Volt Typhoon Maintained Long-Term Access to American Utilities, Says Dragos

In 2025, persistent threat actor campaigns against industrial control systems (ICS) and operational technology (OT) networks continued unabated, driven largely by nation-state actors with strategic geopolitical goals. According to the newly released Dragos annual threat report, a Beijing-linked team tracked as Voltzite — strongly correlated with the China-backed advanced persistent threat (APT) known as Volt Typhoon — maintained deep footholds inside U.S. infrastructure environments for intelligence collection and potential future disruption.


Who Is Volt Typhoon?

Volt Typhoon is a sophisticated, state-sponsored cyber threat actor tied to the People’s Republic of China. Cybersecurity companies and government agencies classify it as an APT focused on long-term, stealth-oriented infiltration of critical infrastructure systems — especially in North America. The group’s capabilities include reconnaissance, credential harvesting, and covert persistence inside victim networks.

Rather than seeking immediate tactical gains, Volt Typhoon’s campaigns are emblematic of strategic “pre-positioning” — establishing covert access that could be leveraged for future disruptive or destructive operations if geopolitical conditions deteriorate. This pattern aligns with warnings from U.S. cybersecurity authorities that PRC cyber actors are positioning inside industrial and IT networks to enable lateral movement into OT environments.


Findings from the 2025 Dragos Report

Continued Embeddedness in Critical Networks

Dragos’ assessment for 2025 highlights that Voltzite (Volt Typhoon) “continued embedding its malware inside strategic American utilities to maintain long-term persistence.” What distinguishes this recent activity from more conventional espionage is the focus on control-loop access — meaning the adversary isn’t just stealing data or credentials, but is interacting with systems close to the operational core of energy, oil & gas, and water facilities.

By compromising devices such as cellular gateways and industrial routers, the actors built paths into critical OT networks where they could both observe and potentially manipulate the programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems that manage physical operations.

This type of access isn’t transient: attackers appear intent on maintaining long-term presence and understanding of network topologies. Data stolen in these intrusions — such as engineering configurations, alarm logs, and sensor outputs — can significantly enhance an adversary’s ability to disrupt operations at scale.


What Makes Volt Typhoon Particularly Worrisome?

Living Off the Land and Evading Detection

Volt Typhoon doesn’t rely on flashy malware or noisy exploits. Instead, it leverages “living off the land” techniques, exploiting legitimate administrative tools within compromised environments to evade detection. Commands are issued via native utilities like PowerShell, WMIC, and system services, leaving minimal anomalous signatures for typical endpoint detection systems to flag.

This blend of stealth and persistence is a hallmark of advanced threat actors, enabling them to remain hidden for months — or even years — inside victim networks. Previous incidents have shown Volt Typhoon campaigns going undetected within U.S. infrastructure for extended periods, underscoring the challenge defenders face in OT environments where visibility is limited by design.

Expanded Targeting Beyond Espionage

Where many state-linked actors historically focused on data collection and traditional espionage, Volt Typhoon’s activity suggests intent to influence or disrupt physical infrastructure if strategic conditions warrant. Dragos CEO Robert M. Lee noted in his briefing that the intrusive presence was not merely about access, but about “access to take down” systems — indicating a shift from clandestine intelligence gathering toward operational disruption capabilities.

This aligns with broader threat intelligence assessments: U.S. agencies have repeatedly warned that Chinese cyber actors are positioning inside critical systems to be able to mount destructive cyberattacks in a crisis, particularly involving geopolitical flashpoints like Taiwan.


Broader Implications for OT Security

New Adversaries and Shifting Playbooks

The Dragos report doesn’t limit its findings to Volt Typhoon alone. It highlights three new OT-focused threat groups observed in 2025, bringing the total number of tracked threat groups to over two dozen. Many of these newcomers appear to specialize in early-stage access — scanning and exploiting internet-exposed industrial devices — and then handing that access to deeper intrusion teams.

This modular threat landscape signals a maturation of state-linked offensive cyber capabilities, with specialized teams focusing on initial compromise, lateral movement, and deep OT access. For defenders, this means threat hunting must evolve accordingly: from perimeter defense toward continuous monitoring, behavior analytics, and anomaly detection within OT traffic flows.
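The living-off-the-land pattern described above (PowerShell, WMIC and service activity that trips few signatures) and the move toward behaviour analytics that the report calls for, shown as an added example that is not code from Dragos or this article: a small baseline-deviation hunt over constructed Windows process-creation records. Host names, users, paths and the argument markers are assumptions chosen for illustration.

```python
"""Baseline-deviation hunt for living-off-the-land process activity. Added
example, not code from Dragos or the article; events are constructed to resemble
Windows process-creation records, and every host, user and path is hypothetical."""
from collections import Counter

# Constructed baseline: routine admin activity from a quiet period.
BASELINE = [
    ("hmi-01", "ops\\svc_backup", "services.exe", "powershell.exe", "-File C:\\ops\\backup.ps1"),
    ("hmi-01", "ops\\jdoe", "explorer.exe", "wmic.exe", "logicaldisk get size,freespace"),
    ("eng-ws-02", "ops\\jdoe", "explorer.exe", "powershell.exe", "-File C:\\ops\\export.ps1"),
]

# Constructed events from a later window; only the first one is routine.
NEW_EVENTS = [
    ("hmi-01", "ops\\svc_backup", "services.exe", "powershell.exe", "-File C:\\ops\\backup.ps1"),
    ("hmi-01", "ops\\jdoe", "cmd.exe", "wmic.exe", "/node:eng-ws-02 os get caption"),
    ("eng-ws-02", "ops\\jdoe", "explorer.exe", "powershell.exe", "-w hidden -enc <BASE64_PLACEHOLDER>"),
    ("hmi-01", "ops\\jdoe", "cmd.exe", "sc.exe", "query"),
]

# Argument markers for the native tools the article names (heuristic, not a
# signature set): remote WMIC and hidden/encoded PowerShell are rare in OT admin work.
LOTL_ARGS = {
    "wmic.exe": ("/node:",),
    "powershell.exe": ("-enc", "-w hidden"),
}

def key(host, user, parent, image):
    """Normalise the behavioural tuple the baseline is keyed on."""
    return (host.lower(), user.lower(), parent.lower(), image.lower())

def build_baseline(events):
    """Count how often each (host, user, parent, image) tuple occurred."""
    return Counter(key(h, u, p, i) for h, u, p, i, _ in events)

def hunt(baseline, events):
    """Return (host, image, reasons) for events that deviate from the baseline or carry
    LOTL-style arguments; a never-seen tuple alerts even when the command looks harmless."""
    findings = []
    for host, user, parent, image, cmdline in events:
        reasons = []
        if key(host, user, parent, image) not in baseline:
            reasons.append("unseen tuple")
        hits = [m for m in LOTL_ARGS.get(image.lower(), ()) if m in cmdline.lower()]
        if hits:
            reasons.append("lotl args: " + ",".join(hits))
        if reasons:
            findings.append((host, image.lower(), tuple(reasons)))
    return findings
```

The `sc.exe query` record is the instructive case: nothing in its command line is suspicious, yet the parent/user/host combination has never been seen on that machine, which is exactly the kind of deviation signature-based tooling misses.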

Operational Technology Risks

Industrial environments are inherently challenging for cybersecurity:

  • OT protocols often lack built-in security;
  • System uptime is prioritized over patching;
  • Visibility into east-west traffic is limited;
  • Legacy devices cannot be easily hardened.

In this context, adversaries like Volt Typhoon that can blend into noise while probing ICS networks pose a significant risk — not just to data integrity, but to physical safety, reliability, and national infrastructure resilience.


Conclusion: A Strategic Threat, Not a Tactical Glitch

Volt Typhoon’s continued activity in 2025 — and its deep embedding in U.S. industrial environments — points to a broader evolution in how nation-state cyber actors approach critical infrastructure. No longer satisfied with mere espionage, China-linked teams appear intent on shaping future conflict options by positioning themselves inside the very systems that keep society functioning.

Defenders must respond by adopting OT-centric security controls, improving threat visibility, investing in behavioral analytics, and fostering closer collaboration between IT, OT, and national cybersecurity agencies. Without such adaptive defenses, the door remains ajar for adversaries whose long-term strategy could one day translate into short-term disaster.