
Volt Typhoon OT Defense: Stop Lateral Movement from IT to OT.

Volt Typhoon compromises IT, hides as legitimate administrative activity, and pivots to OT through whatever access path exists. CISA's April 2026 guidance names this attack pattern explicitly. The defense is identity-bound access at the IT/OT boundary, not network segmentation alone. This page covers what works.

Who Volt Typhoon Targets and Why.

Volt Typhoon is a state-sponsored threat group attributed to the People's Republic of China that has been active against US critical infrastructure since at least 2021. CISA, NSA, FBI, and allied intelligence agencies have issued multiple joint advisories naming the group. Its distinguishing tradecraft is living-off-the-land: rather than dropping custom malware, it uses the administrative tools already present on compromised hosts, so signature-based defenses have no malicious binary to match on. Targets include water and wastewater utilities, energy operators, transportation, and manufacturing. The objective is pre-positioning for future disruption, not immediate disruption. Trout maintains a public threat intelligence portal at https://threat-intelligence.trout.software/ with per-actor profiles and indicators.

Visit the Trout Threat Intelligence Portal
The Attack Pattern

How the IT-to-OT Pivot Works.

Published Volt Typhoon investigations follow a similar shape. Initial compromise on the IT side. Credential harvesting from common stores (LSASS memory, the Active Directory database, scripts with embedded passwords). Use of built-in administrative tools (PowerShell, WMI, RDP) for movement. Identification of the IT/OT boundary. Pivot through the path of least resistance. The defense lives at that pivot point.

What CISA Says

The April 2026 Position.

CISA's joint guidance published April 29, 2026 with the Department of War, DOE, FBI, and Department of State names Volt Typhoon as the canonical example of why network segmentation alone is insufficient. The recommendation is to assume the IT side is already compromised and design the OT boundary accordingly. Every IT-to-OT session must be authenticated, authorized, and logged. Inventory of paths is not a control. Identity-bound access is.
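The three requirements above (authenticated, authorized, logged, with deny-by-default) are easy to state and easy to get subtly wrong. The following is an added illustration, not Trout Access Gate code, of what the decision at the boundary looks like when every session is bound to a named IdP principal, MFA is a precondition rather than an option, and every decision, allowed or denied, lands in an audit trail. The field names, zone CIDRs, asset names, rules and sample sessions are assumptions for the example.

```python
"""Deny-by-default, identity-bound session check at an IT/OT boundary.

Added illustration, not Trout Access Gate code. It models the decision the
page describes: a session reaching OT must carry a named user asserted by the
IdP, a satisfied MFA claim, and an explicit matching rule, and every decision,
allowed or denied, is written to an audit trail. Field names, the zone CIDRs,
the asset names and the rules are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    user: str               # principal asserted by the IdP; "" if none presented
    mfa: bool               # MFA claim satisfied for this session
    src_ip: str             # where the session enters the gate
    dst_asset: str          # OT asset the session wants to reach
    protocol: str           # "rdp", "ssh", "modbus", ...
    service_account: bool = False   # shared/static credential, not a person


@dataclass(frozen=True)
class Rule:
    user: str
    dst_asset: str
    protocols: frozenset
    src_zone: str           # CIDR the session must originate from


OT_ASSETS = {"plc-boiler-01", "hmi-line-2", "historian-ot"}

# Explicit allow rules (assumed); anything not listed is denied.
POLICY = [
    Rule("alice@corp.example", "hmi-line-2", frozenset({"rdp"}), "10.10.0.0/16"),
    Rule("bob@corp.example", "plc-boiler-01", frozenset({"modbus"}), "10.10.5.0/24"),
]

AUDIT_LOG = []   # one record per decision, allowed or not


def evaluate(session, policy=POLICY):
    """Return (allowed, reason) and append an audit record for the decision."""
    allowed, reason = False, "no matching rule"          # deny by default
    if session.dst_asset not in OT_ASSETS:
        reason = "unknown OT asset"
    elif session.service_account or not session.user:
        reason = "session not bound to a named user"     # shared creds stop here
    elif not session.mfa:
        reason = "MFA not satisfied"
    else:
        for rule in policy:
            if (rule.user == session.user
                    and rule.dst_asset == session.dst_asset
                    and session.protocol in rule.protocols
                    and ip_address(session.src_ip) in ip_network(rule.src_zone)):
                allowed, reason = True, f"rule {rule.user} -> {rule.dst_asset}"
                break
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": session.user or "<none>",
        "src_ip": session.src_ip,
        "dst_asset": session.dst_asset,
        "protocol": session.protocol,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed, reason


# Constructed sessions: one legitimate engineer, then the shapes an intruder
# holding harvested IT credentials would present at the boundary.
SAMPLE_SESSIONS = {
    "engineer_ok": Session("alice@corp.example", True, "10.10.3.4", "hmi-line-2", "rdp"),
    "no_mfa": Session("bob@corp.example", False, "10.10.5.9", "plc-boiler-01", "modbus"),
    "shared_account": Session("svc_ot", True, "10.10.3.4", "hmi-line-2", "rdp", service_account=True),
    "wrong_protocol": Session("alice@corp.example", True, "10.10.3.4", "hmi-line-2", "ssh"),
    "offzone_source": Session("bob@corp.example", True, "192.168.50.7", "plc-boiler-01", "modbus"),
}


def run_samples():
    """Evaluate every sample session; returns {name: allowed}."""
    return {name: evaluate(s)[0] for name, s in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, ok in run_samples().items():
        print(f"{name:16} {'ALLOW' if ok else 'DENY'}")
    print(f"{len(AUDIT_LOG)} audit records written")
```

Two design points matter more than the rule syntax. The reason string for a denial is chosen before any rule is consulted, so a session that fails identity or MFA never reaches policy matching and cannot be allowed by an over-broad rule. And the audit record is written on every path through the function, including denials, which is what turns a dormant adversary's probing at the boundary into evidence.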

Read our full analysis of the CISA guidance
Defenses That Work

Mapped to Volt Typhoon TTPs.

Each defense below addresses a specific stage of the documented Volt Typhoon attack chain. Network segmentation is necessary but not sufficient because Volt Typhoon moves through paths that are explicitly permitted by segmentation policy.

1. Initial Compromise
Volt Typhoon TTP

Phishing, exposed VPN/RDP, or unpatched edge device on the IT side.

Access Gate Defense

MFA on every external-facing service. Access Gate enforces MFA at the proxy boundary for any session that will eventually reach OT, regardless of the entry point.

2. Credential Harvesting
Volt Typhoon TTP

Mimikatz, LSASS memory dumps, or extraction of the Active Directory database (NTDS.dit) and of password-manager vaults. Sometimes credentials are stored in plaintext in jump-host scripts.

Access Gate Defense

No shared credentials reach the OT boundary. Identity is presented to Access Gate from your IdP (Entra ID, Okta, etc.) per-session. Static OT credentials never sit on a workstation that can be compromised.

3. Lateral Movement (IT)
Volt Typhoon TTP

PowerShell remoting, WMI, RDP, SMB. Movement looks like normal admin activity. Signature-based defenses miss it.

Access Gate Defense

Detection on the IT side is necessary but not sufficient. The cut-off point is the IT/OT boundary, where Access Gate enforces explicit per-user policy regardless of where the connection originated.

4. IT/OT Boundary Discovery
Volt Typhoon TTP

Mapping of historian replication paths, vendor remote-access tunnels, dual-homed engineering workstations, and file transfer servers that straddle the boundary.

Access Gate Defense

Every IT/OT path terminates at Access Gate. There is no dual-homed shortcut, no forgotten vendor tunnel that bypasses enforcement. The path inventory is the policy inventory.

5. OT Pivot
Volt Typhoon TTP

Use of legitimate OT credentials (often shared, often static) to reach SCADA, HMIs, or PLCs. Establishment of persistence.

Access Gate Defense

OT-side authentication enforced at Access Gate. The connecting user's identity is bound to the session, not the asset's local credential. A flagged session is denied, not just logged.

6. Pre-Positioning
Volt Typhoon TTP

Remain dormant. Avoid actions that would trigger anomaly detection. Wait for activation.

Access Gate Defense

Full session recording with replay. Even a dormant adversary's reconnaissance creates an audit trail. Anomaly detection on session patterns surfaces low-and-slow activity that signature defenses miss.
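Stages 4 and 5 above rest on the claim that every IT/OT path terminates at the enforcement point. A practitioner should verify that rather than assume it. The following is an added example, not Trout code, of two checks run over a constructed inventory: any connection into the OT zone whose source is not the gate's OT-side address is a path that bypasses enforcement (a direct IT host, a vendor tunnel landing inside OT), and any host with interfaces in both zones is a dual-homed shortcut. The CIDRs, the gate address, the flow records and the interface inventory are assumptions for the example.

```python
"""Reconcile observed IT-to-OT paths against a single enforcement point.

Added example, not Trout code. Two checks over a constructed inventory:
(1) any connection into the OT zone whose source is not the gate's OT-side
address reached OT without passing through enforcement; (2) any host with
interfaces in both zones is a dual-homed shortcut around it. The CIDRs, the
gate address, the flow records and the interface inventory are assumptions.
"""
from ipaddress import ip_address, ip_network

IT_ZONE = ip_network("10.10.0.0/16")
OT_ZONE = ip_network("10.200.0.0/16")
GATE_OT_SIDE = ip_address("10.200.0.1")   # the only sanctioned source into OT


def zone_of(ip):
    addr = ip_address(ip)
    if addr in IT_ZONE:
        return "it"
    if addr in OT_ZONE:
        return "ot"
    return "external"


def bypass_flows(flows):
    """flows: (src_ip, dst_ip, dst_port, proto) tuples seen at the OT edge.
    Returns the flows that reached OT without passing through the gate."""
    findings = []
    for src, dst, port, proto in flows:
        if zone_of(dst) != "ot":
            continue                      # not a path into OT
        if ip_address(src) == GATE_OT_SIDE:
            continue                      # sanctioned: came through the gate
        if zone_of(src) == "ot":
            continue                      # intra-OT; the dual-homed check covers it
        findings.append({"src": src, "src_zone": zone_of(src), "dst": dst,
                         "port": port, "proto": proto})
    return findings


def dual_homed_hosts(interfaces):
    """interfaces: {hostname: [ip, ...]}. Returns hosts with a foot in both zones."""
    zones = {h: {zone_of(ip) for ip in ips} for h, ips in interfaces.items()}
    return sorted(h for h, z in zones.items() if {"it", "ot"} <= z)


# Constructed flow records (src, dst, dst_port, proto), shaped like what a
# flow sensor on the OT edge would export.
SAMPLE_FLOWS = [
    ("10.200.0.1",  "10.200.5.10", 3389, "tcp"),   # RDP via the gate: fine
    ("10.10.7.22",  "10.200.5.11",  502, "tcp"),   # IT workstation straight to a PLC
    ("203.0.113.9", "10.200.5.12", 5900, "tcp"),   # vendor VNC landing inside OT
    ("10.200.5.10", "10.200.5.11",  502, "tcp"),   # HMI to PLC, intra-OT
    ("10.10.7.22",  "10.10.9.3",    445, "tcp"),   # IT-only, out of scope
]

# Constructed interface inventory.
SAMPLE_INTERFACES = {
    "eng-ws-03":    ["10.10.4.15", "10.200.5.40"],   # dual-homed engineering workstation
    "historian-ot": ["10.200.1.5"],
    "dc-01":        ["10.10.0.10"],
}


if __name__ == "__main__":
    for f in bypass_flows(SAMPLE_FLOWS):
        print(f"BYPASS {f['src']} ({f['src_zone']}) -> {f['dst']}:{f['port']}/{f['proto']}")
    for h in dual_homed_hosts(SAMPLE_INTERFACES):
        print(f"DUAL-HOMED {h}")
```

Each finding is a path that the policy inventory does not cover: the fix is to remove the path or route it through the gate, not to add a detection rule for it. Intra-OT flows are deliberately skipped in the first check because a dual-homed host's OT-side traffic looks like any other OT traffic; the interface check is what exposes it.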

FAQ

Frequently Asked Questions

Who is Volt Typhoon?
Volt Typhoon is a state-sponsored threat group attributed by US intelligence agencies to the People's Republic of China. It has been active against US critical infrastructure since at least 2021. The group's tradecraft emphasizes living-off-the-land techniques that avoid malware in favor of legitimate administrative tools, making signature-based detection nearly impossible.
Why does Volt Typhoon target OT specifically?
Volt Typhoon targets US critical infrastructure operators, including water and wastewater utilities, energy producers, transportation systems, and manufacturers. The objective is pre-positioning for potential future disruption during a geopolitical conflict. OT systems are the actionable layer; IT compromise is the means of reaching them.
What does CISA recommend for Volt Typhoon defense in OT?
The April 2026 joint CISA guidance recommends assuming IT compromise and designing the OT boundary accordingly: every IT-to-OT session must be authenticated, authorized, and logged. Network segmentation alone is insufficient because Volt Typhoon moves through paths that segmentation explicitly permits. Identity-bound access at the boundary is the control.
Is network segmentation enough to stop Volt Typhoon?
No. CISA explicitly addresses this in the April 2026 guidance. Volt Typhoon's tradecraft involves moving through legitimate paths that segmentation policy permits. A flat or lightly segmented network leaves the path open; a segmented network with shared credentials or unmanaged vendor remote access leaves the path open in a different shape. The control is per-session identity binding, not segment isolation.
What specific Trout Access Gate capability addresses Volt Typhoon?
Every IT-to-OT session terminates at the appliance, where authentication with MFA is enforced against your identity provider. The session is bound to a named user, not a service account or shared credential. Full session payload is logged when configured and is replayable for forensic review. The path is denied by default unless an explicit policy permits it. This is the every-session-attributed-and-recorded pattern that closes the lateral-movement path Volt Typhoon relies on.
Where can I track Volt Typhoon and other named OT threat groups?
Trout maintains a public threat intelligence portal at https://threat-intelligence.trout.software/ with per-actor profiles, observed TTPs, and indicators. Government sources include CISA's threat advisories at cisa.gov and the Dragos OT threat intelligence reports.
Next Step

Stress-Test Your IT/OT Boundary.

Request a working session. We will walk through your IT/OT access paths, identify where shared credentials or unmanaged remote access leave a Volt Typhoon path open, and show how Access Gate closes it.

Request a Working Session