Dragos reports that Chinese-linked threat actor Volt Typhoon continued compromising U.S. utilities through 2025, embedding in operational technology networks to pre-position for disruptive attacks. Researchers warn many compromises—especially in smaller water-sector utilities—may never be found, with initial access groups like SYLVANITE handing breaches to Volt Typhoon. #VoltTyphoon #SYLVANITE
Key points
- Volt Typhoon remained active through 2025, targeting strategic U.S. utilities to map and embed in OT networks.
- Dragos and U.S. officials say some infected sites—particularly smaller water utilities—are unlikely to be discovered or remediated.
- SYLVANITE has been observed gaining initial access and handing compromises off to Volt Typhoon for further activity.
- Threat actors exploited vulnerabilities in Ivanti products and Trimble Cityworks to breach local government and utility networks.
- Exfiltrated GIS, sensor, and operational data can be weaponized to plan precise, disruptive attacks on electric and water infrastructure.
Read More: https://therecord.media/researchers-warn-volt-typhoon-still-active-critical-infrastructure