Full Report
Plus 3 new goon squads targeted critical infrastructure last year

Three new threat groups began targeting critical infrastructure last year, while a well-known Beijing-backed crew - Volt Typhoon - continued to compromise cellular gateways and routers, and then break into US electric, oil, and gas companies in 2025, according to Dragos' annual threat report published on Tuesday.…
Analysis Summary
# Threat Actor: Voltzite (Volt Typhoon)
## Attribution & Identity
* **Actor Identification:** Voltzite
* **Aliases:** Volt Typhoon, "Beijing-backed crew," "PRC-backed crew."
* **Known Associations:**
  * **Sylvanite:** Functions as an initial access broker for Voltzite.
  * **Azurite:** Overlaps with Mint Sandstorm; focuses on engineering workstation access.
* **State Affiliation:** Attributed to the People's Republic of China (PRC) / Beijing.
## Activity Summary
Voltzite maintained continuous operations throughout 2025, focusing on long-term persistence within U.S. critical infrastructure. Unlike espionage-focused groups, Voltzite's 2025 activities were characterized by "getting inside the control loop" of industrial processes. Key operations included compromising cellular gateways to bridge into OT networks and utilizing a botnet for large-scale reconnaissance of energy and defense targets.
## Tactics, Techniques & Procedures
* **Living off the Land:** Compromising SOHO/edge devices (cellular gateways and routers) to mask traffic.
* **Initial Access Brokerage:** Utilizing sister groups (Sylvanite) to weaponize vulnerabilities in internet-facing products.
* **OT Lateral Movement:** Moving from compromised edge devices (e.g., Sierra Wireless AirLink) directly into pipeline OT networks.
* **Industrial Process Interference:** Accessing engineering workstations to steal configuration files, alarm data, and "force stop" instructions.
* **Reconnaissance:** Utilizing the **JDY botnet** to scan for public-facing IP ranges and VPN appliances.
* **Rapid Exploitation:** Weaponizing N-day vulnerabilities (F5, Ivanti, SAP) within 48 hours of public disclosure.
## Targeting
* **Sectors:** Electric power (generation, transmission, distribution), Oil and Gas (pipeline operations), Water and Sewage, Defense, Manufacturing, and Automotive.
* **Geography:** Primarily North America (United States), with additional activity in the UK, Europe, Asia, the Middle East, and the Asia-Pacific region.
* **Victims:** US electric, oil, and gas companies; US pipeline operators; undisclosed defense and government organizations.
## Tools & Infrastructure
* **Malware:** Custom malware designed for long-term persistence in OT environments. Data-wiping malware was observed in Iranian-aligned (Pyroxene) activity rather than in Voltzite operations, but it forms part of the broader 2025 threat landscape.
* **Infrastructure:**
  * **JDY Botnet:** Used for scanning and pre-staging.
  * **Compromised Edge Devices:** Sierra Wireless AirLink devices, cellular gateways, and routers.
  * **Vulnerable Appliances:** F5, Ivanti, and SAP internet-facing products.
## Implications
Voltzite’s shift from IP theft to "disruptive and destructive" preparation represents a strategic pivot. By embedding in the "control loop" and stealing alarm/configuration data, the actor is pre-positioning to disable or destroy physical infrastructure during a geopolitical conflict. The use of specialized access brokers (Sylvanite) suggests a highly matured, modular organizational structure within Chinese state cyber operations.
## Mitigations
* **Harden Edge Infrastructure:** Prioritize patching of internet-facing appliances (F5, Ivanti, SAP) within a 24-hour window of vulnerability disclosure.
* **OT Segmentation:** Implement strict hardware-based isolation between IT networks and OT control loops to prevent lateral movement from compromised gateways.
* **Credential Management:** Audit VPN appliances and engineering workstations for unauthorized access; implement multi-factor authentication (MFA) that is resistant to bypass.
* **Asset Monitoring:** Monitor Sierra Wireless and other cellular gateway logs for unusual outbound traffic or unauthorized configuration changes.
* **Alarm/Config Protection:** Encrypt and restrict access to PLC configuration files and alarm logic data within engineering workstations.
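The two monitoring-oriented mitigations above (OT segmentation and gateway log monitoring) can be turned into concrete detection logic. The script below is an added example and is not part of the Dragos report or the article; the log layout, the policy values (egress allowlist, OT address range, authorized change account, change window) and the sample log lines are all constructed for illustration, and the real Sierra Wireless AirLink event format is assumed to be different. It flags gateway traffic to unapproved destinations, unusually large outbound transfers, gateway-initiated connections into OT address space, and configuration changes by unauthorized accounts or outside the change window.

```python
"""Flag suspicious cellular-gateway events in syslog-style log lines.

Checks implemented:
  1. outbound connections to destinations outside an egress allowlist
  2. unusually large outbound transfers
  3. connections the gateway itself initiates into OT address space
  4. configuration changes by unauthorized accounts or outside a change window
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# --- Policy (constructed for this example; tune to your environment) ---
ALLOWED_EGRESS = [ip_network("203.0.113.0/24")]   # e.g. the SCADA head-end / telemetry collector
OT_NETWORKS = [ip_network("192.168.50.0/24")]     # control network the gateway must never reach directly
LARGE_EGRESS_BYTES = 10 * 1024 * 1024             # >10 MiB in one flow from a telemetry gateway is unusual
AUTHORIZED_CONFIG_USERS = {"svc_netops"}          # only the config-management account may change settings
CHANGE_WINDOW_UTC = range(8, 18)                  # hours (UTC) during which config changes are expected

# Constructed sample lines in a generic syslog-like key=value layout.
# The real AirLink event format may differ; this layout is an assumption.
SAMPLE_LOGS = """\
2025-03-02T01:14:07Z gw-pipeline-07 conn: proto=tcp src=10.40.7.2 dst=203.0.113.25 dport=443 bytes_out=1820
2025-03-02T01:14:09Z gw-pipeline-07 conn: proto=tcp src=10.40.7.2 dst=198.51.100.9 dport=8443 bytes_out=52330112
2025-03-02T02:03:41Z gw-pipeline-07 config: user=admin action=change key=remote_access value=enabled
2025-03-02T02:05:12Z gw-pipeline-07 conn: proto=tcp src=10.40.7.2 dst=192.168.50.15 dport=502 bytes_out=4096
2025-03-02T09:10:00Z gw-pipeline-07 config: user=svc_netops action=change key=ntp.server value=10.40.0.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): (?P<kv>.*)$")


def parse_line(line):
    """Return (timestamp, host, kind, fields) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    return ts, m["host"], m["kind"], fields


def in_any(addr, networks):
    return any(addr in net for net in networks)


def check_connection(fields):
    """Rules 1-3: egress allowlist, transfer size, gateway-to-OT connections."""
    reasons = []
    dst = ip_address(fields["dst"])
    if in_any(dst, OT_NETWORKS):
        reasons.append(f"gateway-initiated connection into OT network ({dst}:{fields['dport']})")
    elif not in_any(dst, ALLOWED_EGRESS):
        reasons.append(f"egress to unapproved destination {dst}:{fields['dport']}")
    if int(fields.get("bytes_out", 0)) > LARGE_EGRESS_BYTES:
        reasons.append(f"large outbound transfer ({fields['bytes_out']} bytes)")
    return reasons


def check_config_change(ts, fields):
    """Rule 4: who changed the configuration, and when."""
    reasons = []
    if fields.get("action") != "change":
        return reasons
    if fields.get("user") not in AUTHORIZED_CONFIG_USERS:
        reasons.append(f"config change by unauthorized account '{fields.get('user')}' ({fields.get('key')})")
    if ts.hour not in CHANGE_WINDOW_UTC:
        reasons.append(f"config change outside change window at {ts:%H:%M}Z ({fields.get('key')})")
    return reasons


def analyze(lines):
    """Return one finding per suspicious line: {'line', 'host', 'reasons'}."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not silently trusted
        ts, host, kind, fields = parsed
        if kind == "conn":
            reasons = check_connection(fields)
        elif kind == "config":
            reasons = check_config_change(ts, fields)
        else:
            reasons = []
        if reasons:
            findings.append({"line": n, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS.splitlines()):
        print(f"line {f['line']} [{f['host']}]")
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed sample, lines 2, 3 and 4 are flagged: the 52 MB transfer to an address outside the allowlist, the off-hours change by an account that is not the configuration-management identity, and the Modbus/TCP (port 502) connection the gateway opened directly into the OT range. The OT check is deliberately evaluated before the egress allowlist so that a control-network destination is always reported as a segmentation violation rather than as a generic unapproved egress.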