
Volt Typhoon Still Targeting Critical Infrastructure, Report Finds

 


Cybersecurity investigators are warning that the threat actor widely tracked as Volt Typhoon may still have hidden access inside segments of U.S. critical infrastructure, and some compromises could remain undiscovered permanently.

For nearly three years, U.S. military and federal law enforcement agencies have worked to identify and remove intrusions affecting electricity providers, water utilities and other essential service operators in strategically sensitive regions. Despite these sustained efforts, a newly released industry assessment suggests that the full scope of the activity may never be completely known.

In its latest annual threat report, industrial cybersecurity firm Dragos stated that actors associated with Volt Typhoon continued targeting American utility networks into 2025. The company indicated that, even with heightened public scrutiny and coordinated government response, the campaign remains ongoing.

Rob Lee, chief executive of Dragos, said in recent media briefings that the group is actively studying infrastructure environments and establishing footholds not only in the United States but also across allied nations. When asked whether every previously breached organization could ultimately detect and eliminate the intruders, Lee responded that certain compromised sites in both the U.S. and NATO countries may never be identified.

U.S. officials have previously assessed that the objective of Volt Typhoon is to position access within operational technology environments in advance of any geopolitical conflict. Operational technology systems manage physical processes such as electricity transmission, water treatment and industrial production. By embedding themselves in these networks ahead of time, attackers could potentially disrupt or delay U.S. military mobilization during a crisis. Lee added that the group prioritizes strategically significant entities and works to preserve long-term, covert access.

He also noted that regulatory measures expected over the next three to five years may strengthen detection standards across the sector. Larger electricity providers often possess advanced monitoring capabilities and incident response programs that improve their ability to uncover and expel actors. However, many smaller public utilities, particularly in the water sector, lack comparable technical resources. In Lee’s assessment, while investigations are technically possible at such organizations, it is unlikely that all will reach the maturity needed to detect and remove deeply concealed compromises. He suggested that, at the current pace, some portion of infrastructure may remain infiltrated.

China has rejected allegations linking it to Volt Typhoon. Nonetheless, previous U.S. government investigations reported discovering evidence of concealed access in infrastructure systems in Guam and in proximity to American military installations, raising concerns about strategic intent. Officials have also acknowledged that the total number of affected entities is unknown and that any publicly cited figures likely underestimate the scale.

The Dragos report further describes another activity cluster, referred to by the company as SYLVANITE, which allegedly secures initial entry into infrastructure networks before access is leveraged by Volt Typhoon. According to the firm, this activity has targeted operational technology systems across North America, Europe, South Korea, Guam, the Philippines and Saudi Arabia, affecting oil and gas operations, water utilities, electricity generation and transmission entities, and manufacturing organizations.

Lee characterized this second group as facilitating access rather than directly causing operational disruption, effectively preparing entry points for subsequent exploitation.

Researchers also linked recent high-profile vulnerability exploitation campaigns to these actors, including flaws in widely deployed Ivanti enterprise software and in Trimble's Cityworks geographic information system platform. A year ago, the Cybersecurity and Infrastructure Security Agency (CISA) instructed federal civilian agencies to urgently remediate a Cityworks vulnerability, after which private security firms reported that Chinese-linked actors had used it to compromise multiple local government networks.

Dragos warned that unauthorized access to geographic information system data can provide detailed infrastructure mapping and asset intelligence. Such information, if exploited, could enable adversaries to design targeted and potentially disruptive industrial control system operations. The firm concluded that Volt Typhoon’s more recent activity reflects movement beyond conventional IT data theft toward direct engagement with operational technology devices, including the collection of sensor readings and operational parameters, heightening concerns for essential service resilience.
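The report's observation that the actors are now polling OT devices for sensor readings and operational parameters points to a concrete check defenders can run: ICS protocol reads (Modbus register and coil reads, for instance) should originate only from the HMI and engineering hosts in the asset inventory, and any other host reading from several PLCs in a short window looks like enumeration. The script below, an added example written for this page and not code from Dragos or from the report, applies that check to a handful of constructed Zeek-style modbus.log records; the allowlist, IP addresses, function names and log lines are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: simplified Zeek-style modbus.log records (tab-separated).
# Fields: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, func, exception
SAMPLE_LOG = """\
1700000000.100\t10.10.1.5\t49152\t10.10.2.20\t502\tREAD_HOLDING_REGISTERS\t-
1700000000.600\t10.10.1.5\t49153\t10.10.2.21\t502\tREAD_INPUT_REGISTERS\t-
1700000001.200\t10.10.9.77\t51000\t10.10.2.20\t502\tREAD_HOLDING_REGISTERS\t-
1700000001.300\t10.10.9.77\t51001\t10.10.2.21\t502\tREAD_HOLDING_REGISTERS\t-
1700000001.400\t10.10.9.77\t51002\t10.10.2.22\t502\tREAD_INPUT_REGISTERS\t-
1700000001.500\t10.10.9.77\t51003\t10.10.2.23\t502\tREAD_HOLDING_REGISTERS\t-
1700000002.000\t10.10.1.6\t49200\t10.10.2.20\t502\tWRITE_SINGLE_REGISTER\t-
1700000002.500\t10.10.9.77\t51004\t10.10.2.20\t502\tWRITE_SINGLE_REGISTER\t-
"""

# Assumed asset inventory: the only hosts that legitimately poll the PLCs
# (an HMI and an engineering workstation in this hypothetical plant).
KNOWN_POLLERS = {"10.10.1.5", "10.10.1.6"}

READ_FUNCS = {"READ_HOLDING_REGISTERS", "READ_INPUT_REGISTERS",
              "READ_COILS", "READ_DISCRETE_INPUTS"}
WRITE_FUNCS = {"WRITE_SINGLE_REGISTER", "WRITE_MULTIPLE_REGISTERS",
               "WRITE_SINGLE_COIL", "WRITE_MULTIPLE_COILS"}


@dataclass(frozen=True)
class ModbusEvent:
    ts: float
    src: str
    dst: str
    func: str


def parse_modbus_log(text):
    """Parse the tab-separated records above into ModbusEvent objects,
    skipping blank lines and Zeek '#' header lines."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 6:
            continue
        events.append(ModbusEvent(float(parts[0]), parts[1], parts[3], parts[5]))
    return events


def find_unexpected_pollers(events, known_pollers, min_targets=2):
    """Return {src: sorted PLC list} for hosts outside the allowlist that
    read registers or coils from at least min_targets distinct devices,
    the pattern of someone surveying process values rather than operating."""
    targets = defaultdict(set)
    for e in events:
        if e.func in READ_FUNCS and e.src not in known_pollers:
            targets[e.src].add(e.dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def find_unexpected_writers(events, known_pollers):
    """Any write from a host outside the allowlist: escalate immediately,
    since a write changes process state rather than just observing it."""
    return sorted({(e.src, e.dst, e.func) for e in events
                   if e.func in WRITE_FUNCS and e.src not in known_pollers})


def analyse(text, known_pollers=KNOWN_POLLERS):
    events = parse_modbus_log(text)
    return {
        "unexpected_pollers": find_unexpected_pollers(events, known_pollers),
        "unexpected_writers": find_unexpected_writers(events, known_pollers),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for src, devices in result["unexpected_pollers"].items():
        print(f"ALERT: {src} read process values from {len(devices)} PLCs: {', '.join(devices)}")
    for src, dst, func in result["unexpected_writers"]:
        print(f"CRITICAL: {src} issued {func} to {dst}")
```

On the constructed sample, the two known pollers produce nothing, while 10.10.9.77 is flagged once for reading from four PLCs and once for a write. The allowlist is the whole check: without a maintained inventory of which hosts are supposed to talk Modbus, which is exactly what the smaller utilities discussed above tend to lack, this rule cannot be run at all.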


'Gay Furry Hackers' Claim to Have Stolen Nearly 3000 NATO Files

 

NATO is "actively addressing" various IT security breaches after a hacktivist group claimed it accessed some of the military alliance's websites once more, this time acquiring over 3,000 files and 9GB of data. 

When questioned about the suspected intrusion, a NATO official declined to answer specific questions and stated that: "NATO is facing persistent cyber threats and takes cyber security seriously. NATO cyber experts are actively addressing incidents affecting some unclassified NATO websites. Additional cyber security measures have been put in place. There has been no impact on NATO missions, operations and military deployments." 

On Sunday, SiegedSec claimed to have broken into six NATO web portals, including the alliance's Joint Advanced Distributed Learning e-learning site; the NATO Lessons Learned Portal, from which the gang claimed to have taken 331 documents; the Logistics Network Portal (588 documents and other files); the Communities of Interest Cooperation Portal (207 documents); and the NATO Standardisation Office (2,116 documents). 

The hacktivists, who call themselves "gay furry hackers," mainly target government organisations whose policies they disagree with and have a taste for political PR stunts. They also shared a link to the allegedly stolen files on their Telegram channel. 

"The astonishing siegedsec hackers have struck NATO once more!!1!!!," the crew wrote, bragging: "NATO: 0. Siegedsec: 2." 

The hacking group is referring to its previous NATO infiltration in July, when it claimed to have stolen material from 31 countries and exposed 845MB of data from the alliance's Communities of Interest (COI) Cooperation Portal. 

Although the portal holds no classified information, it is used by NATO bodies and member nations, and SiegedSec claims to have broken into it again towards the end of September.

Threat intelligence firm CloudSEK analysed the exposed material from the previous hack and discovered at least 20 unclassified documents and 8,000 personnel records with names, firms and units, working groups, job titles, business email addresses, home addresses, and images.

In other words: essentially everything a spy, would-be identity thief, doxxer, social-engineering campaign coordinator or plain old troll would want for fraud, phishing, espionage or general havoc.