4 min read · By Jeremy Wilson

What Volt Typhoon Means for Your Business

Tags: nation-state, supply-chain, critical-infrastructure, threat-intelligence

The Threat in Plain English

Volt Typhoon is a Chinese state-sponsored hacking operation that U.S. intelligence agencies describe not as espionage, but as pre-positioning for disruption. FBI Director Christopher Wray put it bluntly: these actors are "pre-positioning to cause real-world harm" to American infrastructure in the event of a geopolitical conflict.

Unlike typical cyberattacks that steal data and disappear, Volt Typhoon operators are gaining access to critical systems — energy, water, communications, transportation — and staying hidden for years, waiting.

This isn't theoretical. In March 2026, Dragos reported that Voltzite (linked to Volt Typhoon) was actively manipulating engineering workstations inside U.S. energy and pipeline networks, mapping what conditions would trigger process shutdowns.

Why Mid-Market Companies Should Care

"We're not critical infrastructure." You might not be — but your vendors, customers, or partners might be. And Volt Typhoon specifically targets the supply chain to reach larger targets.

Here's how it works:

1. Compromised SOHO Routers

Volt Typhoon hijacks small office and home office network equipment (routers, firewalls, VPNs) to hide their traffic. In January 2024, the FBI disrupted the KV Botnet — hundreds of compromised routers the group was using as relay infrastructure.

If your remote workers use consumer-grade equipment, you could be part of their infrastructure without knowing it.

2. Access Brokers Working in Tandem

Related groups like Sylvanite specialize in rapidly exploiting edge devices — Ivanti, F5, Palo Alto, Citrix VPNs — and handing access off to Volt Typhoon for deeper infiltration.

In May 2025, Sylvanite exploited an Ivanti EPMM zero-day at a U.S. utility before Ivanti issued a patch. That unpatched appliance in your network? It's a doorway.

3. Living Off the Land

These attackers don't drop obvious malware. They use PowerShell, legitimate admin tools, and stolen credentials to blend in with normal activity.

Here's the sobering reality: fewer than 5% of environments have the PowerShell logging needed to detect this activity.

The Bottom Line

Your company isn't the destination. It's the doorway.

A compromised mid-market firm becomes a stepping stone to larger targets — and a legal and reputational liability when the breach is traced back to you.

What's Changed Recently

Date       Development
---------  -----------------------------------------------------------------------------------------------
Jan 2024   FBI disrupts KV Botnet — hundreds of compromised routers used by Volt Typhoon
Feb 2024   CISA, FBI, NSA issue joint advisory warning of "pre-positioning" in critical infrastructure
May 2025   Sylvanite exploits Ivanti EPMM zero-day at U.S. utility before patch released
Mar 2026   Dragos reports Voltzite actively mapping U.S. energy/pipeline networks, manipulating engineering workstations

The threat has escalated from access to active reconnaissance for disruption.

Five Things to Do This Week

1. Audit Your Edge Devices

Inventory all internet-facing appliances — VPNs, firewalls, routers. Check firmware versions against known vulnerabilities. Prioritize Ivanti, F5, Fortinet, Palo Alto, and Citrix.

2. Patch Aggressively

Volt Typhoon-linked groups weaponize zero-days within days of disclosure. If you're waiting for a maintenance window, you're already behind.

3. Enable PowerShell Logging

Most organizations lack visibility into living-off-the-land techniques. Enable Script Block Logging, Module Logging, and forward logs to a SIEM. This is table stakes for detecting this type of activity.
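As an added example (not part of the original post), the following PowerShell script turns on the two logging settings named above through the same policy registry keys that Group Policy writes, enlarges the PowerShell Operational log so events survive long enough to reach the SIEM forwarder, and verifies the result. The function names and the 256 MB log size are this example's own choices; run it from an elevated session on the endpoint being configured.

```powershell
# Added example: enable Script Block Logging (Event ID 4104) and Module Logging
# (Event ID 4103), raise the Operational log size, then verify. Function names
# and the log size are assumptions of this example; registry paths are the
# standard PowerShell policy keys that Group Policy manages.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$OpLog      = 'Microsoft-Windows-PowerShell/Operational'

function Enable-PowerShellLogging {
    # Script Block Logging records the de-obfuscated content of every script
    # block that executes, which is what exposes living-off-the-land activity.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Module Logging records pipeline execution details for the listed modules;
    # a '*' entry covers every module instead of a hand-picked few.
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

    # The Operational log defaults to 15 MB and wraps quickly once 4104 events
    # flow; 256 MB is an assumed value, tune it to your forwarding interval.
    $cfg = Get-WinEvent -ListLog $OpLog
    $cfg.MaximumSizeInBytes = 256MB
    $cfg.IsEnabled = $true
    $cfg.SaveChanges()
}

function Test-PowerShellLogging {
    # Reports whether both policy values are set, whether the log is enabled,
    # and how many recent 4104 events exist (0 means nothing is being captured).
    $sbl = (Get-ItemProperty -Path (Join-Path $PolicyRoot 'ScriptBlockLogging') -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $ml  = (Get-ItemProperty -Path (Join-Path $PolicyRoot 'ModuleLogging') -ErrorAction SilentlyContinue).EnableModuleLogging
    $recent = @(Get-WinEvent -LogName $OpLog -FilterXPath '*[System[EventID=4104]]' -MaxEvents 5 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ScriptBlockLogging = ($sbl -eq 1)
        ModuleLogging      = ($ml -eq 1)
        OperationalLogOn   = (Get-WinEvent -ListLog $OpLog).IsEnabled
        Recent4104Events   = $recent.Count
    }
}

Enable-PowerShellLogging
Test-PowerShellLogging | Format-List
```

In a domain, push the same keys through a GPO rather than per host, and point your SIEM agent at the Microsoft-Windows-PowerShell/Operational channel so the 4103 and 4104 events actually leave the machine.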

4. Review Remote Access Security

Require corporate-managed devices for VPN access. Consumer routers are actively targeted as relay infrastructure. Your remote workforce could be the weak link.

5. Assess Your Supply Chain Risk

If you provide services to critical infrastructure, energy, or defense sectors, you are part of their attack surface. Document your security posture and be ready to prove it.

The Conversation to Have with Your Board

Volt Typhoon isn't about if — it's about when. The question isn't whether nation-state actors are targeting companies your size. The questions are:

  • Can we detect living-off-the-land activity in our environment today?
  • Are we a liability to our enterprise customers and partners?
  • What's our exposure if we become a headline?

These aren't IT questions. They're business risk questions.


Need Help Assessing Your Exposure?

At VISO Group, we provide virtual CISO services for mid-market companies that need enterprise-grade security guidance without enterprise budgets.

Our threat-informed approach evaluates your environment against real-world threats like Volt Typhoon — not just compliance checkboxes.



Sources: CISA Joint Advisory AA24-038A, Microsoft Threat Intelligence, Dragos 2026 ICS/OT Cybersecurity Report, FBI/DOJ KV Botnet Disruption Announcement

About the Author

Jeremy Wilson is the founder of VISO Group, providing virtual CISO services and security solutions for mid-market companies. He brings nearly two decades of experience spanning military service and corporate security leadership.
