Volt Typhoon (also known as VANGUARD PANDA, BRONZE SILHOUETTE, Redfly, Insidious Taurus, Dev-0391, Storm-0391, UNC3236, or VOLTZITE) is an advanced persistent threat engaged in cyberespionage, reportedly on behalf of the People's Republic of China. Active since at least mid-2021, the group is known to primarily target United States critical infrastructure. Volt Typhoon focuses on espionage, data theft, and credential access.

According to Microsoft, the group goes to great lengths to avoid detection, and its campaigns prioritize capabilities which enable China to sabotage critical communications infrastructure between the US and Asia during potential future crises.

The US government believes the group's goal is to slow down any potential US military mobilization that may come following a Chinese invasion of Taiwan. Volt Typhoon is believed to be run by a unit of the People's Liberation Army. The Chinese government denies the group exists.
Names
''Volt Typhoon'' is the name currently assigned to the group by Microsoft, and is the most widely used name for the group. The group has also been variously referred to as:
* ''Dev-0391'' (by Microsoft, initially)
* ''Storm-0391'' (by Microsoft, initially)
* ''BRONZE SILHOUETTE'' (by Secureworks, a subsidiary of Dell)
* ''Insidious Taurus'' (by Palo Alto Networks Unit 42)
* ''Redfly'' (by Gen Digital, formerly Symantec)
* ''UNC3236'' (by Mandiant, a subsidiary of Google)
* ''VANGUARD PANDA'' (by CrowdStrike)
* ''VOLTZITE'' (by Dragos)
Methodology
According to a joint publication by all of the cybersecurity and signals intelligence agencies of the Five Eyes, Volt Typhoon's core tactics, techniques, and procedures (TTPs) include living off the land: using built-in network administration tools to perform their objectives and blending in with normal Windows system and network activities. This tactic avoids endpoint detection and response (EDR) programs, which would alert on the introduction of third-party applications to the host, and limits the amount of activity captured in default logging configurations. Some of the built-in tools used by Volt Typhoon are: wmic, ntdsutil, netsh, and PowerShell.
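Because these are legitimate administration binaries, a single execution is rarely a useful alert; one defensive heuristic is to look for several of them being run by the same account on the same host inside a short window. The following is an added example, not code from the article or from any of the cited vendors: it runs that check over constructed process-creation records (Windows 4688-style fields, invented here), with the window and threshold chosen as assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows tools named in the article as used for living off the land.
LOTL_TOOLS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# Constructed sample process-creation events (4688-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:10:05", "host": "dc01", "user": "svc-backup",
     "image": r"C:\Windows\System32\ntdsutil.exe"},
    {"ts": "2024-05-01T02:11:40", "host": "dc01", "user": "svc-backup",
     "image": r"C:\Windows\System32\wbem\wmic.exe"},
    {"ts": "2024-05-01T02:13:02", "host": "dc01", "user": "svc-backup",
     "image": r"C:\Windows\System32\netsh.exe"},
    # Ordinary admin use spread over a day should not cluster.
    {"ts": "2024-05-01T09:30:00", "host": "ws07", "user": "alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-05-02T14:00:00", "host": "ws07", "user": "alice",
     "image": r"C:\Windows\System32\netsh.exe"},
]


def image_name(path):
    """Basename of a Windows image path, lower-cased for matching."""
    return path.rsplit("\\", 1)[-1].lower()


def lotl_clusters(events, window=timedelta(minutes=30), min_distinct=2):
    """Return {(host, user): [tools]} for actors that ran at least
    `min_distinct` different LOTL tools within any `window`-long span.
    Window and threshold are assumed tuning values, not vendor guidance."""
    by_actor = defaultdict(list)
    for e in events:
        name = image_name(e["image"])
        if name in LOTL_TOOLS:
            by_actor[(e["host"], e["user"])].append(
                (datetime.fromisoformat(e["ts"]), name))
    hits = {}
    for actor, runs in by_actor.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):  # slide the window over each start time
            tools = {n for t, n in runs[i:] if t - t0 <= window}
            if len(tools) >= min_distinct:
                hits[actor] = sorted(tools)
                break
    return hits


if __name__ == "__main__":
    print(json.dumps({f"{h}/{u}": t for (h, u), t in lotl_clusters(SAMPLE_EVENTS).items()}, indent=2))
```

Tune the window and threshold against your own baseline of administrative activity; the point is correlation of the tools the article names, not any one binary.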
The group initially uses malicious software that penetrates internet-connected systems by exploiting vulnerabilities such as weak administrator passwords, factory default logins and devices that have not been updated regularly.
Once they gain access to a target, they put a strong emphasis on stealth, almost exclusively relying on living-off-the-land techniques and hands-on-keyboard activity.
Volt Typhoon rarely uses malware in their post-compromise activity. Instead, they issue commands via the command line to first collect data, including credentials from local and network systems, put the data into an archive file to stage it for exfiltration, and then use the stolen valid credentials to maintain persistence.
Some of these commands appear to be exploratory or experimental, as the operators adjust and repeat them multiple times. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open source tools to establish a command and control (C2) channel over proxy to further remain hidden.
In many ways, Volt Typhoon functions similarly to traditional botnet operators, taking control of vulnerable devices such as routers and security cameras to hide and establish a beachhead in advance of using that system to launch future attacks. Operating this way makes it difficult for cybersecurity defenders to accurately identify the source of an attack.
According to Secureworks (a division of Dell), Volt Typhoon's interest in operational security "likely stemmed from embarrassment over the drumbeat of US indictments [of Chinese state-backed hackers] and increased pressure from Chinese leadership to avoid public scrutiny of its cyberespionage activity."
According to cybersecurity researcher Ryan Sherstobitoff, "Unlike attackers who vanish when discovered, this adversary digs in even deeper when exposed".
Notable campaigns
Attacks on US Navy
The US government has repeatedly detected activity on systems in the US and Guam designed to gather information on U.S. critical infrastructure and military capabilities, but Microsoft and the agencies said the attacks could be preparation for a future attack on U.S. critical infrastructure.
Singtel breach
In June 2024, Singtel was breached by Volt Typhoon. Following a report by Bloomberg News in November 2024, Singtel responded that it had "eradicated" malware from the threat.
Responses
In January 2024, the FBI announced that it had disrupted Volt Typhoon's operations by undertaking court-authorized operations to remove malware from US-based victim routers, and taking steps to prevent reinfection.

In March 2025, the United States House Committee on Homeland Security requested that the Department of Homeland Security turn over documents on the federal government's response to the hacking.
Response from China
The Chinese government denied any involvement in Volt Typhoon and stated that Volt Typhoon is a misinformation campaign by U.S. intelligence agencies, according to state media outlet Xinhua News Agency and China's National Computer Virus Emergency Response Center (CVERC).

In April 2025, ''The Wall Street Journal'' and other outlets reported that Chinese officials had made an indirect "tacit admission" of China's involvement in Volt Typhoon at a meeting in Geneva in December 2024.
See also
* Cyberwarfare and China
* Chinese information operations and information warfare
* Chinese espionage in the United States