logo svg
logo

July 14, 2026

Updated: July 14, 2026

Salt Typhoon and Volt Typhoon Explained

How the China-linked threat clusters differ in mission, targets, and defensive priorities

Mohammed Khalil

Mohammed Khalil

Featured Image

Verification note: Attribution may change. This article uses public government, court, company, MITRE ATT&CK, and original vendor sources verified through July 14, 2026. Alias mappings require source support.

Quick answer: What is the difference between Salt Typhoon and Volt Typhoon?

Salt Typhoon is principally associated with telecommunications cyberespionage. Volt Typhoon is associated with persistent access to U.S. critical infrastructure and concern that access could support disruption in a future crisis. Both are publicly linked to the PRC, but they are separate analytical labels. Shared weaknesses in edge security, privilege, segmentation, and logging do not make them the same actor.

Executive summary

Salt Typhoon vs Volt Typhoon at a glance

DimensionSalt TyphoonVolt TyphoonConfidence / caveat
Public naming sourceMicrosoft weather-themed label; later used widely in government and industry reportingMicrosoft weather-themed label introduced publicly in May 2023High for labels; a label is not a legal entity
Public attributionFBI, CISA, Treasury, and allied agencies link the activity or overlapping activity to PRC state-sponsored actorsMicrosoft and a multinational government advisory attribute the activity to a PRC state-sponsored actorHigh for the cited public assessments; this article does not independently attribute activity
Primary reported objectiveCyberespionage and communications intelligence collectionPersistent critical-infrastructure access and assessed pre-positioning for possible disruptionHigh for official wording; future disruption is not certain
Main target environmentTelecommunications, internet-service-provider, and communications infrastructure; later guidance describes broader global network targeting with partial overlapU.S. and Guam critical infrastructure, particularly communications, energy, transportation, water and wastewaterHigh for core sectors; broader sector lists depend on source scope
Geographic reachU.S. telecom cases plus multinational reporting of global network targeting; some 2025 activity only partially overlaps the labelPublicly documented U.S. and Guam activity; supporting infrastructure can be distributed globallyModerate to high; do not convert campaign geography into a universal victim list
Commonly reported access layerNetwork edge, routers, administrative systems, and telecom management infrastructureInternet-facing systems, edge devices, enterprise IT, valid accounts, and paths that could reach OTHigh at category level
High-level tradecraftExploitation of exposed devices, credential and account use, configuration access, traffic collection, tunnelling, and persistence on network infrastructureLiving off the land, valid accounts, built-in administration, discovery, lateral movement, and proxying through compromised SOHO devicesHigh for cited behaviours; techniques are not unique identifiers
Persistence patternLong-lived network access intended to support collection and wider visibilityLong-term access designed to remain quiet; agencies reported multi-year persistence in some victimsHigh for general pattern; duration varies by victim
Main defensive concernLoss of communications confidentiality and trust in network managementLoss of operational confidence, continuity risk, and a possible bridge from enterprise IT toward operational functionsHigh as a risk framing, not proof of impact
Most relevant telemetryNetwork-device authentication, configuration history, flow records, privileged actions, routing and tunnelling changesIdentity, command and process context, east-west traffic, edge logs, configuration integrity, remote access, and IT/OT boundary telemetryEditorial synthesis based on official guidance
Official guidanceCommunications infrastructure hardening and enhanced visibility; global network-device mitigationsJoint living-off-the-land advisory, persistent-access advisory, leader guidance, and KV Botnet court actionHigh
Current knowledge limitationPublic sources do not reveal the cluster’s full membership, all victims, or a universal one-to-one alias mapPublic sources do not reveal command structure or prove that disruption will occurHigh

Source notes: FBI and CISA telecommunications statements, 2025 multinational global-network advisory, Microsoft’s original Volt Typhoon disclosure, and the 2024 joint critical-infrastructure advisory.

Comparison of Salt Typhoon’s telecommunications espionage focus with Volt Typhoon’s critical-infrastructure access and living-off-the-land activity.

