Dragos Reports Volt Typhoon Remains Embedded in US Critical Infrastructure
Dragos’ annual OT threat report warns that the China-linked Volt Typhoon operation (tracked by Dragos as Voltzite) continued compromising US critical infrastructure through 2025, including electric, oil, and gas organizations, by abusing edge devices such as cellular gateways and routers to gain and maintain long-term access. Dragos CEO Robert M. Lee said the activity is oriented toward pre-positioning for future disruption rather than intellectual property theft, with intrusions aimed at achieving persistence and, in some cases, getting “inside the control loop” of industrial processes.
US authorities and Dragos assess the strategic objective as establishing footholds in operational technology environments to enable destructive or disruptive attacks that could impede US response and military mobilization during a crisis. Lee also cautioned that some compromised sites in the US and allied countries may never be identified, particularly among smaller or less mature utilities (notably in the water sector), even as forthcoming US regulations over the next several years may improve detection and remediation capabilities across parts of the energy sector.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Dragos links Poland power-grid attacks to Electrum and names Kamacite
Separately in the same report, Dragos attributed attacks on Poland's power grid to Electrum, which it said overlaps with Russia's GRU-linked Sandworm. It also described Kamacite as Electrum's initial access provider conducting reconnaissance scanning of U.S. industrial devices.
Dragos discloses new OT threat groups Azurite and Pyroxene
Dragos' annual report introduced Azurite, a group overlapping with Flax Typhoon and focused on OT workstation access and operational data theft, and Pyroxene, a group overlapping with Iran-linked Imperial Kitten/APT35 using supply-chain and social-engineering tactics. The disclosure expanded the set of state-linked actors tracked as targeting operational technology environments.
Dragos identifies SYLVANITE as Volt Typhoon's access-enablement partner
In its annual OT threat report, Dragos named SYLVANITE as a new threat group acting as an initial access broker for Volt Typhoon/Voltzite by exploiting edge-device vulnerabilities across sectors and geographies. The company said the group hands off access for follow-on operations against critical infrastructure.
Ivanti and Trimble Cityworks exploitation linked to Volt Typhoon and SYLVANITE
Dragos linked recent exploitation of Ivanti and Trimble Cityworks vulnerabilities to Volt Typhoon and the related access-enablement group SYLVANITE. The activity may have enabled theft of GIS, sensor, and operational data useful for future disruptive attacks on electric and water utilities.
Volt Typhoon remains active in U.S. and allied critical infrastructure through 2025
Dragos said the Volt Typhoon operation continued targeting U.S. utilities throughout 2025 and remained embedded in U.S. and allied critical infrastructure despite prior U.S. military and law-enforcement disruption efforts. Researchers warned some utility compromises may never be fully found or eradicated, especially in less mature sectors such as water.
JDY botnet used to scan infrastructure for Volt Typhoon pre-staging
During 2025, Dragos observed the JDY botnet scanning IP ranges and VPN appliances to identify targets for possible pre-positioning linked to Voltzite/Volt Typhoon activity. The scanning supported access-enablement efforts against critical infrastructure environments.
Volt Typhoon compromises Sierra Wireless devices to reach pipeline OT networks
Dragos reported that the China-linked cluster it tracks as Voltzite used Sierra Wireless AirLink cellular gateways and routers to gain access toward pipeline operational technology networks. The activity affected U.S. electric, oil, and gas organizations and established long-term persistence that could enable later control-system manipulation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Ep. 53 - The Dragon's Shadow: China's Silent Cyber War Has Already Begun | SecuritySenses
securitysenses.com
Open sourceResearchers warn Volt Typhoon still embedded in US utilities and some breaches may never be found | The Record from Recorded Future News
therecord.media
Open sourceChina-linked crew embedded in US energy networks • The Register
go.theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
China-Linked Volt Typhoon and Flax Typhoon Use Stealthy Access in Critical Sectors
Microsoft and U.S. officials said China-linked threat groups **Volt Typhoon** and **Flax Typhoon** used living-off-the-land techniques and legitimate software to quietly compromise targets while minimizing detection. Volt Typhoon was tied to intrusions affecting U.S. critical infrastructure, with reporting describing the group as breaching networks through stealthy post-compromise activity rather than malware-heavy tradecraft. U.S. agencies later warned that the campaign appeared aimed at **pre-positioning** inside critical infrastructure for potential disruptive or destructive operations. Microsoft separately reported that **Flax Typhoon** targeted organizations in Taiwan for cyber-espionage, relying on valid credentials, remote access tools, and other trusted utilities to maintain persistence and blend into normal network activity. Subsequent reporting and later tracking indicated that Volt Typhoon remained active against U.S. infrastructure, reinforcing concerns that Chinese state-linked operators are sustaining long-term access across strategically important environments while using native tools and legitimate software to evade defenders.
May 26, 2026
Rising Risk of State-Linked Attacks on Power Grids and Operational Technology
Reporting highlighted growing concern that **state-affiliated and state-linked actors** are positioning for disruptive attacks against **operational technology (OT)** and critical infrastructure, with activity that may be difficult for operators to detect. A Codific analysis described five common pathways seen in disruptive grid-focused intrusions—often beginning with **human error or exposed perimeter services**, then escalating through **credential theft**, **remote access exploitation** (e.g., VPNs/gateways), **ransomware**, and misuse of **legitimate industrial commands** that can delay operations and complicate detection and recovery; it also warned that attacks on virtualized environments can hinder restoration efforts and that cascading impacts could be severe (e.g., Lloyd’s “Business Blackout” scenario estimating losses up to **$1T**). Recommended mitigations emphasized proven controls such as **phishing-resistant MFA** and **IT/OT segmentation**, rather than novel defenses. Separate commentary and media content also pointed to OT becoming a frontline in geopolitical escalation, including claims of a coordinated campaign tied to Iran-linked hacktivist activity targeting OT devices such as **Unitronics PLCs** used in water and industrial facilities, alongside psychological operations and SMS spoofing. Other items in the set were leadership/career/podcast-style content without specific incident or vulnerability detail and do not materially add to the OT/power-grid threat reporting.
Mar 21, 2026
Dragos Annual Review Warns of Mischaracterized OT Ransomware and Nation-State Prepositioning
Dragos’ annual review of cyberattacks targeting **operational technology (OT)** warns of a “silent epidemic” of **ransomware impacting commercial OT environments** that is frequently **mischaracterized as an IT-only incident**, obscuring operational impact and hindering effective response. Dragos CEO **Rob Lee** attributed this to gaps in OT understanding within IT security teams and to insufficient collection of OT network telemetry needed to perform reliable root-cause analysis and accurately scope incidents. The report also highlights concerning evolution in **nation-state OT threat activity**, describing a shift from basic initial-access efforts toward **OT-focused reconnaissance** and **pre-positioning** intended to enable future disruptive or real-world effects. Overall, Dragos frames the combination of limited OT visibility, misclassification of incidents, and increasingly purposeful nation-state operations as key risk drivers for organizations running industrial and other OT systems.
Mar 21, 2026