malware the Chinese state actors set up. Despite the FBI’s major takedown of the KV botnet in January 2024, this attack vector remains a tool frequently used to this day.
- Third-party edge devices and unpatched software: These are supply chain weak links hiding in plain sight. Volt Typhoon doesn’t bash the door in—they let themselves in with the keys that unwary owners have oh-so-helpfully left under the mat. Their favorite entry points are unpatched VPN appliances and firewalls — software-driven systems like Citrix ADC and Fortinet that are often built and maintained by third-party vendors and deployed at the edge of critical networks. These are not obscure components; they’re foundational elements in our infrastructure that depend on regular updates and vendor-provided patching to remain secure. However, since they’re both easily forgotten and difficult to address if they’re legacy or EOL, they often wind up running outdated firmware long after the last security update. The result is a quiet but potent vulnerability—not so much a product of outright negligence as a consequence of hidden dependencies and limited visibility. And Volt Typhoon exploits this ruthlessly, using “publicly available exploit code for known vulnerabilities” [5], and, in some cases, likely developing or acquiring zero-days of their own. In this context, the supply chain isn’t just an abstract concept—it’s the real-world web of trust we’ve extended to vendors, integrators, and update servers. And that trust has a shelf life.
- Native tools serving as camouflage: PowerShell. WMIC. ntdsutil. These aren’t “malware”—they’re core components of Windows, embedded in enterprise environments by design. Volt Typhoon’s use of these tools lets them blend in completely with IT operations, since they won’t set off alarms. Instead, it looks like business as usual, giving Volt Typhoon plenty of time and space to burrow in and camp out as geopolitical tensions continue to build. This isn’t exploiting a vulnerability—it’s exploiting the normal. And the tools they use to blend in? They’re bundled in with every endpoint, every image, and every software stack your supply chain touches.
- Credential chains as a backdoor to OT: Once inside, they extract domain controller data—the NTDS.dit file—crack it offline, and test which accounts let them pivot into OT environments. Sometimes that’s direct access to a vCenter server sitting next to a PLC, and sometimes it’s default OT vendor credentials that haven’t been changed since deployment.
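The two points above (native tools as camouflage, and NTDS.dit extraction feeding a credential chain) are where defenders can still catch the faint ripples: the tools are legitimate, but the way they are invoked is not. The following is an added example, not code from the original article or from any product it mentions. It runs a handful of command-line detection rules over constructed process-creation records (the fields a Sysmon Event ID 1 or Security 4688 event would carry) and then correlates flagged activity by account across hosts, which is the pattern you would expect when one harvested service account is reused to pivot. Hostnames, usernames, the rule names and the sample command lines are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation records; hostnames, users and command lines are invented.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "svc_backup", "parent": "cmd.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\x" q q'},
    {"host": "FS02", "user": "jdoe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Reports"},
    {"host": "FS02", "user": "svc_backup", "parent": "wmiprvse.exe",
     "cmdline": 'wmic /node:"VCENTER-MGMT" process call create "cmd.exe /c dir C:\\Users"'},
    {"host": "WS17", "user": "mchen", "parent": "cmd.exe",
     "cmdline": "powershell.exe -NonInteractive -w hidden -enc UwBhAG0AcABsAGUA"},
    {"host": "DC01", "user": "SYSTEM", "parent": "services.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

# Detection rules keyed by a descriptive name. Each pattern targets how a native
# tool is being used (an IFM export of the directory database, remote process
# creation via WMIC, hidden or encoded PowerShell), not the tool's mere presence.
RULES = {
    "ntds_export_via_ntdsutil": re.compile(
        r"ntdsutil.*?(\bifm\b|create\s+full)", re.I),
    "wmic_remote_process_create": re.compile(
        r"wmic.*?/node:.*?process\s+call\s+create", re.I),
    "powershell_encoded_or_hidden": re.compile(
        r"powershell.*?(\s-e(c|nc|ncodedcommand)\b|-w(indowstyle)?\s+hidden)", re.I),
}


def scan(events):
    """Return one finding per (event, matching rule), preserving event order."""
    findings = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                findings.append({"rule": name, "host": ev["host"], "user": ev["user"],
                                 "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return findings


def users_on_multiple_hosts(findings, min_hosts=2):
    """Accounts whose flagged activity spans several hosts: a lateral-movement signal
    worth triaging before it reaches the OT side."""
    hosts_by_user = defaultdict(set)
    for f in findings:
        hosts_by_user[f["user"]].add(f["host"])
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["host"]:5} {h["user"]:11} {h["rule"]:30} parent={h["parent"]}')
    print("accounts active on multiple hosts:", users_on_multiple_hosts(hits))
```

The benign `Get-ChildItem` invocation on FS02 is deliberately left unflagged: the goal is to alert on the invocation shape an administrator would not normally use, so the rules stay quiet during ordinary IT operations and fire on the drift the article describes.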
The Impact on Operational Technology Systems
Once they have access, Volt Typhoon doesn’t immediately start flipping switches or shutting things down. That would be too obvious. Instead, they camp out—sometimes for nearly a year [6]. In one incident, they quietly moved from a file server to a vCenter system next to OT assets, gathering PuTTY profiles that included login sessions to substations and water treatment plants.
This wasn’t a crime of convenience; it was meticulously staged. Think: access points to HVAC controllers in server rooms or camera systems in water utilities—not because they needed those things immediately, but because they might someday. A fuse tucked away in your basement until the day someone decides to light it.
Dragos and CISA both confirmed Volt Typhoon’s exfiltration of SCADA and relay documentation. That kind of intelligence isn’t useful for reselling or bragging rights; it’s useful for planning outages, foreshadowing the damage they can deal once the fuse is lit.
General Strategies for Strengthening Supply Chain Security
Despite Volt Typhoon’s dormant behavior so far, it’s all too obvious that securing the supply chain won’t be a matter of hypothetical ideal best practices for long. It is now operational defense that needs to be firmly nailed down before it’s too late. Here are a few things that need to change while there’s still time to make the changes:
Vendor Due Diligence
Scrutinize not just who your vendors are, but who they trust. Know what security protocols are in place. CISA now recommends vetting for foreign ownership, control, or influence (FOCI), especially for anything touching critical systems.
Software Bill of Materials (SBOMs)
Know what’s running in your environment—including open-source dependencies bundled in by third parties. If a critical vulnerability or a severe incident from your supplier drops tomorrow, you don’t want to waste precious time painstakingly hunting through changelogs to find out if you’re affected.
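What that looks like in practice is a machine-readable SBOM that you can query the moment an advisory lands. The following is an added example, not code from the original article: it parses a constructed CycloneDX-style JSON SBOM for a fictional OT HMI product, walks nested components (the ones a third party bundled in, which are exactly the ones changelogs miss), and reports every component that falls inside an advisory's affected version range along with the bundling path that brought it in. The product, component names, version numbers and advisory identifiers are invented; the "introduced"/"fixed" range form is a simplification of real vulnerability feeds, assumed here for clarity.

```python
import json

# Constructed CycloneDX-style SBOM for a fictional OT HMI product. Note the
# component bundled inside "bundled-web-console": it ships an older tls-shim
# than the one the top-level product declares.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "vendor-hmi-suite", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "sqlite", "version": "3.44.0", "purl": "pkg:generic/sqlite@3.44.0"},
    {"type": "application", "name": "bundled-web-console", "version": "2.1.0",
     "purl": "pkg:generic/bundled-web-console@2.1.0",
     "components": [
       {"type": "library", "name": "tls-shim", "version": "1.0.1", "purl": "pkg:generic/tls-shim@1.0.1"},
       {"type": "library", "name": "jsonlib", "version": "0.9.7", "purl": "pkg:generic/jsonlib@0.9.7"}
     ]},
    {"type": "library", "name": "tls-shim", "version": "1.0.4", "purl": "pkg:generic/tls-shim@1.0.4"}
  ]
}
'''

# Constructed advisories with placeholder IDs. "introduced" is inclusive,
# "fixed" is exclusive, so a component at exactly the fixed version is clean.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "tls-shim", "introduced": "1.0.0", "fixed": "1.0.2"},
    {"id": "ADV-EXAMPLE-002", "name": "jsonlib", "introduced": "0.9.0", "fixed": "0.9.7"},
]


def parse_version(v):
    """Dotted numeric versions compared as tuples; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def walk(components, path=()):
    """Depth-first over components and their nested components, yielding the
    bundling path so a hit can be traced back to the product that shipped it."""
    for c in components:
        here = path + (f'{c["name"]}@{c["version"]}',)
        yield c, here
        yield from walk(c.get("components", []), here)


def is_affected(version, adv):
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def affected_components(sbom_text, advisories):
    sbom = json.loads(sbom_text)
    hits = []
    for comp, path in walk(sbom.get("components", [])):
        for adv in advisories:
            if comp["name"] == adv["name"] and is_affected(comp["version"], adv):
                hits.append({"advisory": adv["id"], "component": comp["name"],
                             "version": comp["version"], "path": " > ".join(path)})
    return hits


if __name__ == "__main__":
    for hit in affected_components(SBOM_JSON, ADVISORIES):
        print(f'{hit["advisory"]}: {hit["component"]} {hit["version"]} via {hit["path"]}')
```

The top-level `tls-shim@1.0.4` is clean, which is what a changelog would tell you; the vulnerable `1.0.1` only surfaces because the walk descends into what the bundled console carries. A real deployment would match on package URLs and on proper version-range notation rather than bare names and dotted tuples, but the shape of the check is the same.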
Patching Discipline — Even for Legacy Tech
SOHO routers and firewall devices were Volt Typhoon’s bread and butter. Often these devices can’t be upgraded, either because they are EOL or because their OT environment limits them. If you can’t upgrade, virtual patching can act as a shield—buying time and preventing exploits without requiring reboots or risking downtime. For cutting-edge patching strategies, you can consult our recently published security report for its chapter on patching [7].
Segmentation Between IT and OT
It’s 2025. If your PLCs are one RDP (remote desktop protocol) hop away from your internet-facing HR portal, you are inviting trouble. Firewalls, jump boxes, and DMZs are not optional—they’re the minimum required for containing the blast radius.
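One way to find out how many hops your PLCs really are from an internet-facing host is to treat the firewall allow rules as a graph and search it. The following is an added example, not code from the original article: it models a flat ruleset of the kind the paragraph warns about beside a segmented one with a jump host, and reports every path from an internet-facing host into the OT zone, how many hops it takes, and whether RDP is one of the hops. The hostnames, zones and rules are constructed; a real check would be fed from exported firewall policy and the asset inventory.

```python
from collections import deque

# Constructed inventory: host -> zone.
HOSTS = {
    "hr-portal": "internet-facing",
    "eng-ws01": "corporate-it",
    "jump01": "ot-dmz",
    "plc-01": "ot",
}

# Allow rules as (source host, destination host, TCP port). Both sets are constructed.
# The flat ruleset: an internet-facing portal can RDP to an engineering workstation,
# which can RDP straight to a PLC. Two hops, no barrier.
FLAT_RULES = [("hr-portal", "eng-ws01", 3389), ("eng-ws01", "plc-01", 3389)]
# The segmented ruleset: nothing internet-facing reaches inward; engineering goes
# through a jump host, and the jump host speaks only the ICS protocol port to the PLC.
SEGMENTED_RULES = [("eng-ws01", "jump01", 3389), ("jump01", "plc-01", 502)]


def paths_into_zone(rules, hosts, start, target_zone):
    """Breadth-first search over allow rules. Returns every loop-free path from
    `start` to a host in `target_zone`, each as a list of (host, port_used_to_reach_it)."""
    adjacency = {}
    for src, dst, port in rules:
        adjacency.setdefault(src, []).append((dst, port))
    found = []
    queue = deque([[(start, None)]])
    while queue:
        path = queue.popleft()
        host = path[-1][0]
        if hosts.get(host) == target_zone:
            found.append(path)
            continue
        for dst, port in adjacency.get(host, []):
            if all(dst != h for h, _ in path):  # avoid cycles
                queue.append(path + [(dst, port)])
    return found


def ot_exposure_report(rules, hosts, internet_zone="internet-facing", ot_zone="ot"):
    """For each internet-facing host, list the paths that land in the OT zone."""
    report = []
    for host, zone in hosts.items():
        if zone != internet_zone:
            continue
        for path in paths_into_zone(rules, hosts, host, ot_zone):
            report.append({
                "from": host,
                "hops": len(path) - 1,
                "uses_rdp": any(port == 3389 for _, port in path[1:]),
                "path": [h for h, _ in path],
            })
    return report


if __name__ == "__main__":
    print("flat ruleset:     ", ot_exposure_report(FLAT_RULES, HOSTS))
    print("segmented ruleset:", ot_exposure_report(SEGMENTED_RULES, HOSTS))
```

With the flat ruleset the report shows the PLC two RDP hops from the HR portal; with the segmented ruleset it is empty, and even an engineering workstation can only reach the PLC through the jump host, on the protocol port rather than RDP. Running this against real policy exports is a quick way to check that a DMZ actually breaks the chain rather than just adding a hop to it.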
Adopt Secure-by-Design Procurement
OT software needs to be secure out of the box. Not every vendor gets that. Push for security as part of product design, and do not settle for a patch slapped on post-sale. CISA’s Secure by Design guidelines [8] offer a good starting point.
Your Own OT Defense Playbook: Visibility, Verification, and Vigilance
Volt Typhoon’s playbook isn’t flashy—it’s slow, careful, and methodical. Which means the best counter isn’t flashy either. It’s about removing their hiding places, denying them footholds, and catching the faint ripples before the splash.
- Behavioral Detection Where It Matters: You’re not looking for malware—you’re looking for unexpected change. TXOne Networks’ CPSDR (Cyber-Physical Systems Detection and Response) model offers agent-level fingerprinting to detect when device behavior starts to drift. If a bot slips past the firewall, it should still trip an alarm the moment it tries to tweak relay behavior or reconfigure logic blocks. TXOne Stellar doesn’t rely on signatures or threat intel that might show up three weeks too late. In environments where Volt Typhoon blends in with native tools, Stellar gives defenders a baseline to measure against and something actionable to move on.
- Deep Visibility and Segmentation for OT: TXOne Edge provides the eyes and barriers that air-gapped networks were supposed to give us—before we connected everything. From Layer 2 to Layer 7, Edge maps traffic, inspects ICS protocols, and enforces least privilege. That means when a compromised update server or third-party vendor tries to reach deeper than it should, you’ll know—and it won’t get far.
- Don’t Trust, Inspect: The supply chain isn’t just upstream code or firmware. Sometimes it brazenly strolls in through the front gate. Portable Inspector lets you screen third-party assets before they’re introduced to your environment, providing fast, policy-driven assessment and threat detection—no assumptions, no blind spots. These tools aren’t about paranoia—they’re about clarity and control. The more you know what should be there, the sooner you’ll know something’s off. And when your adversary’s strategy is to blend in and wait, clarity isn’t a luxury—it’s your saving grace.
Conclusion: Proactive Measures for a Resilient Future
Volt Typhoon doesn’t need to be in a hurry. It’s already inside. The question isn’t if it will act, but when, and with what magnitude of destruction. Supply chain compromise is no longer a theoretical vector—it’s the foothold of choice for patient, state-aligned actors. That means organizations concerned with OT cybersecurity need to stop thinking of supply chains as just a matter of procurement. It’s an operational concern. The faster we approach it correctly as such, the harder it’ll be for intruders to pluck the keys from under the mat, stroll in, and make themselves at home.
[5] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
[6] https://www.dragos.com/wp-content/uploads/2025/03/Dragos_Littleton_Electric_Water_CaseStudy.pdf