How to Hunt for Volt Typhoon Activity in an OT Network 

If you run security for an industrial environment and you have not been losing sleep over Volt Typhoon, you probably have not been paying attention.

CISA, the NSA, and the FBI have been ringing the bell on this group since 2023, and the most recent industry threat intel paired with analysis from the IISS confirms what a lot of us suspected: they never really left.

They are still inside U.S. critical infrastructure networks, and through 2025, their operators shifted from pure IT-side reconnaissance to actually touching OT-connected devices and pulling sensor and operational data. CISA launched a brand new program called CI Fortify to help operators plan for delivering essential services while assuming an adversary already has a foothold. That tells you where we are.

So let’s cut to what most folks reading this actually need: how do you hunt for Volt Typhoon, also tracked as VOLTZITE in some industry reporting, inside an OT network you are responsible for?

Here is how our team approaches it when we are pulling on threads with Valkyrie at a customer site. Not theory. Not a checklist somebody wrote in a vacuum. Actual hunt logic that has paid off in real environments. 

What Makes This Group Different 

Most ICS-focused threat actors that get attention are the ones with custom malware. Pipedream. Industroyer. CRASHOVERRIDE. You can write signatures. You can blocklist a hash. You feel like you have something to swing at. 

Volt Typhoon is the opposite problem. There is barely any malware to find. The tradecraft is built around valid accounts, native binaries, and edge devices the operator already owns, rather than implanted malware.

They will sit on a Fortinet appliance you forgot about, harvest an Active Directory credential, log in like a normal admin, and quietly inventory your network for months. CISA has documented cases where this group maintained access for five years before discovery. Five years. Think about how many configuration changes, personnel changes, and patching cycles happen in five years inside a utility. 

If you want a broader primer on why active hunting matters in OT environments, we’d point you to our Active OT Threat Hunting post before you go further, because everything that follows assumes you have accepted that signature-based detection alone is not going to find this adversary. 

Start at the IT/OT Boundary, Not the PLCs 

A mistake we see a lot of newer hunters make is that they want to start with the field devices. They go straight for the controllers and the HMIs because that is the “important” part of the network. With Volt Typhoon, that is the wrong end of the rope to pull on. 

This group enters through internet-exposed infrastructure, almost always on the IT side. From there, they target Active Directory, harvest credentials, and only then start sniffing around for paths into OT. The Massachusetts water utility case at LELWD is a textbook example.

Unpatched FortiGate, credential theft, lateral movement, and eventually access into OT-adjacent systems. The juicy hunt space is everything between the corporate network and your Purdue Level 3, and especially anything sitting in the IT/OT DMZ. 

That means your jump hosts. Your historian servers. Engineering workstations that get domain authentication. The Citrix or remote access broker your integrator uses to reach the plant. Domain controllers that have visibility into OT. That is the terrain. 

Five Hunt Threads That Actually Work 

Here is the framework our team runs through, in order. None of these are silver bullets on their own. The signal comes from stitching them together. 

1. Edge Device Behavior and Misuse 

Volt Typhoon loves perimeter gear. SOHO routers, end-of-life firewalls, exposed management interfaces. They use these as proxies and as pivot points. If you have any internet-facing device that touches your OT network or shares credentials with anything that does, treat it as a hunt priority. 

Things we look for: 

  • Outbound connections from edge devices to residential IP space, ISP-owned dynamic blocks, or hosting providers that have no business reason to be in your traffic. Volt Typhoon routes through compromised SOHO routers globally to obscure origin. 
  • Management interface logins from unexpected source IPs, especially outside normal admin hours. 
  • Configuration changes that nobody in your change management system can explain. 
  • Logging gaps. If a firewall stopped sending logs for a window, that is a hunt lead, not a forwarder problem to ignore. 

2. Living Off the Land Patterns on IT/OT Adjacent Hosts 

This is where most defenders get stuck, because LOTL is by definition the abuse of stuff that is supposed to be there. The trick is not to ask “Did PowerShell run?” It is to ask, “Did PowerShell run in a way that does not fit this host’s role?” 

An engineering workstation should not be running ntdsutil. A historian should not be calling wmic to query remote process trees. A DMZ jump box should not be invoking cmd.exe with encoded PowerShell payloads. The hunt is about role-based anomaly, not binary blocklisting. 

Specific behaviors worth chasing: 

  • ntdsutil.exe invoked anywhere, ever, outside of a known domain controller maintenance window. This group has been observed using it to dump NTDS.dit and then mine it for credentials, including credentials that work on domain-joined OT assets.
  • vssadmin or wmic process call create from non-administrator workstations.
  • netsh portproxy commands setting up local relays.
  • Encoded PowerShell command lines, especially with base64 or compressed arguments.
  • reg save targeting the SAM, SECURITY, or SYSTEM hives.
  • csvde.exe used to enumerate Active Directory. CISA called this out as a Volt Typhoon technique, and it is not common in routine admin work.

If you do not have endpoint visibility into IT/OT adjacent Windows hosts, that is the first gap we’d close. Our Host Data post goes deeper into what telemetry to pull and how to use it. Good network detection plus poor host detection still leaves you blind to a lot of what this group does inside a workstation. 


3. East-West Movement Patterns 

Once they have credentials, Volt Typhoon moves like an admin. SMB and RDP do the heavy lifting. Public threat intel reporting has flagged SMB traversal and RDP lateral movement as Volt Typhoon signatures during their OT-adjacent intrusions. 

Network-side hunt ideas: 

  • Build a baseline of which hosts normally talk SMB to which other hosts, then look for first-time pairs, especially anything talking SMB toward Level 3 or Level 3.5 systems. 
  • RDP sessions originating from user workstations into server-class machines, particularly off-hours. 
  • Authentication events showing valid logons to multiple servers from a single workstation in a short window, which is classic credential testing.
  • Service creation events on remote hosts via SMB (\\target\IPC$ followed by service registration). Impacket-style behavior. 
  • Kerberos ticket requests for service accounts that should never be used interactively. 
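The first-time-pair baseline and the one-workstation-to-many-servers logon check from the list above, as an added example that is not part of the original post. The flow pairs, logon records and Purdue levels are constructed; in practice they come from the IT/OT firewall or sensor and from your asset inventory.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow pairs (src, dst, proto) from a known-good baseline period and from
# the hunt period; real input would come from the IT/OT firewall or a network sensor.
BASELINE_FLOWS = [("EWS-01", "HIST-01", "smb"), ("JUMP-01", "EWS-01", "rdp"),
                  ("EWS-01", "FILE-01", "smb")]
HUNT_FLOWS = [("EWS-01", "HIST-01", "smb"), ("WS-USER-17", "HIST-01", "smb"),
              ("WS-USER-17", "JUMP-01", "smb"), ("WS-USER-17", "CORP-FS01", "smb")]
# Purdue level per host, assumed to come from the asset inventory; 99 means unknown.
LEVEL = {"HIST-01": 3.5, "JUMP-01": 3.5, "EWS-01": 3, "FILE-01": 4, "CORP-FS01": 4}

# Constructed 4624-style network logons: (ts, source workstation, target server).
LOGONS = [
    ("2025-03-02T01:02:00", "WS-USER-17", "HIST-01"),
    ("2025-03-02T01:02:20", "WS-USER-17", "JUMP-01"),
    ("2025-03-02T01:03:10", "WS-USER-17", "EWS-01"),
    ("2025-03-02T01:04:05", "WS-USER-17", "FILE-01"),
    ("2025-03-02T09:30:00", "ADMIN-01", "HIST-01"),
]

def first_time_pairs(baseline, observed, max_level=3.5):
    """Pairs absent from the baseline whose destination sits at Purdue Level <= max_level."""
    known = set(baseline)
    return sorted({f for f in observed if f not in known and LEVEL.get(f[1], 99) <= max_level})

def logon_bursts(logons, window=timedelta(minutes=5), min_targets=3):
    """Sources with valid logons to >= min_targets distinct servers inside one sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst in logons:
        by_src[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, rows in by_src.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            targets = {d for t, d in rows[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(len(targets), flagged.get(src, 0))
    return flagged

if __name__ == "__main__":
    print(first_time_pairs(BASELINE_FLOWS, HUNT_FLOWS))
    print(logon_bursts(LOGONS))
```

Build the baseline from a period you have already reviewed; a baseline that already contains the adversary's traffic will hide it.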

The IT/OT firewall logs are gold here, assuming the firewall is actually inspecting the traffic that crosses it and not just acting as a routing layer. A lot of plants we have walked into have a “DMZ” that is really just two VLANs with an open rule between them. If that describes you, hunting is going to be harder than it needs to be, and that is also the first thing we’d fix.

4. Credential Abuse and AD Reconnaissance 

Active Directory is the prize, because it gives the operator the keys to the kingdom across both IT and OT. Volt Typhoon’s pattern is steal credentials, test them quietly, expand access, repeat. 

What we watch for: 

  • Domain controller event ID 4662 showing DRSUAPI replication property access, which indicates DCSync attempts.
  • Account logon failures from a single source against many destinations (password spray pattern). 
  • Successful logons to OT-relevant accounts from hosts that have never used them before. 
  • Default vendor credentials being tested against domain-joined OT systems. CISA explicitly noted Volt Typhoon doing this. If you have a Rockwell, GE, Siemens, or Schneider system that is domain-joined and still has any default account enabled, assume it is in play. 
  • BloodHound-style LDAP enumeration. Heavy LDAP queries from a workstation that does not normally do AD admin work. 
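The DCSync and password-spray checks from the list above, as an added example that is not part of the original post. The 4662 and 4625 records are constructed; the replication-right GUIDs are the published Active Directory control-access rights, and the allowlist is an assumed parameter for vetted directory-sync accounts.

```python
from collections import defaultdict

# Extended rights a DCSync (DRSUAPI replication) request needs; these are the published
# AD control-access right GUIDs, not values taken from this post.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Constructed 4662 records with the fields as exported from the DC Security log.
EVENTS_4662 = [
    {"SubjectUserName": "DC-02$",      # DC-to-DC replication: expected
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "svc_backup",  # a user account asking for replication rights: not expected
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "jdoe",        # ordinary object access, placeholder non-replication GUID
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
]
# Constructed 4625 records: (IpAddress, TargetUserName, Computer that logged the failure).
EVENTS_4625 = [
    ("10.20.5.17", "opsadmin", "HIST-01"), ("10.20.5.17", "scada_svc", "HIST-01"),
    ("10.20.5.17", "hist_admin", "HIST-01"), ("10.20.5.17", "eng01", "EWS-01"),
    ("10.20.5.17", "Administrator", "JUMP-01"),
    ("10.20.5.40", "jsmith", "FILE-01"), ("10.20.5.40", "jsmith", "FILE-01"),
]

def dcsync_candidates(events_4662, allow=frozenset()):
    """Principals that requested replication rights but are neither DC machine accounts
    nor on the allowlist (e.g. a directory-sync service account you have vetted)."""
    vetted = {a.lower() for a in allow}
    hits = []
    for e in events_4662:
        user, props = e["SubjectUserName"], e["Properties"].lower()
        if any(g in props for g in REPL_RIGHTS) and not user.endswith("$") \
                and user.lower() not in vetted:
            hits.append(user)
    return hits

def spray_sources(events_4625, min_targets=5):
    """Source IPs whose failed logons span >= min_targets distinct (account, destination) pairs."""
    targets = defaultdict(set)
    for ip, user, computer in events_4625:
        targets[ip].add((user.lower(), computer))
    return {ip: len(t) for ip, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    print(dcsync_candidates(EVENTS_4662), spray_sources(EVENTS_4625))
```

Machine accounts are excluded as a heuristic only; a compromised account with a trailing "$" still needs review, so tune the allowlist rather than the exclusion.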

If your OT assets pull authentication from the same forest as IT, you need to assume Volt Typhoon’s IT-side credential theft maps directly to your control system access. NTDS.dit is the connective tissue. Treat it accordingly. 

5. Data Staging and OT-Adjacent Collection 

Recent reporting was a wake-up call for anyone who thought this group was only interested in IT data, or was merely pre-positioning rather than actually collecting OT data. Operators have been observed pulling SCADA data, OT device configurations, historian data, GIS data, and operational sensor readings. Network diagrams. P&IDs. Anything that maps the environment.

Hunt indicators: 

  • Creation of password-protected archives. Microsoft documented Volt Typhoon staging collected data in encrypted ZIPs. Look for 7zip, WinRAR, or makecab activity producing files on systems that have no business creating archives. 
  • Unusual reads against historian databases, especially bulk exports outside of business hours. 
  • File shares browsed by a user account that has never accessed them.
  • GIS data copied or queried from systems that store utility asset information. Water and electric folks, this one is for you.
  • Outbound transfers, even small ones, to cloud storage providers that your environment does not use. Stage-and-exfil does not have to be big to be meaningful. 

The Dwell Time Problem 

Here is what we want you to internalize. Volt Typhoon’s whole point is to be there when something happens, not to make noise now. The intent, based on what CISA and ODNI have published, is pre-positioning for disruption during a geopolitical crisis. That means the absence of impact is not evidence of absence. Quiet is the goal. 

Some of the public reporting has suggested that for portions of the water sector and smaller municipal utilities, this access may never get fully rooted out. That is a tough thing to read, and it is the right reason to take hunting seriously, even if you have no incident on your hands today. Assume compromise. Hunt anyway. 

This is also why we are genuinely glad to see CISA’s CI Fortify program. The premise of designing OT to operate while isolated from IT, with manual procedures and resilient backups, is the kind of thinking that should have been happening for years. If you are an operator, that program is worth tracking. 

Where Valkyrie Fits 

We’ll keep this short, because nobody likes a sales pitch in the middle of a hunt blog. Valkyrie is the OT security monitoring platform our team runs when we are doing this work. Three reasons it matters for a Volt Typhoon hunt specifically. 

First, the platform is built for OT network data, which means we can pivot from a suspicious east-west SMB session to the actual protocol context of the traffic from an engineering workstation to a PLC, and then investigate the subsequent OT communications without leaving the tool. When the hunt requires correlating IT-side telemetry with OT-side traffic at the boundary, that workflow matters.


Second, Valkyrie supports active hunting at the host layer, which is the gap most network-only OT tools leave wide open. LOTL on a jump box is invisible to a passive sensor. Pairing the host context with the network context is how you close that. 

Third, for sites that cannot accept cloud connectivity or even sustained internet access, we have Cygnet, which is the flyaway kit version of Valkyrie. Our team has taken Cygnet into the air-gapped substations and remote pump stations where there is no chance of running a cloud-connected tool. Same hunt capability, all local, packed into a case we can carry.

For an assessment engagement against a Volt Typhoon-style adversary at a site with no internet, that is the right kit. Our professional services team uses it routinely on hunt and assessment engagements, so if you want help running this kind of hunt rather than building it from scratch yourself, that is an option. 

Where to Start Tomorrow 

If we had one hour and a customer asked where to begin, here is what we would do: 

  1. Pull a list of every host in your environment that bridges IT and OT in any way. Jump hosts, historians, engineering workstations, AV servers, and remote access infrastructure. That is your hunt surface.
  2. Check the last 90 days for ntdsutil, csvde, vssadmin, and encoded PowerShell on any of those hosts.
  3. Audit which accounts on OT systems are domain-joined and which still have vendor defaults. Document and remediate.
  4. Confirm your edge devices are patched, management interfaces are not exposed, and you actually have logs flowing from them.
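One way to run the process check in that list over the bridging hosts it starts with, using the role-based LOTL logic from hunt thread 2 earlier in the post. This is an added example, not code from the original post: the process records, the maintenance window and the role field are constructed, and in practice they come from Sysmon or 4688 exports joined against your asset inventory.

```python
import re
from datetime import datetime

# Constructed Sysmon EID 1 / 4688-style records for the IT/OT bridging hosts;
# "role" is an assumed field joined in from the asset inventory, not a log field.
EVENTS = [
    {"ts": "2025-03-02T03:14:00", "host": "EWS-01", "role": "engineering_workstation",
     "cmdline": "ntdsutil.exe"},
    {"ts": "2025-03-02T10:05:00", "host": "HIST-01", "role": "historian",
     "cmdline": "wmic /node:PLC-GW01 process call create cmd.exe"},
    {"ts": "2025-03-02T11:40:00", "host": "JUMP-01", "role": "jump_host",  # encodes Get-Date
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand RwBlAHQALQBEAGEAdABlAA=="},
    {"ts": "2025-03-02T22:10:00", "host": "DC-01", "role": "domain_controller",
     "cmdline": "ntdsutil.exe"},
    {"ts": "2025-03-02T09:00:00", "host": "EWS-02", "role": "engineering_workstation",
     "cmdline": "reg save HKLM\\SYSTEM C:\\temp\\sys.hiv"},
    {"ts": "2025-03-03T09:30:00", "host": "ADMIN-01", "role": "admin_workstation",
     "cmdline": "vssadmin list shadows"},
]
# Approved DC maintenance windows from change management (constructed): host -> (start, end).
MAINT = {"DC-01": (datetime(2025, 3, 2, 22, 0), datetime(2025, 3, 3, 2, 0))}
ADMIN_ROLES = {"admin_workstation", "domain_controller"}

def in_maint_window(host, ts):
    w = MAINT.get(host)
    return bool(w) and w[0] <= ts <= w[1]

def hunt(events):
    """Return (host, rule) pairs; each rule mirrors one bullet from hunt thread 2."""
    hits = []
    for e in events:
        c, ts, role = e["cmdline"].lower(), datetime.fromisoformat(e["ts"]), e["role"]
        if c.startswith("ntdsutil") and not in_maint_window(e["host"], ts):
            hits.append((e["host"], "ntdsutil outside a DC maintenance window"))
        if (c.startswith("vssadmin") or "process call create" in c) and role not in ADMIN_ROLES:
            hits.append((e["host"], "vssadmin/wmic process creation from a non-admin host"))
        if "portproxy" in c:
            hits.append((e["host"], "netsh portproxy relay"))
        if "powershell" in c and re.search(r"\s-(e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", c):
            hits.append((e["host"], "encoded PowerShell"))
        if re.search(r"\breg\s+save\b.*\\(sam|security|system)\b", c):
            hits.append((e["host"], "reg save of the SAM/SECURITY/SYSTEM hive"))
        if c.startswith("csvde"):
            hits.append((e["host"], "csvde AD enumeration"))
    return hits

if __name__ == "__main__":
    for host, rule in hunt(EVENTS):
        print(f"{host}: {rule}")
```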

None of that requires a new tool. It requires the discipline to actually look. Volt Typhoon is counting on people not looking. 

If you want a hand running through any of this, or you want to talk about what a hunt engagement looks like with Valkyrie or Cygnet at a site, reach out. This is the kind of work we do, and right now is the time to be doing it. 
