How China Pre-Positioned Inside American Water, Power, and Telecom Systems — and Why the Kill Switch Is the Point
On February 7, 2024, CISA, NSA, FBI, and their Five Eyes counterparts issued a joint advisory confirming that Volt Typhoon — a People's Republic of China state-sponsored cyber group — had maintained persistent access to multiple U.S. critical infrastructure networks for at least five years.[1] The compromised sectors included water treatment, power generation, oil and gas pipelines, transportation systems, and telecommunications.[2]
FBI Director Christopher Wray was unequivocal: "China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities."[2] CISA Director Jen Easterly added: "This threat is not theoretical. CISA teams have found and eradicated Chinese intrusions into critical infrastructure across multiple sectors, and what we've found to date is likely the tip of the iceberg."[3]
Volt Typhoon's operational security is exceptional — and deliberate. Unlike conventional APTs that deploy custom malware, Volt Typhoon almost exclusively uses built-in Windows administration tools: PowerShell, WMI, netsh, ntdsutil.[5] This technique — "living off the land" — means their activity is nearly indistinguishable from legitimate system administration. No malware signatures to detect. No anomalous binaries to flag. Just native commands executed by apparently authorized users.
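Because the tools named above are legitimate Windows binaries, signature matching has nothing to key on; what a defender can baseline is who normally runs them. The following detection sketch is an added example, not from the advisory or this article: it learns which accounts have historically invoked each tool and flags first-time use. The tool filenames are the real binaries; the events, hostnames and account names are constructed.

```python
"""Flag living-off-the-land tool use by accounts with no history of running that tool.

Added example (not from the CISA advisory or the article). Process-creation
records are modelled on Sysmon event 1 / Security 4688 fields; all sample data
below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Native Windows administration tools named in the text (real binary names).
LOTL_TOOLS = {"powershell.exe", "wmic.exe", "netsh.exe", "ntdsutil.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str   # ISO-8601, as exported from the SIEM
    host: str        # hostname the process started on
    user: str        # account that launched the process
    image: str       # lower-cased process filename


def build_baseline(events):
    """Return {user: {tool, ...}} from a learning window assumed to be clean."""
    baseline = defaultdict(set)
    for e in events:
        if e.image in LOTL_TOOLS:
            baseline[e.user].add(e.image)
    return baseline


def flag_lotl(events, baseline):
    """Return events where a LOTL tool is run by an account never seen using it."""
    return [e for e in events
            if e.image in LOTL_TOOLS and e.image not in baseline.get(e.user, set())]


# Constructed learning window: routine administration by known admins.
BASELINE_EVENTS = [
    ProcessEvent("2024-01-10T09:00:00", "DC01", "CORP\\adm.jlee", "powershell.exe"),
    ProcessEvent("2024-01-11T09:05:00", "DC01", "CORP\\adm.jlee", "ntdsutil.exe"),
    ProcessEvent("2024-01-12T14:20:00", "WS07", "CORP\\mpatel", "powershell.exe"),
]

# Constructed detection window: same admins plus a service account behaving oddly.
NEW_EVENTS = [
    ProcessEvent("2024-02-01T03:12:00", "DC01", "CORP\\adm.jlee", "ntdsutil.exe"),
    ProcessEvent("2024-02-01T03:14:00", "DC01", "CORP\\svc.backup", "ntdsutil.exe"),
    ProcessEvent("2024-02-01T03:15:00", "FW-MGMT", "CORP\\svc.backup", "netsh.exe"),
    ProcessEvent("2024-02-01T08:00:00", "WS07", "CORP\\mpatel", "powershell.exe"),
]


def run_demo():
    """Apply the baseline to the detection window; returns the flagged events."""
    return flag_lotl(NEW_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for e in run_demo():
        print(f"{e.timestamp} {e.host} {e.user} ran {e.image}: no prior use by this account")
```

In practice the baseline window should be long enough to cover infrequent but legitimate tasks (backups, domain controller maintenance), otherwise the first quarterly run by a real administrator fires the same alert.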
The group routes traffic through compromised small office and home office (SOHO) routers, firewalls, and VPN hardware — converting the everyday networking equipment of American homes and small businesses into a proxy infrastructure for espionage.[5] In January 2024, the FBI conducted court-authorized operations to remove Volt Typhoon malware from hundreds of compromised U.S. routers, disrupting the botnet they used to mask their origin.[4]
Secureworks assessed that Volt Typhoon's obsessive operational security "likely stemmed from embarrassment over the drumbeat of US indictments [of Chinese state-backed hackers] and increased pressure from Chinese leadership to avoid public scrutiny."[6] But the operational security serves a dual purpose: it also ensures the access survives discovery. According to cybersecurity researcher Ryan Sherstobitoff: "Unlike attackers who vanish when discovered, this adversary digs in even deeper when exposed."[7]
The U.S. intelligence community assesses that Volt Typhoon's purpose is not espionage in the traditional sense. The group is not exfiltrating classified documents or stealing intellectual property. It is pre-positioning destructive capability inside infrastructure that would be critical during a Taiwan contingency.[1]
Microsoft's original May 2023 analysis concluded that Volt Typhoon's campaigns "prioritize capabilities which enable China to sabotage critical communications infrastructure between the US and Asia during potential future crises."[5] The geographic targeting supports this: Guam — the forward staging base for any U.S. Pacific military response — was among the first confirmed targets.[5]
The logic is grimly elegant. If the PLA moves on Taiwan, the United States mobilizes. That mobilization depends on communications, power, water, fuel, and transportation networks functioning normally. If those networks are simultaneously disrupted — water treatment plants shut down, power grids destabilized, pipeline SCADA systems manipulated, telecom networks degraded — the mobilization slows. Military logistics collapse. Public panic diverts government attention. And the window for a fait accompli in the Taiwan Strait widens.
This is not a cyberattack. It is a pre-installed kill switch — dormant until the moment it provides maximum strategic leverage.
Multiple water treatment facilities have been compromised. Manipulation of water treatment SCADA systems could contaminate municipal water supplies or disable treatment processes. The operational technology (OT) environments in these facilities are notoriously under-secured; many run decades-old industrial control systems never designed for network connectivity.[2]
Electric utilities and oil and gas pipeline operators have been confirmed compromised. In February 2026, Dragos reported that Voltzite, the group "highly correlated" with Volt Typhoon, remained active in U.S. energy networks, with 11 of 26 tracked OT-focused threat groups active in 2025.[8] Three new OT-focused groups were identified in the same period.
In June 2024, Singapore's Singtel — a major regional telecom — was breached by Volt Typhoon.[9] In November 2025, Australian intelligence confirmed Chinese government hackers had probed Australian telecommunications networks, identifying both Volt Typhoon and the related group Salt Typhoon.[10] The campaign extends well beyond U.S. borders.
Transportation systems, including maritime ports and logistics networks, are confirmed in the target set.[2] Disruption of port operations and logistics during a military mobilization would compound the effects of energy and communications disruption: a cascading failure designed to paralyze the entire mobilization chain.
Volt Typhoon does not operate in isolation. U.S. intelligence has identified multiple PRC-linked groups targeting critical infrastructure in a coordinated campaign, each with distinct tactics and targets:
Salt Typhoon targeted U.S. telecommunications providers including AT&T, Verizon, and T-Mobile, intercepting real-time communications and accessing lawful intercept systems — the same wiretapping infrastructure used by U.S. law enforcement. This means Chinese intelligence potentially had access to the communications of targets under active FBI surveillance.[10]
Flax Typhoon operated a botnet of compromised IoT devices — cameras, routers, NAS devices — used as proxy infrastructure across Taiwan and the broader Indo-Pacific. The FBI disrupted this botnet in September 2024.[4]
The pattern is clear: these are not independent hacking groups pursuing separate objectives. They are components of a unified pre-positioning campaign, each preparing a different layer of infrastructure disruption capability for activation during a potential Taiwan conflict.
Volt Typhoon represents a fundamental shift in how nation-states prepare for conflict. This is not intelligence collection. It is not espionage. It is the pre-installation of destructive capability inside an adversary's civilian infrastructure, designed to activate at the moment of maximum strategic impact.[1]
The tradecraft — living off the land, routing through SOHO devices, avoiding custom malware — is optimized not for data theft but for persistence. The goal is to be inside the network when the order comes, not to extract value in peacetime. Five years of access with no exfiltration is not patience. It is pre-positioning.[5]
The strategic connection to Taiwan is assessed with high confidence by the U.S. intelligence community. Every compromised water plant, power grid, and telecom network is a node in a distributed denial-of-service attack against American society itself — timed to coincide with the moment the U.S. military needs that society functioning at full capacity.[1]
Operation Absolute Resolve demonstrated what CYBERCOM can do to an adversary's infrastructure offensively. Volt Typhoon is the mirror image: what China has already done to American infrastructure, waiting to be activated. The asymmetry is that the U.S. demonstrated its capability publicly. China's capability is designed to remain invisible until the moment it isn't.