Figure 1. Publicly reported differences and overlaps between Salt Typhoon and Volt Typhoon.

Source note: Based on current official government advisories and original naming-source research verified before publication.

What is Salt Typhoon?

Salt Typhoon is Microsoft's label for China-linked activity associated with telecommunications cyberespionage. It describes observed activity, not a legal entity or fixed membership list.

In October and November 2024, the FBI and CISA described PRC-affiliated access to commercial telecommunications infrastructure and reported theft of call-record data, selected private communications, and certain law-enforcement-request information. In April 2025, the FBI explicitly used the Salt Typhoon label; the U.S. Treasury also sanctioned Sichuan Juxinhe Network Technology for what it described as direct involvement.

The Canadian Centre for Cyber Security described edge-router activity and a telecom compromise. CISA AA25-239A covered wider targeting but said that activity only partially overlaps the Salt Typhoon label; it is not a one-to-one alias. For broader geographic context, DeepStrike separately analyses the countries most targeted by cyberattacks without using geography as proof of actor attribution.

Public sources do not reveal the full victim set, structure, or access routes. The wider risk is loss of metadata, routing, identity, and administrative trust in communications infrastructure.

What is Volt Typhoon?

Volt Typhoon is Microsoft's separate label for a PRC state-sponsored activity cluster. Microsoft disclosed it in May 2023 after observing activity in U.S. critical infrastructure, including Guam, and assessed that the campaign sought capabilities that could disrupt communications during a future crisis.

A February 2024 multinational advisory described compromises in communications, energy, transportation, and water and wastewater organisations. Agencies assessed with high confidence that the actors were pre-positioning in IT networks for possible movement toward OT and future disruption. This is an assessment of potential purpose, not proof that disruption occurred.

Volt Typhoon is also associated with living-off-the-land activity, valid accounts, and traffic proxied through compromised SOHO routers. The January 2024 U.S. Department of Justice action disrupted the KV Botnet, but that botnet was supporting infrastructure—not the whole actor or every victim foothold.

DeepStrike's guide to living-off-the-land techniques explains why identity, command context, network flows, and configuration evidence matter when endpoint telemetry is incomplete.

Are Salt Typhoon and Volt Typhoon the same group?

No authoritative source reviewed here establishes that Salt Typhoon and Volt Typhoon are the same group. They remain separate labels with different core targets and strategic assessments.

Shared PRC attribution, infrastructure targeting, valid accounts, or persistence may reflect common doctrine. They do not prove shared personnel, tooling, or command.

ClaimSupported?Evidence neededCurrent caveat
Both are publicly linked to PRC state-sponsored activityYesDirect government or original naming-source assessmentAttribution scope differs by source and event
Both have targeted network infrastructureYesTechnical advisory or incident recordA common target is not identity evidence
Salt Typhoon is Volt TyphoonNoDirect authoritative mapping supported by evidenceNo such mapping was found in the reviewed sources
Every activity carrying a related vendor label is identicalNoSource-specific one-to-one equivalenceThe 2025 joint advisory explicitly describes partial overlap for some Salt-related labels
Shared techniques prove shared commandNoCorroborating infrastructure, operational, and intelligence evidenceMany actors use the same built-in tools and device classes

For broader context on state-sponsored cyber threats, keep actor labels, campaigns, malware, botnets, vulnerabilities, and victim sets analytically separate.

Why the distinction matters

The distinction changes risk priorities. Salt raises a confidentiality question: which communications, metadata, management systems, and privileged workflows could be observed? Volt raises a continuity question: where could persistent access cross trust boundaries during a crisis?

Telecom teams need visibility into routers, management systems, subscriber platforms, and vendor access. Critical operators must also map IT-to-OT dependencies, engineering access, safety constraints, and recovery. Actor labels cannot replace incident scoping.

