The Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation issued a joint advisory on January 11, 2026, warning that Chinese state-sponsored threat actor Volt Typhoon has been discovered pre-positioned in previously unreported segments of US critical infrastructure. The advisory reveals persistent access in the water, energy, and transportation sectors, with some compromises undetected for 12-18 months.
Advisory overview
| Attribute | Details |
|---|---|
| Advisory date | January 11, 2026 |
| Issuing agencies | CISA, NSA, FBI |
| International partners | Five Eyes (Australia, Canada, NZ, UK) |
| Threat actor | Volt Typhoon |
| Attribution | Chinese state-sponsored (PRC) |
| Mission | Pre-positioning for potential future disruption |
Newly discovered compromises
Incident response engagements between August 2025 and January 2026 uncovered Volt Typhoon footholds across multiple sectors:
Water and wastewater
| Finding | Details |
|---|---|
| Affected facilities | Municipal water treatment in 4+ states |
| Access level | Operational technology (OT) networks |
| Capability | Control of chemical treatment processes |
| Dwell time | 12-18 months undetected |
Energy sector
| Finding | Details |
|---|---|
| Affected utilities | Regional electric utilities (Midwest, Southeast) |
| Access level | IT and OT environments |
| Populations served | Multiple states |
| Dwell time | 12-18 months undetected |
Transportation
| Finding | Details |
|---|---|
| Affected systems | Port authority networks, freight rail signaling |
| Geographic focus | East Coast |
| Access level | Logistics management platforms |
| Dwell time | 12-18 months undetected |
Assessment: Pre-positioning, not espionage
The advisory emphasizes a critical distinction:
“During investigations, the agencies discovered that Volt Typhoon activity did not align with cyber espionage purposes. The U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions.”
| Traditional Espionage | Volt Typhoon Behavior |
|---|---|
| Data exfiltration | Minimal data theft |
| Intelligence gathering | Access maintenance |
| Active operations | Dormant footholds |
| Immediate objectives | Future disruption capability |
The assessment indicates preparation for potential sabotage during a future geopolitical crisis, not current intelligence collection.
Living-off-the-land tradecraft
Volt Typhoon’s operational tradecraft relies almost exclusively on legitimate system tools, making detection exceptionally difficult.
Techniques observed
| Category | Technique |
|---|---|
| Initial access | Exploiting vulnerabilities in internet-facing appliances |
| C2 infrastructure | Compromised SOHO routers and VPN appliances as relay nodes |
| Credential harvesting | ntdsutil and volume shadow copies to extract the Active Directory database (NTDS.dit) |
| Lateral movement | PowerShell, WMI, Remote Desktop Protocol |
| Persistence | Native Windows scheduled tasks, services |
| Defense evasion | Log deletion, timestamp manipulation |
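Because every tool in the table is a legitimate Windows binary, detection has to key on how the tool is invoked rather than on the tool itself. The following is an added example, not code from the advisory or from CISA: it matches process-creation events against the argument shapes that only the abusive uses above produce, then escalates when one account chains several of them on one host. The event fields, host and account names, and command lines are constructed for the illustration; in practice the records would come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled.

```python
"""Behavioral detection of living-off-the-land tool abuse (added example).

Matches process-creation events against narrow command-line patterns for
the credential-access, execution and persistence techniques described above,
and escalates (host, user) pairs that chain two or more of them.
"""
import re
from dataclasses import dataclass

# Constructed sample events; field names are illustrative, not a vendor schema.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe", "image": "ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q'},
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "WS042", "user": "CORP\\jdoe", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "FS01", "user": "CORP\\admin2", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 30 /tn "Updater" /tr C:\\ProgramData\\u.cmd /ru SYSTEM'},
    {"host": "WS042", "user": "CORP\\jdoe", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic /node:FS01 process call create "cmd /c whoami"'},
    # Benign admin use of the same binary: must not fire.
    {"host": "WS007", "user": "CORP\\alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    technique: str  # MITRE ATT&CK technique ID
    cmdline: str


# (rule name, ATT&CK ID, regex applied to the lower-cased command line).
# Patterns are deliberately narrow: the tool name alone is not a signal,
# the argument shape of the abusive invocation is.
RULES = [
    ("ntds_dump_via_ntdsutil", "T1003.003",
     re.compile(r"\bntdsutil\b.*(ac i ntds|\bifm\b)")),
    ("shadow_copy_creation", "T1003.003",
     re.compile(r"\bvssadmin\b.*create shadow|\bwmic\b.*shadowcopy.*create|\bdiskshadow\b")),
    ("encoded_powershell", "T1059.001",
     re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\b")),
    ("scheduled_task_persistence", "T1053.005",
     re.compile(r"\bschtasks\b.*/create")),
    ("wmic_remote_process", "T1047",
     re.compile(r"\bwmic\b.*/node:.*process call create")),
]


def detect(events):
    """Return one Finding per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, technique, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(ev["host"], ev["user"], name, technique, ev["cmdline"]))
    return findings


def escalate(findings, min_hits=2):
    """(host, user) pairs with at least min_hits findings.

    A single tool invocation is something administrators also produce; the
    same principal chaining several of them on one host is the LOTL signal.
    """
    counts = {}
    for f in findings:
        key = (f.host, f.user)
        counts[key] = counts.get(key, 0) + 1
    return sorted(key for key, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:6} {f.user:18} {f.technique:9} {f.rule}")
    print("escalate:", escalate(hits))
```

The thresholds and patterns are starting points to tune against a baseline of your own administrators' activity; the escalation step is what keeps the rule set usable, since backup jobs and imaging tools legitimately create shadow copies and run scheduled tasks on their own.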
Exploited appliances
| Vendor | Product |
|---|---|
| Fortinet | FortiGuard devices |
| Ivanti | Connect Secure |
| NETGEAR | ProSAFE devices |
Why LOTL works
| Factor | Effect |
|---|---|
| No custom malware | Signature-based detection fails |
| Legitimate tools | Activity blends with admin operations |
| Domestic IP proxies | C2 relayed through compromised US-based SOHO routers, so traffic appears to originate from domestic residential IP space |
| Minimal artifacts | Forensic investigation hindered |
“Traditional signature-based security tools are largely ineffective against these techniques. Detection requires behavioral analytics capable of identifying anomalous patterns in the use of legitimate administrative tools.”
Historical context
Timeline
| Date | Event |
|---|---|
| May 2023 | Microsoft discloses Volt Typhoon targeting Guam, US territories |
| 2024 | CISA advisories confirm telecom, ISP, MSP compromises |
| February 2024 | CISA reports 5+ years of access in some networks |
| January 2026 | Water, energy, transportation compromises revealed |
Expanding footprint
| Phase | Targets |
|---|---|
| 2023 | Guam, Pacific territories |
| 2024 | Telecommunications, ISPs, IT providers |
| 2026 | Water, energy, transportation (continental US) |
The threat has expanded from strategic Pacific locations to mainland critical infrastructure.
Five-year persistence
Prior CISA advisories confirmed that Volt Typhoon actors maintained access to some victim IT environments for at least five years without detection.
| Persistence Factor | Volt Typhoon Approach |
|---|---|
| Detection avoidance | LOTL techniques, no malware |
| Long-term access | Minimal activity, dormant footholds |
| Redundancy | Multiple access paths per target |
| Patience | Strategic positioning over years |
Geopolitical context
Taiwan tensions
The advisory arrives amid heightened tensions in the Taiwan Strait. US intelligence consistently assesses that Volt Typhoon's pre-positioning would give China the capability to:
- Disrupt military logistics during potential Taiwan conflict
- Impact civilian infrastructure to create domestic pressure
- Degrade emergency response capabilities
FBI Director assessment
“The defining cyber challenge of our generation… Volt Typhoon’s access to critical infrastructure was designed to cause real-world harm to American citizens at a time and place of China’s choosing.” — FBI Director Christopher Wray
China’s denial
China has repeatedly denied involvement:
- Ministry of Foreign Affairs calls attribution “groundless and irresponsible”
- State media alleges Volt Typhoon narrative is fabricated
- Claims US intelligence seeks to justify surveillance spending
Sector responses
Water ISAC
- Emergency bulletin issued within hours of advisory
- Sector-specific detection guidance provided
- Emergency briefings for water utility operators
Electricity sector (ESCC)
- Emergency meeting convened with DOE
- Discussion of OT-specific monitoring tools
- Focus on LOTL detection in industrial control systems
Congressional response
Bipartisan legislation introduced in the Senate would authorize $2.5 billion in grants for small and mid-sized utilities to improve cybersecurity posture.
Mitigation guidance
The advisory includes detailed guidance co-authored by CISA, NSA, FBI, and Five Eyes partners.
Priority actions
| Priority | Action |
|---|---|
| Critical | Implement comprehensive logging (process command-line auditing, PowerShell script block logging, remote access and admin tool use), forwarded off-host so it cannot be cleared locally |
| Critical | Network segmentation between IT and OT |
| Critical | Patch internet-facing appliances immediately |
| Critical | Replace EOL SOHO routers and VPN appliances |
| High | Proactive threat hunting using published indicators and the LOTL behaviors described above (indicators alone miss activity that uses no malware) |
| High | Phishing-resistant MFA on all admin/remote access |
Detection focus
| Indicator | Detection Method |
|---|---|
| LOTL tool abuse | Behavioral analytics, baseline deviation |
| Unusual admin activity | SIEM correlation, time-based anomalies |
| SOHO router compromise | Network traffic analysis, firmware verification |
| Lateral movement | Authentication pattern analysis |
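The last row, authentication pattern analysis, is the one most operators have the data for already but rarely baseline. The following is an added example, not code from the advisory: it builds, per account, the set of hosts an account normally reaches and the hours it is normally active, then flags accounts whose later remote logons fan out to hosts outside that baseline, particularly off-hours or in a scripted burst. The event tuple, host names and timestamps are constructed for the illustration; in practice the fields map to Security Event ID 4624 with LogonType 3 (network) or 10 (RemoteInteractive), and the baseline window should cover several weeks of normal operation.

```python
"""Authentication-pattern analysis for lateral movement (added example).

Builds a per-account baseline of destination hosts and active hours, then
alerts on accounts whose logons in a later window deviate from it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, account, source host, destination host, logon type).
BASELINE_EVENTS = [
    ("2025-11-03T09:12:00", "CORP\\jdoe", "WS042", "FS01", 3),
    ("2025-11-04T10:05:00", "CORP\\jdoe", "WS042", "FS01", 3),
    ("2025-11-05T14:40:00", "CORP\\jdoe", "WS042", "PRINT01", 3),
    ("2025-11-03T08:30:00", "CORP\\admin2", "JUMP01", "DC01", 10),
    ("2025-11-04T08:45:00", "CORP\\admin2", "JUMP01", "DC02", 10),
    ("2025-11-06T09:00:00", "CORP\\admin2", "JUMP01", "FS01", 10),
]
DETECT_EVENTS = [
    ("2026-01-08T09:15:00", "CORP\\jdoe", "WS042", "FS01", 3),         # normal
    ("2026-01-08T02:11:00", "CORP\\jdoe", "WS042", "DC01", 10),        # new host, off hours
    ("2026-01-08T02:14:00", "CORP\\jdoe", "WS042", "HMI-GW01", 10),    # new host, off hours
    ("2026-01-08T02:20:00", "CORP\\jdoe", "WS042", "SCADA-HIST", 3),   # new host, off hours
    ("2026-01-09T08:50:00", "CORP\\admin2", "JUMP01", "DC01", 10),     # normal
    ("2026-01-09T12:00:00", "CORP\\admin2", "JUMP01", "FS02", 10),     # one new host, business hours
]


def build_baseline(events):
    """Per-account set of destination hosts and active hours in the baseline window."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, account, _src, dst, _ltype in events:
        base[account]["hosts"].add(dst)
        base[account]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(base)


def analyze(events, baseline, new_host_threshold=2,
            burst_window=timedelta(minutes=15), business_hours=range(7, 19)):
    """Return one alert dict per account whose logons deviate from its baseline."""
    per_account = defaultdict(list)
    for ev in events:
        per_account[ev[1]].append(ev)

    alerts = []
    for account, evs in per_account.items():
        known = baseline[account]["hosts"] if account in baseline else set()
        # Logons to hosts this account never reached during the baseline window.
        new = sorted((datetime.fromisoformat(ts), dst)
                     for ts, _a, _s, dst, _lt in evs if dst not in known)
        new_hosts = sorted({dst for _, dst in new})
        off_hours = sum(1 for t, _ in new if t.hour not in business_hours)
        # Burst: two new hosts first reached within burst_window of each other,
        # the shape of scripted enumeration rather than a person at a console.
        first_seen = {}
        for t, dst in new:
            first_seen.setdefault(dst, t)
        times = sorted(first_seen.values())
        burst = any(times[i + 1] - times[i] <= burst_window for i in range(len(times) - 1))

        reasons = []
        if len(new_hosts) >= new_host_threshold:
            reasons.append(f"{len(new_hosts)} hosts outside baseline")
        if new_hosts and off_hours:
            reasons.append(f"{off_hours} off-hours logons to new hosts")
        if burst:
            reasons.append("burst of new destinations")
        if reasons:
            alerts.append({"account": account, "new_hosts": new_hosts,
                           "off_hours": off_hours, "burst": burst, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(DETECT_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert["account"], "->", alert["new_hosts"], "|", "; ".join(alert["reasons"]))
```

In the constructed data the workstation account that reaches a domain controller and two OT-facing hosts at 02:00 within nine minutes is alerted on, while the administrator who touches one new file server during business hours is not; that distinction, not the raw count of logons, is what separates this from a noisy authentication report. Accounts with no baseline at all (newly created, or created by the intruder) fall out as every destination being new, which is the intended behavior.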
CISA resources
| Resource | Description |
|---|---|
| Free vulnerability scanning | For critical infrastructure operators |
| Assessment services | On-site security evaluation |
| Sector ISACs | Industry-specific threat sharing |
Key assessment
The advisory concludes with a stark warning:
“The US government assesses with high confidence that Volt Typhoon actors maintain active, undiscovered access to additional critical infrastructure networks beyond those identified to date.”
Organizations in all critical infrastructure sectors should treat the threat as ongoing.
Recommendations
For critical infrastructure operators
| Timeframe | Action |
|---|---|
| Immediate | Review and patch internet-facing appliances |
| Immediate | Implement IT/OT network segmentation |
| This week | Enable comprehensive logging |
| This month | Conduct threat hunting using CISA indicators |
| Ongoing | Participate in sector ISAC |
For all organizations
| Control | Purpose |
|---|---|
| Behavioral analytics | Detect LOTL technique abuse |
| SOHO device inventory | Identify and replace vulnerable equipment |
| Admin activity monitoring | Baseline and alert on anomalies |
| Incident response planning | Prepare for potential infrastructure disruption |
Context
Volt Typhoon represents a paradigm shift in nation-state cyber operations. Rather than traditional espionage focused on stealing information, the campaign appears designed to create options for future disruption.
The 12-18 month dwell times in newly discovered compromises—combined with prior reports of 5-year persistence—demonstrate that detection of sophisticated LOTL operations remains extremely challenging.
The advisory’s “high confidence” assessment that additional undiscovered compromises exist should prompt every critical infrastructure operator to assume they may be targeted and implement detection capabilities accordingly.
The $2.5 billion in proposed Congressional funding reflects the scale of the challenge: defending distributed critical infrastructure against a patient, well-resourced nation-state adversary requires sustained investment in capabilities that most utilities currently lack.