The Chinese state-sponsored threat group known as Volt Typhoon has shifted its targeting to water utility infrastructure in the United States, according to a joint advisory from the FBI, NSA, and CISA. The group has been observed conducting reconnaissance and establishing persistent access in operational technology networks at water treatment facilities in at least six states.
Unlike traditional espionage operations that seek to exfiltrate data, Volt Typhoon's activity appears focused on pre-positioning for potential disruptive attacks. The group leverages living-off-the-land techniques, using legitimate administrative tools like PowerShell and WMI to avoid detection by security software.
The advisory urges water utilities to implement network segmentation between IT and OT environments, enforce multi-factor authentication on all remote access points, and monitor for anomalous use of administrative tools. Many small and mid-sized water utilities lack dedicated cybersecurity staff, making them particularly vulnerable to sophisticated nation-state threats.
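One way to act on the advisory's monitoring recommendation is a baseline-and-alert check over process-creation events: added example code, not from the advisory or any agency tool. It assumes constructed Windows 4688-style records, a hypothetical list of OT-zone hosts and the accounts permitted to run administrative tools there, and the general fact that WMI-launched processes appear as children of WmiPrvSE.exe.

```python
from collections import defaultdict

# Administrative tools the advisory names as abused for living-off-the-land activity.
ADMIN_TOOLS = {"powershell.exe", "wmic.exe"}
# Hypothetical OT-zone hosts and the only accounts expected to run admin tools on them.
OT_HOSTS = {"hmi-01", "plc-gw-02"}
OT_ADMINS = {"WATER\\otadmin"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\wbem\wmic.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed process-creation records: (host, account, image, parent_image).
BASELINE_EVENTS = [  # a learning window of known-good activity
    ("hmi-01", "WATER\\otadmin", WMIC, EXPLORER),
    ("fileserver", "WATER\\itadmin", PS, EXPLORER),
]
LIVE_EVENTS = [  # a later window to evaluate against the baseline
    ("fileserver", "WATER\\itadmin", PS, EXPLORER),
    ("hmi-01", "WATER\\svc_backup", PS, r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ("plc-gw-02", "WATER\\itadmin", WMIC, r"C:\Windows\System32\cmd.exe"),
    ("hmi-01", "WATER\\otadmin", r"C:\Windows\System32\notepad.exe", EXPLORER),
]

def basename(image):
    """Lower-cased file name of an image path, e.g. 'wmic.exe'."""
    return image.rsplit("\\", 1)[-1].lower()

def build_baseline(events):
    """Map (host, account) -> set of admin tools that pair normally runs."""
    baseline = defaultdict(set)
    for host, account, image, _parent in events:
        tool = basename(image)
        if tool in ADMIN_TOOLS:
            baseline[(host, account)].add(tool)
    return baseline

def detect(events, baseline):
    """Return (host, account, tool, reasons) for each anomalous admin-tool launch."""
    alerts = []
    for host, account, image, parent in events:
        tool = basename(image)
        if tool not in ADMIN_TOOLS:
            continue  # only the named admin tools are in scope
        reasons = []
        if tool not in baseline.get((host, account), set()):
            reasons.append("tool not in baseline for this host/account")
        if host in OT_HOSTS and account not in OT_ADMINS:
            reasons.append("admin tool on OT host by non-OT-admin account")
        if basename(parent) == "wmiprvse.exe":
            reasons.append("spawned via WMI (parent is WmiPrvSE.exe)")
        if reasons:
            alerts.append((host, account, tool, reasons))
    return alerts
```

Run against the constructed data, the IT admin's routine PowerShell use is silent, while the two launches on OT hosts produce alerts with their reasons attached.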