Targets and sectors

Sector or environmentSalt Typhoon reportingVolt Typhoon reportingSourceConfidence
Telecommunications and ISPsCore, repeatedly documented target environmentCommunications is a confirmed critical-infrastructure sectorFBI/CISA 2024; CISA 2024High
Network edge and routersConfirmed in Canadian and multinational guidanceSOHO and edge infrastructure used for access or proxyingCanadian Cyber Centre 2025; DOJ 2024High
GovernmentGovernment and political communications were collection targets; broader global advisory includes government networks with partial overlapGovernment organisations appeared in Microsoft’s broader observed sector listFBI/CISA 2024; Microsoft 2023Moderate to high; scopes differ
EnergyEdge-device risk can affect the sector; not established as Salt’s defining missionConfirmed priority sector in the joint advisoryCISA global advisory 2025; CISA 2024High for Volt; limited for Salt-specific attribution
Water and wastewaterNo core Salt-specific sector claim in reviewed sourcesConfirmed sector in the joint advisoryCISA 2024High for Volt
TransportationIncluded in the 2025 global campaign with only partial Salt overlapConfirmed sector in the joint advisoryCISA global advisory 2025; CISA 2024High for Volt; moderate for Salt relationship
Manufacturing, construction, maritime, IT, educationNot treated as core Salt targets hereMicrosoft reported victim organisations across these sectorsMicrosoft 2023Moderate; vendor-observed campaign scope
Lodging and military networksIncluded in broader 2025 global activity that partially overlaps SaltNot part of the core Volt sector statement used hereCISA global advisory 2025Moderate; partial-overlap caveat
Enterprise identity systemsRelevant through privileged and administrative accessCentral to valid-account and living-off-the-land behaviourOfficial technical advisoriesHigh as a defensive environment, not a separate victim sector
OT-adjacent networksPossible downstream dependency; no defining Salt-specific claimAgencies warned about movement from IT toward OTCISA 2024High for Volt assessment; future impact uncertain

Objectives and strategic risk

Collection, reconnaissance, persistence, pre-positioning, and disruption are distinct. Collection seeks information; persistence preserves access; pre-positioning preserves an option. Potential disruption is not proof of destructive action.

Risk dimensionSalt TyphoonVolt TyphoonExecutive implication
Assessed objectiveCommunications-focused espionage and intelligence collectionLong-term access and assessed pre-positioning for potential disruption during crisis or conflictFund controls against the mission most relevant to the environment
Information at riskCall records, selected private communications, administrative and network data, and other intelligence-rich telecom information where supportedCredentials, network topology, configurations, remote access, and operational dependencies that can support persistenceTreat management data and metadata as sensitive assets
Operational riskLoss of confidentiality and trust in communications infrastructure; response actions can affect serviceBusiness-continuity, safety, and service-delivery risk if access reaches critical functionsPlan containment with service and safety owners
Strategic uncertaintyPublic victim scope and cluster boundaries are incompleteIntent is assessed; timing and decision to disrupt remain unknownUse scenario planning without presenting prediction as fact
Assurance emphasisPrivileged-access review, network-device logging, configuration integrity, traffic visibility, and telecom segmentationIT/OT boundary validation, edge security, detection of legitimate-tool abuse, safe isolation, and recoveryAsk for evidence that controls work under realistic constraints

Salt requires evidence to scope communications collection. Volt requires testing whether quiet access could survive credential resets, cross critical boundaries, or delay recovery.

Flowchart connecting Salt Typhoon and Volt Typhoon objectives to target environments, visibility gaps, risks, and defensive actions.

Figure 2. How strategic objectives change defensive priorities for Salt Typhoon and Volt Typhoon risk.

Source note: Original DeepStrike synthesis based on the cited public advisories.

Tactics, techniques, and procedures

Tactics, techniques, and procedures (TTPs) describe observed behaviour, but no single technique proves attribution. The table includes only selected behaviours supported by official advisories or current MITRE ATT&CK pages and omits exploit steps, payloads, and evasion instructions.

