Volt Typhoon is the name assigned by Microsoft to a cyber-espionage cluster that U.S. and allied intelligence agencies attribute to the People's Republic of China. The group was publicly disclosed in a joint advisory on 24 May 2023 issued by Microsoft alongside the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and partner agencies in Australia, Canada, New Zealand, and the United Kingdom (the Five Eyes).
Unlike many Chinese intrusion sets historically focused on intellectual-property theft, Volt Typhoon's targeting profile suggested operational preparation of the environment — quiet, long-dwell access inside U.S. critical infrastructure that could be used to disrupt or destroy services during a future crisis, particularly a conflict over Taiwan. Reported victim sectors include communications, energy, water, transportation, and the maritime base on Guam, a strategically important U.S. military hub in the Pacific.
The group is known for "living-off-the-land" tradecraft: instead of deploying custom malware, operators use built-in Windows tools (PowerShell, wmic, netsh, ntdsutil) and route traffic through compromised small-office/home-office (SOHO) routers — often end-of-life Cisco, NetGear, and Fortinet devices — to blend in with normal network activity and frustrate detection.
In January 2024, the U.S. Department of Justice and FBI announced a court-authorized operation that disrupted the "KV Botnet," a network of hijacked SOHO routers used by Volt Typhoon. In congressional testimony that month, FBI Director Christopher Wray described the campaign as part of Beijing's effort to "wreak havoc" on U.S. infrastructure. China's foreign ministry has denied the attributions and accused Washington of fabricating evidence.
For policy researchers, Volt Typhoon is frequently cited in debates over deterrence in cyberspace, critical-infrastructure resilience mandates, and the security of consumer networking equipment.
Example
In January 2024, the U.S. Department of Justice announced that an FBI-led operation had disrupted a botnet of hundreds of compromised routers used by Volt Typhoon to obscure intrusions into U.S. critical infrastructure.
Frequently asked questions
Microsoft, the NSA, CISA, the FBI, and Five Eyes partner agencies in the UK, Canada, Australia, and New Zealand publicly attributed the activity to a PRC state-sponsored actor in a joint advisory in May 2023.
Keep learning