
Reviewed threat activity

Volt Typhoon Living-Off-The-Land Intrusions Against Critical Infrastructure

Volt Typhoon activity highlights long-term access to critical infrastructure using legitimate accounts, built-in administration tools, network discovery, and operational stealth rather than heavy malware deployment.

Framework: MITRE ATT&CK. Confidence: high.

How The Activity Unfolds In ATT&CK

Volt Typhoon is a useful case because the activity unfolds through ordinary administrative surfaces. The ATT&CK chain starts with valid account access, then proceeds through native command execution, network discovery, and selective movement of tools into the environment.

  1. T1078 Valid Accounts. Legitimate accounts provide access that can look like normal administration.
  2. T1059.003 Windows Command Shell. Built-in shells support execution without needing custom malware at every step.
  3. T1016 System Network Configuration Discovery. The actor learns routing, interfaces, and environment shape.
  4. T1105 Ingress Tool Transfer. Tools are introduced when native functionality is not enough.

Defender Readout

This activity is a top case because it pushes defenders toward identity, remote access, administrative command, and network discovery telemetry rather than malware-only detection.
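As an added example, not code from this page or from MITRE, the following Python sketches the kind of telemetry-driven check the readout points at: it scans constructed Windows process-creation records for a valid account running several built-in network-discovery commands through cmd.exe within a short window (T1078 plus T1059.003 plus T1016). The record fields, the command list, the window and the threshold are assumptions.

```python
from collections import defaultdict

# Built-in network-configuration discovery commands (T1016). Any one of them
# is routine administration; several distinct ones from the same account on
# the same host inside a short window is the pattern worth triaging.
DISCOVERY_CMDS = {"ipconfig", "netsh", "route", "arp", "nbtstat", "netstat"}

# Constructed sample telemetry (not real logs):
# (timestamp_seconds, host, user, parent_image, command_line)
SAMPLE_EVENTS = [
    (100, "ws01", "CORP\\alice", "explorer.exe", "cmd.exe /c ipconfig /all"),
    (110, "ws01", "CORP\\alice", "explorer.exe", "cmd.exe /c route print"),
    (125, "ws01", "CORP\\alice", "explorer.exe", "cmd.exe /c netsh interface show interface"),
    (130, "ws01", "CORP\\alice", "explorer.exe", "cmd.exe /c arp -a"),
    (140, "ws02", "CORP\\bob", "explorer.exe", "cmd.exe /c ipconfig"),
    (5000, "ws02", "CORP\\bob", "explorer.exe", "cmd.exe /c netstat -ano"),
]


def discovery_cmd(command_line):
    """Return the discovery binary launched via cmd.exe (T1059.003), or None."""
    parts = command_line.lower().split()
    if not parts or not parts[0].endswith("cmd.exe"):
        return None
    for tok in parts[1:]:
        # Strip any path prefix and .exe suffix so "C:\\Windows\\System32\\arp.exe" matches.
        name = tok.rsplit("\\", 1)[-1].removesuffix(".exe")
        if name in DISCOVERY_CMDS:
            return name
    return None


def find_discovery_bursts(events, window_s=300, min_distinct=3):
    """Group discovery commands per (host, user) and flag any burst of at least
    min_distinct distinct commands within window_s seconds. One alert per actor."""
    per_actor = defaultdict(list)
    for ts, host, user, _parent, cmd in sorted(events):
        name = discovery_cmd(cmd)
        if name:
            per_actor[(host, user)].append((ts, name))
    alerts = []
    for (host, user), seq in per_actor.items():
        for i, (start, _) in enumerate(seq):
            names = {n for ts, n in seq[i:] if ts - start <= window_s}
            if len(names) >= min_distinct:
                alerts.append({"host": host, "user": user, "commands": sorted(names)})
                break
    return alerts
```

On the sample set only ws01/CORP\alice is flagged; CORP\bob's two commands are 4860 seconds apart and stay below the threshold, which is the sort of baseline-versus-burst distinction that keeps a valid-account rule from paging on every admin.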

Evidence And Mapping Rationale

T1078 Valid Accounts

MITRE maps Volt Typhoon to use of legitimate accounts for access and persistence.

T1059.003 Windows Command Shell

MITRE lists Windows command shell execution as part of the actor's operational tooling.

T1016 System Network Configuration Discovery

MITRE maps the actor to network configuration discovery used to understand victim environments.

T1105 Ingress Tool Transfer

MITRE maps the actor to transferring tools into compromised environments.