ATT&CK phase or security functionSalt TyphoonVolt TyphoonEvidence sourceConfidenceDefensive relevance
Initial accessExploitation of public-facing network devices (T1190)Exploitation of internet-facing systems and use of stolen credentialsMITRE Salt G1045; Microsoft 2023HighInventory exposure, patch supported devices, restrict management paths
Valid and added accessAccount creation and SSH authorised-key changes are ATT&CK-mapped for Salt (T1136; T1098.004)Valid accounts (T1078) are central to documented persistenceMITRE group pages and joint advisoriesHighReview account provenance, key changes, privilege, and authentication context
Network-device discovery and collectionConfiguration dumping (T1602.002) and network sniffing (T1040)Network and system discovery using built-in capabilitiesMITRE Salt G1045; MITRE Volt G1017HighPreserve configs, commands, flow records, and management sessions
Command executionRemote administration on network infrastructure, including SSH (T1021.004)PowerShell and Windows command shell (T1059.001; T1059.003) where ATT&CK-mappedMITRE group pagesHighCorrelate tool use with identity, host, change window, and network destination
Lateral movementTunnelling and administrative access can extend reachValid accounts and remote services support movement within enterprise networksJoint advisories and MITREModerate to highSegment management networks and alert on trust-boundary crossings
CollectionTelecom traffic and configuration access can enable intelligence collectionDiscovery and credential access support long-term positioning; collection is not the only concernFBI/CISA and MicrosoftHighProtect sensitive data paths and record privileged access
Defense evasionQuiet device-level access and use of legitimate functions reduce obvious malware signalsLiving off the land and proxy infrastructure can blend with normal activityOfficial advisoriesHighDetect behavioural deviations; do not rely on malware indicators alone
Proxy and relay infrastructureTunnelling (T1572) and compromised network infrastructure are reportedCompromised SOHO routers and the KV Botnet concealed source trafficMITRE Salt; DOJ KV Botnet actionHighExamine destination history, relay patterns, device ownership, and egress context
PersistenceAccount, key, and device configuration changes can preserve accessLong-lived valid-account and edge access was documented in some victimsOfficial advisoriesHighRebuild trust through configuration comparison, credential plans, and re-entry monitoring

ATT&CK mappings change. Verify the current Salt Typhoon G1045 and Volt Typhoon G1017 pages before building analytics.

Why living off the land matters

Living off the land uses built-in administration, system utilities, and valid accounts. It can resemble maintenance, but initial access may still involve exploitation.

Detection depends on identity, parent activity, destination, change window, and network path. For Volt Typhoon and agentless edge devices, authentication, configuration, flow, and firewall evidence must fill endpoint gaps.

Telecommunications-specific risk

Telecommunications networks reveal relationships among people, devices, services, and locations. Officials reported stolen call-record data, selected private communications, and certain law-enforcement-request information—not universal access to every provider or subscriber.

Protect routers, controllers, authentication systems, orchestration tools, and vendor portals as a management plane. Restrict administrative paths, use attributable accounts, centralise configuration and flow records, segment sensitive zones, and test recovery.

Critical-infrastructure-specific risk

Critical infrastructure connects enterprise IT, remote access, engineering systems, and OT through dependencies often missing from endpoint inventories. Volt guidance warns of possible movement toward OT, not proven disruption at every victim.

Map identity, name services, virtualisation, backup, network management, and vendor access supporting critical functions. Validate segmentation, make remote access revocable, preserve known-good configurations, and rehearse safe isolation and recovery. Energy operators can also review DeepStrike's cybersecurity in the power sector guide for additional SCADA, OT, and resilience context.

