Volt Typhoon’s Persistent Threat to U.S. Infrastructure
The Cybersecurity and Infrastructure Security Agency (CISA), in a joint advisory with the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), has detailed the activities of a People’s Republic of China (PRC) state-sponsored cyber actor. This group, identified as Volt Typhoon, has been observed compromising and maintaining persistent access to U.S. critical infrastructure networks. The group’s primary objective is to pre-position itself within these networks, establishing long-term, undetected footholds.
Volt Typhoon’s operational tactics involve targeting public-facing network devices from manufacturers such as Cisco and NETGEAR. The actors gain initial access by conducting extensive brute-force attacks against these devices. Once inside a network, the group employs living-off-the-land techniques, using built-in network administration tools to blend in with normal administrative activity and evade detection. This approach allows them to maintain access for extended periods.
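As an added example (not code from the advisory or the article), the following threshold-based detector flags the brute-force pattern described above by counting failed logins per source address inside a sliding window. The syslog lines are constructed and modeled on the Cisco IOS `%SEC_LOGIN-4-LOGIN_FAILED` message; the exact field layout, the addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the advisory), modeled on the Cisco IOS
# %SEC_LOGIN-4-LOGIN_FAILED format; the layout may differ by platform and release.
SAMPLE_SYSLOG = """\
Dec 10 03:14:01 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 03:14:01 UTC Wed Dec 10 2025
Dec 10 03:14:09 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 03:14:09 UTC Wed Dec 10 2025
Dec 10 03:14:20 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 03:14:20 UTC Wed Dec 10 2025
Dec 10 03:14:33 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 03:14:33 UTC Wed Dec 10 2025
Dec 10 03:15:02 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 03:15:02 UTC Wed Dec 10 2025
Dec 10 03:15:47 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 03:15:47 UTC Wed Dec 10 2025
Dec 10 08:02:11 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: jdoe] [Source: 10.20.0.15] [localport: 22] [Reason: Login Authentication Failed] at 08:02:11 UTC Wed Dec 10 2025
Dec 10 08:02:40 edge-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 10.20.0.15] [localport: 22] at 08:02:40 UTC Wed Dec 10 2025
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ %SEC_LOGIN-4-LOGIN_FAILED: "
    r"Login failed \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)

def parse_failures(text, year=2025):
    """Yield (timestamp, source_ip, username) per failed-login line; other lines are ignored."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Syslog headers carry no year; the year is supplied by the caller (assumption).
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S").replace(year=year)
        yield ts, m["src"], m["user"]

def brute_force_sources(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (peak_failures_in_window, distinct_usernames)} for every
    source that reaches `threshold` failed logins within any sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(text):
        by_src[src].append((ts, user))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        times = [t for t, _ in events]
        start = peak = 0
        for end in range(len(times)):  # two-pointer sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[src] = (peak, len({u for _, u in events}))
    return hits
```

The distinct-username count separates a password spray across many accounts from repeated attempts against one account; both deserve a look when the source is an external address hitting a management port.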
BRICKSTORM Malware Capabilities
A key tool in Volt Typhoon’s arsenal is custom malware known as BRICKSTORM. This malware functions as a Remote Access Trojan (RAT) designed specifically for post-compromise activity. CISA’s analysis reveals that BRICKSTORM provides the actors with a range of capabilities to control compromised systems and exfiltrate data. Its functions include file transfer, command execution, and the ability to establish an interactive shell on the target device.
The joint cybersecurity advisory provides network defenders with specific indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with Volt Typhoon’s operations. The information is intended to help organizations detect and mitigate this threat. The agencies have confirmed that the actors have successfully compromised organizations across multiple U.S. critical infrastructure sectors, including Communications, Energy, Transportation Systems, and Water and Wastewater Systems.
Source: https://thehackernews.com/2025/12/cisa-reports-prc-hackers-using.html