Volt Typhoon and the U.S. Grid: Living-Off-the-Land Threats to Utilities, and How to Defend

U.S. agencies have warned that a People's Republic of China state-sponsored actor is pre-positioning inside critical infrastructure networks, using legitimate tools instead of malware to stay hidden. For utilities, the lesson is not panic. It is disciplined visibility, identity control, and segmentation. Z Cyber runs that program for you on Glance, our AI-native GRC platform, so detection and remediation happen continuously rather than in an annual scramble.
Z Cyber is a cybersecurity operating partner. We do not hand a utility a tool and walk away. We embed a dedicated, forward-deployed security team that implements and runs Glance, our AI-native GRC platform, on your behalf. For electric, water, and wastewater operators, the Volt Typhoon advisories from CISA, the NSA, and the FBI are a direct test of whether your program can see an adversary that brings no malware and leaves few traces. This post explains what the public reporting actually says, why living-off-the-land tradecraft defeats traditional defenses, and the specific controls a utility should put in place now.
What the joint advisory actually says
In February 2024, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Federal Bureau of Investigation, and partner agencies published a joint Cybersecurity Advisory describing PRC state-sponsored cyber activity attributed to the group tracked as Volt Typhoon. The central finding is that these actors have compromised and maintained persistent access to the IT environments of U.S. critical infrastructure organizations. You can read the advisory directly at CISA's advisory page.
Two points deserve emphasis because they shape every defensive decision that follows. First, the assessed intent is pre-positioning. The agencies describe the activity as enabling disruptive or destructive cyberattacks against critical infrastructure in the event of a major crisis or conflict with the United States, rather than espionage or immediate disruption. Second, the actors achieved long dwell times and conducted extensive pre-compromise reconnaissance, which means access was established quietly and held for an extended period before any consequence would become visible.
Why living-off-the-land defeats traditional defenses
The defining characteristic of this activity is its reliance on living-off-the-land, or LOTL, techniques. Rather than dropping custom malware that a signature-based tool might catch, the actors use built-in administrative and network tools already present on the systems, combined with valid accounts. Native utilities, legitimate remote management interfaces, and credentials harvested from the environment let the actor operate inside the normal flow of administrative activity.
This matters because most utility security programs were built to catch the wrong thing. Antivirus, signature detection, and indicator-of-compromise matching look for known-bad files and hashes. When the adversary uses the same tools your own administrators use, there is no malicious file to flag and no novel binary to quarantine. The malicious activity blends in with routine operations. Detection therefore has to shift from "is this file known-bad" to "is this behavior normal for this account, on this host, at this time."
Can your team distinguish a legitimate admin session from an intruder using the same tools?
Z Cyber builds the behavioral baselines and centralized logging that make LOTL activity visible.
Which sectors are in scope, and why utilities sit at the center
The public reporting names communications, energy, transportation systems, and water and wastewater systems among the targeted sectors. Energy utilities and water and wastewater operators therefore appear directly in the threat picture. These are not abstract targets. They are operators of the physical systems that the assessed pre-positioning is meant to threaten.
For utilities, the additional risk is the seam between information technology and operational technology. The advisory describes compromise of IT environments, and the concern for grid and water operators is that IT access can become a stepping stone toward the operational systems that control physical processes. That is why utility security programs cannot treat IT and OT as separate problems owned by separate teams. The boundary between them is exactly where an adversary that has established quiet IT persistence will look to move next.
Mapping defenses to NERC CIP and IEC 62443
The defensive guidance in the advisory aligns closely with controls utilities are already accountable for under NERC CIP and, for industrial systems, IEC 62443. The value of that alignment is practical. The same investments that close the Volt Typhoon exposure also satisfy mandatory compliance obligations, so detection capability and audit readiness advance together. The table below maps observed tradecraft to defensive controls and the standards that govern them.
| Adversary technique | Defensive control | Standard alignment |
|---|---|---|
| Use of valid accounts and harvested credentials | Phishing-resistant MFA, least privilege, credential rotation, removal of stale accounts | NERC CIP-004, CIP-005, IEC 62443 IAC (identification and authentication control) requirements |
| Living-off-the-land use of built-in tools | Behavioral and anomaly detection, centralized log review, command-line and PowerShell logging | NERC CIP-007 (system security and logging) |
| Abuse of remote management interfaces | Hardened and restricted management access, electronic security perimeters, jump-host enforcement | NERC CIP-005 (electronic security perimeters and remote access) |
| Lateral movement toward sensitive systems | Network segmentation, strict IT and OT separation, zone and conduit design | IEC 62443 zones and conduits, NERC CIP-005 |
| Long dwell time before any consequence | Tested incident response, threat hunting, and E-ISAC coordination | NERC CIP-008 (incident reporting and response) |
The defensive priorities a utility should act on now
Translating the advisory into action comes down to a short list of priorities, each of which directly counters LOTL tradecraft.
Comprehensive, centralized logging. You cannot hunt for behavior you do not record. Command-line activity, PowerShell, authentication events, and network flows need to be captured and aggregated where they can be reviewed together. Logs sitting unread on individual hosts are not a detection capability. This is the single most important investment against an adversary that leaves no malware behind.
Behavioral and anomaly detection. With centralized telemetry in place, the goal is to baseline what normal administrative activity looks like and alert on deviation. An administrator account authenticating from an unusual host, at an unusual hour, running an unusual sequence of built-in tools is the kind of signal that distinguishes an intruder from routine operations.
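The two priorities above, centralized logging and behavioral baselining, can be shown together in a small script. The following is an added example written for this post; it is not code from Z Cyber, Glance, or the joint advisory. It assumes telemetry has already been aggregated into JSON lines with the fields `ts`, `account`, `host`, `event` and, for process events, `cmd` (that schema, the account and host names, and every log line are constructed for illustration). It builds a per-account profile of normal hosts, hours and built-in tools from a known-good window, then flags later events that deviate in several ways at once, which is the "wrong host, wrong hour, unfamiliar tool" signal the paragraph describes.

```python
"""Baseline-and-deviation check for administrative activity.

Added example, not the page's or Z Cyber's code. Assumed input: JSON lines
with ts (ISO 8601), account, host, event ("logon" or "process"), and cmd for
process events. All telemetry below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed known-good history: a network admin working from the jump hosts
# during business hours with a small set of built-in tools.
BASELINE_LOG = r"""
{"ts": "2024-03-04T09:12:00", "account": "svc-netadmin", "host": "jump01", "event": "logon"}
{"ts": "2024-03-04T09:13:10", "account": "svc-netadmin", "host": "jump01", "event": "process", "cmd": "C:\\Windows\\System32\\ipconfig.exe /all"}
{"ts": "2024-03-04T09:15:42", "account": "svc-netadmin", "host": "jump01", "event": "process", "cmd": "netsh.exe interface show interface"}
{"ts": "2024-03-05T14:02:00", "account": "svc-netadmin", "host": "jump01", "event": "logon"}
{"ts": "2024-03-05T14:03:30", "account": "svc-netadmin", "host": "jump01", "event": "process", "cmd": "powershell.exe -Command Get-Service"}
{"ts": "2024-03-06T16:40:00", "account": "svc-netadmin", "host": "jump02", "event": "logon"}
{"ts": "2024-03-06T16:41:05", "account": "svc-netadmin", "host": "jump02", "event": "process", "cmd": "C:\\Windows\\System32\\ipconfig.exe /all"}
"""

# Constructed events to review: the same account appears on a finance
# workstation at 02:13 using a tool it has never used, then resumes normally.
REVIEW_LOG = r"""
{"ts": "2024-03-12T02:13:00", "account": "svc-netadmin", "host": "ws-finance-07", "event": "logon"}
{"ts": "2024-03-12T02:14:20", "account": "svc-netadmin", "host": "ws-finance-07", "event": "process", "cmd": "netsh.exe interface show interface"}
{"ts": "2024-03-12T02:15:01", "account": "svc-netadmin", "host": "ws-finance-07", "event": "process", "cmd": "C:\\Windows\\System32\\wbem\\wmic.exe process list brief"}
{"ts": "2024-03-12T10:05:00", "account": "svc-netadmin", "host": "jump01", "event": "logon"}
{"ts": "2024-03-12T10:06:10", "account": "svc-netadmin", "host": "jump01", "event": "process", "cmd": "netsh.exe interface show interface"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts, converting ts to a datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def tool_name(cmd):
    """Reduce a command line to its bare tool name so paths and casing do not fragment the baseline."""
    return PureWindowsPath(cmd.split()[0]).stem.lower()


def build_baseline(events):
    """Per-account profile of the hosts, hours and tools seen in known-good history."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set(), "tools": set()})
    for ev in events:
        profile = baseline[ev["account"]]
        profile["hosts"].add(ev["host"])
        profile["hours"].add(ev["ts"].hour)
        if ev["event"] == "process":
            profile["tools"].add(tool_name(ev["cmd"]))
    return dict(baseline)


def score_event(ev, baseline):
    """List every way an event deviates from its account's profile."""
    profile = baseline.get(ev["account"])
    if profile is None:
        return ["account has no baseline"]
    reasons = []
    if ev["host"] not in profile["hosts"]:
        reasons.append(f"host {ev['host']} not in baseline")
    if ev["ts"].hour not in profile["hours"]:
        reasons.append(f"hour {ev['ts'].hour:02d} outside baseline")
    if ev["event"] == "process" and tool_name(ev["cmd"]) not in profile["tools"]:
        reasons.append(f"tool {tool_name(ev['cmd'])} not in baseline")
    return reasons


def hunt(events, baseline, min_reasons=2):
    """Flag events with at least min_reasons deviations.

    One oddity (an admin logging on an hour early) is noise; several at once
    (unfamiliar host, off-hours, unfamiliar tool) is the signal worth a look.
    """
    findings = []
    for ev in events:
        reasons = score_event(ev, baseline)
        if len(reasons) >= min_reasons:
            findings.append({"ts": ev["ts"].isoformat(), "account": ev["account"],
                             "host": ev["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    profile = build_baseline(parse_events(BASELINE_LOG))
    for finding in hunt(parse_events(REVIEW_LOG), profile):
        print(finding)
```

Run against the constructed data, the three early-morning events on the finance workstation are flagged (host and hour deviate, and the third also introduces a tool the account has never run), while the 10:05 session on the jump host is not, because only the hour is outside the short baseline window. The threshold is the tuning knob: a real baseline spans weeks, not three days, and the deviation count is what keeps a single stale-baseline artifact from paging an analyst.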
Strong identity and credential hygiene. Because the actors rely on valid accounts, identity is the control plane. Phishing-resistant MFA on remote access, least privilege so a compromised account yields little, prompt removal of stale and orphaned accounts, and disciplined credential rotation all reduce both the likelihood and the blast radius of credential abuse.
Segmentation and IT and OT separation. Network segmentation limits how far quiet IT access can travel. The IT to OT boundary deserves particular rigor, since that is the path from a compromised business network toward the systems that run physical processes. Our guide to IT and OT convergence security for utilities goes deeper on segmenting that boundary without breaking operations.
Hardened management interfaces. Remote management and administrative interfaces are high-value to an actor abusing legitimate tools. Restricting where they can be reached from, enforcing jump hosts, and hardening their configuration shrinks the surface that LOTL tradecraft depends on.
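The segmentation and management-interface points above can be checked mechanically against the network flow records that the logging priority already collects. The following is an added example written for this post, not Z Cyber's, Glance's, or IEC 62443's code. It assumes a zone model in the IEC 62443 sense (subnets mapped to named zones), an allow-list of conduits as (source zone, destination zone, destination port), and flow records as CSV with the columns `ts,src_ip,dst_ip,dst_port`; the subnets, ports and flows are all constructed. Two conduit sets are given side by side: a strict design where the only route from the business network to controllers runs through a jump host and the OT DMZ, and a permissive variant that lets the business LAN talk to controllers directly, so the audit shows what each design would and would not catch.

```python
"""Zone-and-conduit audit over flow records.

Added example, not the page's or Z Cyber's code. Assumed inputs: a
subnet-to-zone map, an allow-list of conduits, and flows as CSV
'ts,src_ip,dst_ip,dst_port'. All addresses and flows are constructed.
"""
import csv
import io
import ipaddress

# Constructed zone model. Anything outside these ranges is treated as external.
ZONES = {
    "it_corp": ipaddress.ip_network("10.10.0.0/16"),         # business network
    "it_jump": ipaddress.ip_network("10.20.5.0/24"),         # hardened jump hosts
    "ot_dmz": ipaddress.ip_network("172.16.1.0/24"),         # historian / relay tier
    "ot_control": ipaddress.ip_network("192.168.100.0/24"),  # controllers and HMIs
}

# Strict design: corp -> jump (RDP) -> OT DMZ (SSH) -> control (Modbus/TCP).
STRICT_CONDUITS = {
    ("it_corp", "it_jump", 3389),
    ("it_jump", "ot_dmz", 22),
    ("ot_dmz", "ot_control", 502),
}
# Permissive variant typical of a flat network: business LAN reaches controllers directly.
PERMISSIVE_CONDUITS = STRICT_CONDUITS | {("it_corp", "ot_control", 502)}

# Constructed flow records, e.g. exported from a firewall or NetFlow collector.
FLOWS_CSV = """ts,src_ip,dst_ip,dst_port
2024-03-12T10:00:01,10.10.4.21,10.20.5.10,3389
2024-03-12T10:00:09,10.20.5.10,172.16.1.20,22
2024-03-12T10:01:30,172.16.1.20,192.168.100.15,502
2024-03-12T10:02:45,10.10.4.21,192.168.100.15,502
2024-03-12T10:03:12,10.10.4.21,192.168.100.15,3389
2024-03-12T10:04:00,203.0.113.7,10.20.5.10,3389
"""


def zone_of(ip):
    """Map an address to its zone name, or 'external' if it belongs to none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def check_flow(row, conduits):
    """Return None if the flow rides an approved conduit, else a violation record."""
    src, dst = zone_of(row["src_ip"]), zone_of(row["dst_ip"])
    port = int(row["dst_port"])
    if src == dst:
        return None  # intra-zone traffic is governed by host policy, not conduits
    if (src, dst, port) in conduits:
        return None
    return {"ts": row["ts"], "path": f"{src} -> {dst}:{port}",
            "src_ip": row["src_ip"], "dst_ip": row["dst_ip"]}


def audit_flows(csv_text, conduits):
    """Every cross-zone flow that is not on the conduit allow-list."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [v for v in (check_flow(r, conduits) for r in reader) if v]


if __name__ == "__main__":
    for label, conduits in (("strict", STRICT_CONDUITS), ("permissive", PERMISSIVE_CONDUITS)):
        print(label)
        for v in audit_flows(FLOWS_CSV, conduits):
            print("  ", v["ts"], v["path"], v["src_ip"], "->", v["dst_ip"])
```

Under the strict conduit set the audit reports three violations: two direct flows from a business workstation to a controller, and an external address reaching a jump host's RDP port, which is exactly the exposed management interface the paragraph above warns about. The permissive set silently accepts the Modbus flow from the business LAN, which is the point of writing the conduit list down: a flow audit is only as good as the boundary you are willing to enforce.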
How Z Cyber runs this on Glance
Reading an advisory is straightforward. Sustaining the controls it recommends, across IT and OT, while staying audit-ready for NERC CIP, is the hard part for a lean utility security team. That is the work Z Cyber takes on as your operating partner. Our forward-deployed team implements the logging, detection baselines, identity controls, and segmentation above, then operates them continuously on Glance.
Glance gives the program a single place to track control coverage, evidence, and gaps against the standards that matter. Rather than discovering during an annual assessment that logging was incomplete or that stale accounts accumulated, the program surfaces drift as it happens and our team remediates it. The result is a posture that treats Volt Typhoon not as a headline to react to once, but as a permanent design constraint your program is built to withstand. To benchmark where you stand today, start with our NERC CIP compliance checklist for 2026.
Treat pre-positioning as a design constraint, not a fire drill.
Z Cyber operates your detection, identity, and segmentation program continuously on Glance.
Frequently asked questions
Who is Volt Typhoon? Volt Typhoon is the name used for a People's Republic of China state-sponsored cyber threat actor. In a February 2024 joint Cybersecurity Advisory, CISA, the NSA, the FBI, and partner agencies described the group compromising and maintaining persistent access to the IT environments of U.S. critical infrastructure organizations, with an assessed intent of pre-positioning for potential disruptive or destructive attacks in a future crisis or conflict.
What are living-off-the-land (LOTL) techniques? Living-off-the-land techniques use the legitimate, built-in tools and valid accounts already present in a target environment rather than custom malware. Because the activity uses the same utilities administrators use, it produces no malicious file for signature-based tools to catch and blends in with normal operations, which makes it difficult to detect and is why behavioral detection and centralized logging are essential.
What critical infrastructure does Volt Typhoon target? The public reporting names communications, energy, transportation systems, and water and wastewater systems among the targeted sectors. Energy utilities and water and wastewater operators are therefore directly in scope, which places the threat squarely in front of grid and water operators.
How can utilities defend against Volt Typhoon? The advisory and standard practice point to comprehensive centralized logging, behavioral and anomaly detection, phishing-resistant MFA with strong credential hygiene and least privilege, network segmentation with strict IT and OT separation, and hardened management interfaces, supported by tested incident response. These map directly to NERC CIP-005, CIP-007, and CIP-008 and to IEC 62443. Z Cyber implements and operates these controls for you on Glance.