Timeline of major public disclosures

DateThreat clusterPublic eventSourceWhy it mattersStatus
Since at least mid-2021; disclosed May 24, 2023Volt TyphoonMicrosoft reported activity affecting U.S. critical infrastructure and GuamMicrosoftEstablished the public label, LOTL pattern, and disruption concernVendor assessment; activity date differs from disclosure date
May 24, 2023Volt TyphoonU.S. and allied agencies issued joint LOTL guidanceCISA AA23-144AAdded multinational technical and defensive contextOfficial advisory
December 2023 operation; announced January 31, 2024Volt TyphoonU.S. authorities disrupted the KV BotnetDepartment of JusticeDistinguished supporting router infrastructure from victim accessCourt-authorised law-enforcement action
February 7, 2024Volt TyphoonJoint advisory described persistent access and assessed pre-positioningCISA AA24-038AClarified sectors, long-term access, and possible IT-to-OT riskOfficial assessment; future disruption not certain
September 2024 awareness; filed February 2025Salt TyphoonVerizon said it became aware it was one of several telecom providers attacked and later contained the incidentVerizon 2024 Form 10-KProvides a named, company-confirmed case with limited public scopeCompany filing; not a complete victim account
October 25, 2024Salt Typhoon-related activityFBI and CISA acknowledged an investigation into PRC-affiliated access to commercial telecom infrastructureFBI/CISAFirst concise U.S. public confirmation of the telecom investigationOfficial statement; did not name every victim
November 13, 2024Salt Typhoon-related activityFBI and CISA described stolen call records, selected private communications, and certain law-enforcement-request informationFBI/CISADefined confirmed data categories without claiming universal exposureOfficial statement
December 3, 2024Salt Typhoon-related activityU.S. agencies published enhanced visibility and hardening guidance for communications infrastructureCISA guidanceShifted public guidance from incident acknowledgement to durable defensesOfficial guidance
January 17, 2025Salt TyphoonU.S. Treasury sanctioned Sichuan Juxinhe for direct involvementU.S. TreasuryAdded a named company and official attribution languageU.S. government assessment and sanctions action
April 24, 2025Salt TyphoonFBI sought information about global telecom targetingFBIExplicitly used the public Salt Typhoon label and repeated collection categoriesOfficial public notice
April–June 2025Salt Typhoon-associated activityCanada published edge-router observations and a telecom-specific bulletinCyber Centre edge guidance; telecom bulletinAdded public evidence outside the U.S. and device-focused defensesOfficial Canadian assessment
August 27–28, 2025; revised September 3Partial Salt Typhoon overlapMultinational agencies exposed a broader global espionage system targeting networks worldwideCISA AA25-239AExpanded sectors and geography while explicitly warning that commercial labels only partially overlapOfficial advisory; not a one-to-one Salt alias statement

The timeline separates observed activity, discovery, disclosure, advisory publication, and law-enforcement action where sources allow. A public announcement is not the campaign start date.

Alias and naming map

NameOrganisation using the nameSalt or Volt relationshipConfidenceNotes
Salt TyphoonMicrosoft; later public government and industry useSalt public nameHighActivity-cluster label, not a self-declared organisation
OPERATOR PANDA, GhostEmperor, FamousSparrowMicrosoft cross-reference lists other tracking labelsMicrosoft-listed relationship to SaltModerate to highVendor scopes and historical periods may not be identical; validate before merging records
RedMike, UNC5807Industry labels cited by the 2025 joint advisoryPartial overlap with broader activity associated with SaltModerateThe advisory explicitly says commercial labels partially overlap; not confirmed one-to-one aliases
JumbledPathMITRE ATT&CK software entryTool associated with Salt activityHigh as software relationshipSoftware name, not an actor alias
Volt TyphoonMicrosoftVolt public nameHighSeparate activity-cluster label
Vanguard Panda, BRONZE SILHOUETTE, DEV-0391, UNC3236, Voltzite, Insidious TaurusCISA/NSA/FBI and partners“Also known as” labels for Volt in the 2024 joint advisoryHigh for advisory mappingIndividual vendors may retain different analytical boundaries
DazedToadMITRE ATT&CKAssociated Volt labelModerate to highMITRE cross-reference; confirm in the source used by the local intelligence platform
KV BotnetDOJ, FBI, and industrySupporting campaign and compromised-router botnet used by VoltHighNot an actor alias and not the whole Volt operation
SYLVANITEMITRE ATT&CKSeparate initial-access cluster that transferred access to Volt/VOLTZITE in cited reportingModerate to highDo not merge with Volt as an alias

Naming sources: Microsoft threat-actor naming, CISA AA24-038A, CISA AA25-239A, and current MITRE ATT&CK group pages. The map remains intentionally narrower than many vendor alias lists. For broader actor context, DeepStrike's overview of leading hacking groups is kept separate from this Salt-versus-Volt comparison.

