What is Volt Typhoon? FBI warns of 'threat' from Chinese state-backed hacking network

State-backed hackers may pose a major threat to global systems (Unsplash)

FBI director Christopher Wray recently released a warning about a state-sponsored group of hackers known as Volt Typhoon.

Addressing a US committee, Wray warned that Volt Typhoon was “the defining threat of our generation”, as it aimed to disrupt the US military’s “ability to mobilize”.

Official reports have suggested that the China-backed hacking group has been able to gain access to crucial infrastructure through vulnerable IT networks.

However, instead of stealing information, Volt Typhoon has allegedly “pre-positioned” itself in order to carry out future interference.

Here’s everything we know about Volt Typhoon and the threat it poses.

What is Volt Typhoon?

Volt Typhoon has been identified as a Chinese-backed collective of hackers that has been in operation since around 2021.

It’s an example of one of the many groups of hackers that countries rely on to gather intelligence around the world.

Volt Typhoon appears to work by gaining control of poorly secured network devices, such as modems and routers. The goal, it seems, is to embed itself in such devices and use them as a foothold to reach more sensitive data and systems.

According to a Microsoft blog released in May 2023, the company had observed “malicious” activity linked to the group, which suggested “that the threat actor intends to perform espionage and maintain access without being detected for as long as possible”.

Christopher Wray recently addressed the threat of Volt Typhoon (Mandel Ngan / AFP via Getty Images)

What has it affected?

As groups such as Volt Typhoon are so secretive, it’s difficult to say exactly what has been affected by the hackers.

Microsoft’s investigation claimed that infrastructure in the US territory of Guam and across the mainland United States may have been affected, in industries such as “communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors”.

The group could potentially have the ability to disrupt heating, energy and water supplies with the intent of damaging infrastructure.

The assessment appeared to suggest that Volt Typhoon had the potential to affect “critical communications infrastructure between the United States and Asia region”.

This is particularly important because of the current political tensions between China and the US over Taiwan.

The Philippines and the Netherlands have also recently identified incidents linked to Chinese-backed hackers.

US authorities have claimed that some of these stealth digital networks may have been embedded in devices for “at least five years”.

Where did it originate?

A number of countries around the world are believed to work with state-sponsored hackers to gather intelligence and infiltrate foreign systems.

In 2023, the US National Security Agency released an advisory drawing attention to the operations of Volt Typhoon.

In the report, the NSA described the group as a “People’s Republic of China (PRC) state-sponsored cyberactor, also known as Volt Typhoon”.

US Cybersecurity and Infrastructure Agency (CISA) Director Jen Easterly recently told lawmakers what a hypothetical cyberattack by China would look like: “Telecommunications going down — People start getting sick from polluted water. Trains get derailed. This is truly an everything, everywhere, all at once scenario,” said Director Easterly.

What is a ‘living-off-the-land’ attack?

Investigations have identified that Volt Typhoon has adopted a ‘living-off-the-land (LotL)’ strategy for its hacking techniques.

The threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.

‘Living off the land’ is a term used to describe when malicious actors use the legitimate, built-in tools already present on a target’s systems to carry out their goals. The hackers don’t need to install any extra malware in order to carry out their attacks.

One of many nefarious strategies adopted by hackers, it essentially helps the hacker avoid detection: because the tools are ones administrators use every day, the activity blends in with the normal operation of existing systems.
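Because living-off-the-land activity uses tools that are already present, defenders look for the context in which those tools run rather than for the tools themselves. The following script is an added example, not code from the article or from any of the agencies it cites. It scans a small, constructed process-creation log for built-in administrative tools launched from unexpected parent processes or with encoded command lines. The log format, the watch-list of tools and the parent-process categories are all assumptions made for the example.

```python
"""Toy detector for living-off-the-land (LotL) activity in process-creation logs.

Added example, not from the article. Assumes a simplified, constructed log format:
  <timestamp> host=<name> parent=<image> user=<name> image=<image> cmdline="<args>"
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical watch-list: built-in tools that are legitimate on their own but
# worth reviewing when launched outside normal administrative contexts.
WATCHED_TOOLS = {"cmd.exe", "powershell.exe", "netsh.exe", "wmic.exe"}

# Parents that routinely spawn admin tools during ordinary administration.
EXPECTED_PARENTS = {"explorer.exe", "mmc.exe", "services.exe"}

# Parents (server-side application processes) that should rarely spawn a shell.
SUSPICIOUS_PARENTS = {"w3wp.exe", "winword.exe", "outlook.exe"}

LOG_RE = re.compile(
    r'(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
    r'user=(?P<user>"[^"]*"|\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"'
)

# Matches "-enc <base64>" style arguments (e.g. -EncodedCommand) with a long payload.
ENCODED_ARG_RE = re.compile(r"-enc\w*\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    host: str
    image: str
    parent: str
    reasons: List[str]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a watched tool runs in a context that warrants review."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    if image not in WATCHED_TOOLS:
        return None  # not a tool we care about; no signal
    reasons: List[str] = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"built-in tool launched by application process {parent}")
    elif parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process {parent}")
    if ENCODED_ARG_RE.search(event["cmdline"]):
        reasons.append("encoded command line")
    if not reasons:
        return None  # watched tool, but in an expected context
    return Finding(event["ts"], event["host"], event["image"], event["parent"], reasons)


def scan(lines: List[str]) -> List[Finding]:
    """Run the detector over a list of raw log lines, skipping unparseable ones."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        finding = assess(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: hosts, users and command lines are invented for the example.
SAMPLE_LOG = [
    r'2024-02-01T10:15:02Z host=WS01 parent=explorer.exe user=corp\alice image=cmd.exe cmdline="cmd.exe /c dir"',
    r'2024-02-01T10:16:40Z host=WEB01 parent=w3wp.exe user="IIS APPPOOL\site" image=cmd.exe cmdline="cmd.exe /c whoami"',
    r'2024-02-01T10:17:05Z host=WS02 parent=mmc.exe user=corp\admin image=netsh.exe cmdline="netsh advfirewall show allprofiles"',
    r'2024-02-01T10:18:11Z host=WS03 parent=wscript.exe user=corp\bob image=powershell.exe cmdline="powershell.exe -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="',
    r'2024-02-01T10:19:30Z host=WS01 parent=services.exe user="NT AUTHORITY\SYSTEM" image=svchost.exe cmdline="svchost.exe -k netsvcs"',
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host}: {f.image} <- {f.parent}: {'; '.join(f.reasons)}")
```

Run as written, the script flags only two of the six lines: the shell spawned by the web-server worker process and the PowerShell launch with an encoded command from a scripting host. The ordinary `cmd.exe` and `netsh.exe` launches from desktop and management-console parents produce nothing, which is the point: the signal comes from the surrounding context, not from the presence of the tool.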