The Two Campaigns

Over the past three years, two Chinese state-sponsored intrusion sets have reshaped how the US government thinks about nation-state cyber operations against critical infrastructure. Both are tracked under the “Typhoon” naming convention used by Microsoft. Both have been the subject of joint advisories from CISA, the NSA, and the FBI. And both share a defining characteristic: they get in, they stay in, and they are rarely evicted quickly.

The alerts were firing the whole time. What didn’t happen — for years — was the investigation.

Volt Typhoon: Pre-positioning for Disruption

Microsoft first publicly disclosed Volt Typhoon on May 24, 2023, describing a Chinese state-sponsored actor conducting stealthy and targeted operations against US critical infrastructure. On February 7, 2024, CISA, the NSA, and the FBI — joined by Five Eyes partners — published joint advisory AA24-038A, which formalized the scope of the campaign. The advisory stated plainly that Volt Typhoon actors were “maintaining access and footholds within some victim IT environments for at least five years.”

The same actor is tracked across the industry as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus. The sector targeting is deliberate: Communications, Energy, Transportation Systems, and Water and Wastewater Systems — including confirmed activity against infrastructure on Guam. CISA’s assessment is explicit: the activity is not traditional espionage. The actors are “pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” a judgment made with high confidence.

Initial access is overwhelmingly via internet-facing edge devices. CVE-2022-42475 — a pre-auth heap overflow in Fortinet FortiGate SSL-VPN — is a confirmed vector. Ivanti Connect Secure, Cisco, NETGEAR, and Citrix devices have also been named. Once inside, the tradecraft shifts entirely to Living off the Land: native Windows binaries (LOLBins), PowerShell, WMI, hands-on-keyboard operator activity, credential extraction from the edge devices themselves, and patient abuse of Active Directory.

Salt Typhoon: Espionage at Global Scale

If Volt Typhoon is pre-positioning, Salt Typhoon is harvest. On August 27, 2025, CISA, the NSA, the FBI, and a coalition of international partners published joint advisory AA25-239A, detailing a sustained Chinese intrusion campaign against global telecommunications, government, transportation, lodging, and military infrastructure networks. The same actor is also tracked as OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor; the advisory ties the activity to Chinese companies that supply cyber capabilities to China's intelligence services, including the Ministry of State Security.

The scale is without modern precedent. In August 2025, the FBI publicly stated that Salt Typhoon had compromised more than 200 organizations across 80 countries. US carriers identified in public reporting include Verizon, AT&T, T-Mobile, Spectrum (Charter), Lumen, Consolidated Communications, Windstream, and Viasat; the White House put the number of affected US telecoms at nine in December 2024, and not every one of them has been named publicly. Inside those carriers, the actors gained access to call and text metadata at population scale, and intercepted actual call audio for fewer than 100 high-profile targets, a list that reporting says includes then-candidate Donald Trump, JD Vance, and staffers on the Harris campaign.

The technique is not endpoint malware. Salt Typhoon operators compromise, and then persistently modify, provider-edge and customer-edge routers: altering running configurations, access lists, tunnel interfaces, and management services to create long-lived, stealthy access to carrier traffic. These are devices that sit entirely outside the coverage of every endpoint detection and response tool on the market.

Two specific incidents illustrate the dwell-time problem. From March through December 2024, a full nine months, Salt Typhoon maintained access to a US Army National Guard network in an unnamed state, exfiltrating administrative credentials, network diagrams, and service-member PII. The compromised network was connected to Guard networks in every state and four US territories. Separately, US government reporting disclosed in 2025 documented the theft of 1,462 network configuration files from approximately 70 US government and critical-infrastructure entities across 12 sectors between 2023 and 2024.

In February 2026, Senator Maria Cantwell, ranking member of the Senate Commerce Committee, demanded CEO-level disclosure from the affected carriers. A December 2025 Senate hearing ended with expert consensus that the telecom networks remain vulnerable. As of early 2026, the FBI has stated the threat is “still very, very much ongoing.”

The Typhoon Numbers

  • 5 years: Maximum confirmed Volt Typhoon dwell time inside US critical infrastructure IT networks (CISA AA24-038A).
  • 9 US telecoms: Salt Typhoon victims per the White House count of December 2024, including the major nationwide US carriers.
  • 200+ organizations: Salt Typhoon victims globally, per FBI August 2025.
  • 80 countries: Geographic scope of the Salt Typhoon campaign.
  • 9 months: Undetected Salt Typhoon access inside a US Army National Guard network in 2024.
  • 1,462 config files: Network configuration files exfiltrated from ~70 US government and critical-infrastructure entities across 12 sectors.

The Shared Playbook

Volt Typhoon and Salt Typhoon are different operations, with different objectives, run by different units. But the tradecraft they use to achieve multi-year dwell time is strikingly consistent — and consistently designed to evade signature-based detection.

Edge-First, Not Endpoint-First

Both campaigns start where EDR isn’t. Volt Typhoon’s documented entry points are Fortinet FortiGate (CVE-2022-42475), Ivanti Connect Secure, Cisco, NETGEAR, and Citrix devices. Salt Typhoon operates directly on provider- and customer-edge routers. These are not workstations. They are not servers with a CrowdStrike or Defender agent installed. They are network appliances that sit outside the telemetry boundary of the modern SOC — and the adversary knows it.

Living off the Land

Once inside, both actors abandon malware in favor of native administrative tooling. PowerShell. WMI. wmic. netsh. ntdsutil. PsExec. Scheduled tasks. Registry queries. All of these ship with Windows except PsExec, which is a Microsoft-signed Sysinternals tool; every one is a legitimate, signed binary that an IT administrator uses daily. There are no malware signatures to match because there is no malware. The SOC is being asked to distinguish a hostile operator from a tier-3 sysadmin based on behavior alone.

Legitimate Credentials

After the initial foothold, both actors move to operating with real, valid accounts — frequently privileged ones — harvested from the edge devices themselves or from Active Directory. To a signature engine, an authenticated session from a valid domain admin account is, by definition, legitimate. The anomaly is not who logged in. The anomaly is the combination of where from, when, what they touched, and how it relates to activity from weeks earlier.

Hands-on-Keyboard, Slow and Patient

Both actors favor interactive, operator-driven intrusion over automated tooling. They reconnoiter slowly. They wait. They log in, pull one configuration file, and log out. Days or weeks later, they come back and pull another. In an environment producing tens of thousands of alerts a day, patience itself is an evasion technique. Patience is the weapon.

Why Detection Alone Doesn’t Close the Gap

It would be comforting to conclude that Typhoon-class actors are undetectable. They are not. Every behavior described above generates signal in a reasonably instrumented environment: a VPN-appliance login from a source the account has never used, ntdsutil or wmic launched on a domain controller, a domain admin authenticating from an edge device's management address, a sensitive configuration object read at three in the morning, or a network appliance opening a session outbound instead of accepting one.

These are not exotic detections. They are standard content in any mature SIEM or XDR deployment. The signals exist. The problem is that in a queue of 11,000 alerts a day, each of those individual signals looks pedestrian. None of them, in isolation, screams “Chinese state-sponsored actor.” It is only when they are correlated across time, across systems, and across identities that the pattern becomes legible — and that correlation requires investigation, not just detection.
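The correlation argument above can be made concrete. The following is an added example written for this article, not code from the Typhoon advisories or from any SIEM vendor: it scores constructed events for one admin account over three weeks (a new-source VPN login, an ntdsutil launch, a privileged logon sourced from the VPN appliance's address) and shows that no single event crosses an alert threshold while the identity-linked chain does. The event schema, the weights, the threshold, the appliance addresses and the sample events are all this example's own assumptions.

```python
"""Cross-time, cross-identity correlation of weak signals.

Added example for this article, not code from the Typhoon advisories or from
any SIEM vendor. The event schema (kind, user, src, ts, ...), the weights and
the threshold are this example's own assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Native tools the Volt Typhoon advisory (AA24-038A) lists among the actor's
# living-off-the-land commands. Each alone is routine administrator activity.
LOLBINS = {"ntdsutil.exe", "wmic.exe", "netsh.exe", "powershell.exe", "reg.exe"}

# Management addresses of edge appliances (assumed for this example).
EDGE_DEVICES = {"10.0.0.1": "fortigate-vpn-01", "10.0.0.2": "ios-xe-pe-01"}

# Per-signal scores. None reaches ALERT_THRESHOLD on its own, nor does any
# single event; the point is what they sum to when linked by identity.
WEIGHTS = {
    "edge_login_new_source": 30,  # VPN login from a source never seen for this user
    "lolbin": 15,                 # process creation of a LOLBin
    "admin_from_edge_ip": 30,     # privileged logon sourced from an appliance
    "config_read": 20,            # read of a sensitive configuration object
    "off_hours": 10,              # outside 08:00-18:00 local
}
ALERT_THRESHOLD = 70
WINDOW = timedelta(days=30)          # long trailing window: weeks, not hours
SHORT_WINDOW = timedelta(hours=24)   # what a per-day correlation rule would see


def classify(ev):
    """Return the weak-signal tags that apply to one event (often none)."""
    tags = []
    if ev["kind"] == "vpn_login" and ev.get("new_source"):
        tags.append("edge_login_new_source")
    if ev["kind"] == "process" and ev.get("image", "").lower() in LOLBINS:
        tags.append("lolbin")
    if ev["kind"] == "logon" and ev.get("admin") and ev["src"] in EDGE_DEVICES:
        tags.append("admin_from_edge_ip")
    if ev["kind"] == "object_read" and ev.get("sensitive"):
        tags.append("config_read")
    if tags and not 8 <= ev["ts"].hour < 18:
        tags.append("off_hours")
    return tags


def score_event(ev):
    """Score of one event in isolation, i.e. what per-alert triage sees."""
    return sum(WEIGHTS[t] for t in classify(ev))


def correlate(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Accumulate each identity's weak signals over a trailing window and
    return the identities whose chain crosses the threshold, with evidence."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tags = classify(ev)
        if tags:
            by_user[ev["user"]].append((ev["ts"], tags, ev))

    findings = {}
    for user, hits in by_user.items():
        for ts, _, _ in hits:
            chain = [h for h in hits if ts - window <= h[0] <= ts]
            score = sum(WEIGHTS[t] for _, tags, _ in chain for t in tags)
            if score >= threshold:
                findings[user] = {"score": score, "events": [h[2] for h in chain]}
                break
    return findings


# Constructed sample telemetry: three weak signals for one admin account spread
# over three weeks, plus routine daytime admin work by another account.
T = datetime
SAMPLE_EVENTS = [
    {"ts": T(2024, 3, 4, 2, 14), "kind": "vpn_login", "user": "jdoe-adm",
     "src": "203.0.113.9", "new_source": True},
    {"ts": T(2024, 3, 10, 10, 0), "kind": "process", "user": "ops-admin",
     "src": "10.0.5.40", "host": "dc01", "image": "wmic.exe"},
    {"ts": T(2024, 3, 11, 14, 0), "kind": "vpn_login", "user": "ops-admin",
     "src": "10.0.5.40", "new_source": False},
    {"ts": T(2024, 3, 16, 3, 40), "kind": "process", "user": "jdoe-adm",
     "src": "10.0.0.1", "host": "dc01", "image": "ntdsutil.exe"},
    {"ts": T(2024, 3, 23, 1, 5), "kind": "logon", "user": "jdoe-adm",
     "src": "10.0.0.1", "host": "dc01", "admin": True},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ts"], ev["user"], classify(ev), score_event(ev))
    print(correlate(SAMPLE_EVENTS))                       # jdoe-adm, score 105
    print(correlate(SAMPLE_EVENTS, window=SHORT_WINDOW))  # {} : the chain is lost
```

The same logic with a 24-hour window returns nothing, which is the practical lesson: a correlation rule scoped to a day sees three pedestrian alerts three weeks apart, and a rule scoped to a month sees one intrusion.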

The Investigation Math

  • ~11,000 alerts/day: Average volume for a mid-sized enterprise SOC.
  • ~45% false-positive rate: Nearly half of SIEM alerts never represent a real threat — and triage still consumes analyst time for each one.
  • 4 million+ worker shortfall: The global cybersecurity workforce gap, per ISC2’s 2025 Workforce Study. There is no hiring path out of this.
  • Off-hours gaps: Most SOCs run a skeleton overnight and weekend crew. Typhoon-class operators schedule their hands-on-keyboard activity accordingly.

What Thorough Investigation Would Have Caught

The forensic reports on Volt Typhoon and Salt Typhoon, when read carefully, describe intrusions that were detectable but uninvestigated. An investigation discipline capable of catching these actors earlier would correlate across long windows and across system boundaries: tying an edge-device login anomaly to the privileged logons that followed it weeks later, linking one pulled configuration file to the next one pulled from a different device a month on, and treating nine months of intermittent access to a single network as one incident rather than a string of individually closed tickets.

None of this is novel detection engineering. All of it requires that every alert receive genuine investigation — including cross-referencing against the preceding weeks of activity — rather than being closed in 90 seconds by an overloaded analyst.

What Critical Infrastructure Operators Should Do Now

The FBI has stated that Salt Typhoon activity is still ongoing. CISA’s assessment of Volt Typhoon pre-positioning for disruption has not been rescinded. For any operator of communications, energy, transportation, or water infrastructure, the prudent baseline is to assume some level of Typhoon-adjacent interest in your environment, and to close the investigation gap accordingly.

Pull Network-Device Telemetry Into the SOC

Routers, VPN concentrators, firewalls, and load balancers are the primary entry and persistence surface for both Typhoon campaigns. If your SOC is ingesting endpoint and identity telemetry but not authentication events, configuration changes, and administrative logins from your edge devices, you have a visibility gap that maps exactly to the adversary’s tradecraft. Close it first.
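What "configuration changes and administrative logins from your edge devices" looks like once it is actually in the SOC is worth showing. The following is an added example for this article, not code from CISA or any vendor: it parses the two Cisco IOS syslog messages that carry that information (SYS-5-CONFIG_I on exit from configuration mode, and PARSER-5-CFGLOG_LOGGEDCMD, emitted per command when config logging is enabled under archive) and flags the kinds of changes the Salt Typhoon advisory attributes to the actor: new tunnel interfaces, SSH moved to a non-standard port, access-list entries admitting outside hosts, and configuration sessions from outside the management network. The management subnet, hostnames and log lines are constructed for the example.

```python
"""Detection over router syslog for the configuration changes the Salt Typhoon
advisory (AA25-239A) attributes to the actor.

Added example for this article, not code from CISA or any vendor. The
management subnet, hostnames and log lines are constructed.
"""
import ipaddress
import re

MGMT_NET = ipaddress.ip_network("10.200.0.0/24")  # assumed management subnet

# Syslog prefix as forwarded by Cisco IOS/IOS XE (sequence number after host).
LINE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
                  r"(?P<host>\S+) \d+: (?P<msg>%.*)$")
# Emitted on exit from configuration mode: who configured, from where.
CONFIG_I = re.compile(r"%SYS-5-CONFIG_I: Configured from console by (?P<user>\S+) "
                      r"on (?P<line>\S+) \((?P<ip>[\d.]+)\)")
# Emitted per command when 'archive / log config / logging enable' is set.
CFG_CMD = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+"
                     r"logged command:(?P<cmd>.*)$")

# Command patterns that warrant investigation when they appear on a PE/CE router.
RULES = [
    ("tunnel_interface", re.compile(r"^interface Tunnel\d+", re.I)),
    ("tunnel_endpoint", re.compile(r"^tunnel (?:mode gre|destination)", re.I)),
    ("ssh_nonstandard_port", re.compile(r"^ip ssh port (?!22\b)\d+", re.I)),
    ("guestshell", re.compile(r"^guestshell enable", re.I)),
]
ACL_HOST = re.compile(r"^(?:access-list \d+ )?permit\b.*\bhost (\d+\.\d+\.\d+\.\d+)", re.I)


def analyze(lines):
    """Return one finding per suspicious line: host, user, rule, evidence."""
    findings = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        c = CONFIG_I.search(msg)
        if c:
            # A config session is fine; one sourced outside the management net is not.
            if ipaddress.ip_address(c["ip"]) not in MGMT_NET:
                findings.append({"host": host, "user": c["user"],
                                 "rule": "config_session_outside_mgmt",
                                 "evidence": c["ip"]})
            continue
        k = CFG_CMD.search(msg)
        if not k:
            continue
        cmd = k["cmd"].strip()
        for rule, pat in RULES:
            if pat.match(cmd):
                findings.append({"host": host, "user": k["user"],
                                 "rule": rule, "evidence": cmd})
        a = ACL_HOST.match(cmd)
        if a and ipaddress.ip_address(a.group(1)) not in MGMT_NET:
            findings.append({"host": host, "user": k["user"],
                             "rule": "acl_permits_outside_host", "evidence": cmd})
    return findings


def by_host(findings):
    """Count findings per router; a cluster on one device is the triage cue."""
    counts = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


# Constructed sample: one off-hours session on a provider-edge router that
# builds a GRE tunnel, moves SSH to a high port and opens an ACL for the peer,
# followed by routine daytime work on a customer-edge router.
SAMPLE_LOG = [
    "Mar 12 02:41:07 pe-router-01 101: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (198.51.100.23)",
    "Mar 12 02:41:40 pe-router-01 102: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface Tunnel100",
    "Mar 12 02:41:52 pe-router-01 103: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:tunnel destination 198.51.100.23",
    "Mar 12 02:42:10 pe-router-01 104: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:ip ssh port 33443 rotary 1",
    "Mar 12 02:42:30 pe-router-01 105: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:permit tcp host 198.51.100.23 any eq 33443",
    "Mar 12 10:15:00 ce-router-07 200: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.200.0.15)",
    "Mar 12 10:15:20 ce-router-07 201: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:description uplink to core",
    "Mar 12 10:16:00 ce-router-07 202: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["host"], f["user"], f["rule"], f["evidence"])
    print(by_host(analyze(SAMPLE_LOG)))
```

The same account name, netops, appears in both sessions; what separates them is the source address and the commands, which is exactly the information a SOC does not have if the router's syslog never reaches it. Per-command logging has to be switched on in the device configuration (archive, log config, logging enable on IOS); without it only the CONFIG_I line arrives.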

Instrument Identity

Anomalous authentication — new source geographies, new device fingerprints, new resource targets, and privilege escalation or drift in admin accounts — is where Typhoon activity surfaces after initial access. Identity telemetry from Active Directory, Entra ID, and privileged access management systems needs first-class treatment in the SOC, not a lower-priority feed.

Assume Compromise; Hunt for Dwell Indicators

Given a documented five-year dwell time, the operating assumption for any critical-infrastructure SOC should be that a foothold may already exist. That shifts the hunting question from “did someone get in today?” to “is someone already here, and have we seen the quiet evidence?” Hunt queries should target the low-and-slow indicators: rare admin-account behavior, edge-device authentication anomalies, reads of sensitive configuration objects, and reverse-directional traffic from network appliances.
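Of the four hunt targets just listed, reverse-directional traffic from network appliances is the one most SOCs have never written a query for. The following is an added example for this article, not from any advisory or product, that runs that hunt over constructed flow records: it keeps only sessions initiated by an appliance, discards the small set of destinations an appliance legitimately opens itself (syslog, NTP, DNS), and classifies the rest as tunnels to unexpected peers, lateral connections into the internal network, or external connections. The appliance inventory, expected outbound profile and flow records are assumptions of the example.

```python
"""Hunt for reverse-directional traffic: sessions initiated *by* a network
appliance rather than accepted by it. A VPN concentrator or provider-edge
router should accept sessions; it should very rarely open them.

Added example for this article, not from any advisory or product. Appliance
inventory, expected outbound profile and flow records are constructed.
"""
import ipaddress

APPLIANCES = {"10.0.0.1": "fortigate-vpn-01", "10.0.0.2": "ios-xe-pe-01"}
# Sessions an appliance legitimately opens itself: syslog, NTP, DNS (assumed).
EXPECTED_OUTBOUND = {("10.200.0.5", 514), ("10.200.0.6", 123), ("10.200.0.7", 53)}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
TUNNEL_PROTOS = {47: "gre", 50: "esp"}   # IP protocol numbers for GRE and ESP


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def hunt(flows):
    """Return appliance-initiated sessions outside the expected profile."""
    findings = []
    for f in flows:
        name = APPLIANCES.get(f["src"])
        if name is None:
            continue  # not initiated by an appliance: out of scope for this hunt
        if (f["dst"], f.get("dport")) in EXPECTED_OUTBOUND:
            continue
        if f["proto"] in TUNNEL_PROTOS:
            reason = TUNNEL_PROTOS[f["proto"]] + "_tunnel_to_unexpected_peer"
        elif is_internal(f["dst"]):
            reason = "appliance_initiated_lateral"
        else:
            reason = "appliance_initiated_external"
        findings.append({"appliance": name, "dst": f["dst"],
                         "dport": f.get("dport"), "bytes": f["bytes"],
                         "reason": reason})
    return findings


def ranked(findings):
    """Largest transfers first; a multi-megabyte tunnel outranks a small beacon."""
    return sorted(findings, key=lambda x: x["bytes"], reverse=True)


# Constructed flow records (NetFlow-style: initiator as src).
SAMPLE_FLOWS = [
    {"src": "10.0.0.1", "dst": "10.200.0.5", "dport": 514, "proto": 17, "bytes": 4096},
    {"src": "10.0.0.1", "dst": "10.200.0.6", "dport": 123, "proto": 17, "bytes": 96},
    {"src": "10.0.5.40", "dst": "10.0.0.1", "dport": 443, "proto": 6, "bytes": 12000},
    {"src": "10.0.0.2", "dst": "198.51.100.23", "dport": None, "proto": 47, "bytes": 5_200_000},
    {"src": "10.0.0.1", "dst": "10.0.5.20", "dport": 445, "proto": 6, "bytes": 2_100_000},
    {"src": "10.0.0.1", "dst": "203.0.113.77", "dport": 443, "proto": 6, "bytes": 1800},
]

if __name__ == "__main__":
    for f in ranked(hunt(SAMPLE_FLOWS)):
        print(f["appliance"], "->", f["dst"], f["dport"], f["bytes"], f["reason"])
```

The same three conditions translate directly into a SIEM query over flow or firewall logs; the point of writing it out is that the inventory of appliances and their expected outbound profile is the part most organizations have never maintained, and the hunt is only as good as that list.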

Close the Investigation Gap With AI-Powered Triage

The investigation bottleneck is structural. It cannot be hired out of; the 4M+ workforce gap is growing. AI-powered alert investigation — capable of correlating a single alert against weeks of prior telemetry across identity, endpoint, network, and edge-device data — directly addresses the failure mode that allowed five-year dwell times in the first place. Every alert investigated, every time, with full context.

The Core Question

If a Typhoon-style actor logged into your edge router tonight — using valid credentials, from an IP that looked plausible, touching nothing alarming in the first hour — how many days would pass before anyone investigated the login anomaly in the context of the preceding month of activity? If the honest answer is “we wouldn’t,” the dwell time clock has already started.