How defenders should prioritise controls

Defensive prioritySalt Typhoon relevanceVolt Typhoon relevancePrimary ownerEvidence of completion
Asset and external exposure inventoryIdentify telecom, edge, and management systems that can expose traffic or configurationIdentify internet-facing systems and paths toward critical servicesNetwork engineering; security architectureReconciled inventory with owner, support state, exposure, and last validation
Edge-device lifecycle managementReduce exposure from unpatched or misconfigured routers and appliancesRemove end-of-life devices that can become access or proxy infrastructureNetwork engineering; procurementSupport dates, patch status, replacement plan, and exception approvals
Management-interface restrictionsLimit direct access to routing, controllers, and orchestrationLimit administrative entry points into enterprise and operational support networksNetwork securityAllowlist or brokered paths, tested from outside, with denied-access evidence
Privileged-access controlsMake telecom administration attributable and detect unusual keys or accountsReduce valid-account abuse and unauthorised lateral movementIdentity team; platform ownersNamed accounts, phishing-resistant MFA where supported, session and approval records
Network segmentationSeparate management, subscriber-supporting, vendor, and enterprise zonesEnforce IT/OT and critical-service boundariesArchitecture; operations engineeringTested rules, dependency map, exception review, and safe isolation procedure
Centralised loggingPreserve device, identity, configuration, and flow evidence off-deviceCorrelate legitimate-tool use with identity and network contextSOC; platform ownersSearchable logs, monitored ingestion health, retention, and time-sync checks
Configuration-change monitoringDetect routing, tunnelling, account, key, and collection-related changesDetect persistence or boundary changes on edge and infrastructure systemsNetwork operations; SOCVersioned configs, authorised-change correlation, and alert tests
Egress control and flow visibilityDetect unusual destinations and traffic relays from management networksFind proxying and low-volume outbound patterns that endpoint tools may missNetwork security; SOCNetFlow or equivalent coverage, destination baselines, and review workflow
Backup configuration and recoveryRestore network trust after device compromiseRebuild edge and management systems without carrying persistence forwardInfrastructure; continuity teamsProtected known-good configs, restore test, firmware/image provenance
Incident-response accessEnsure responders can collect device evidence without relying on compromised administrationEnable safe containment while protecting operationsIncident response; network/OT ownersOut-of-band access, tools, credentials, authority matrix, and exercise record
Vendor-access governanceControl third-party paths into telecom managementControl remote maintenance into critical and OT-adjacent environmentsVendor risk; system ownerNamed sponsor, time bounds, logging, revocation test, and contract controls
Detection and recovery exercisesTest telecom-specific collection and management-plane scenariosTest LOTL, edge, IT/OT boundary, isolation, and recovery scenariosSOC; red/purple team; continuityScenario results, gaps, owners, retest dates, and executive decisions

Judge controls by evidence, not policy text. Centralised logging is incomplete until the SOC can show current ingestion, sufficient retention, correct time, and a tested analytic for the expected behaviour.

The DeepStrike Typhoon Defense Lens

The DeepStrike Typhoon Defense Lens is an editorial synthesis, not an official government model. It connects actor objectives to the assets, visibility, controls, ownership, and assurance evidence required for a defensible decision.

LensKey questionSalt Typhoon concernVolt Typhoon concernRequired evidenceOwnerReview cadence
ObjectiveWhat outcome would make our environment valuable?Communications intelligence and sensitive network visibilityPersistent access and a future option to disruptThreat scenario tied to business services and dataCISO; threat intelligence; business ownerQuarterly and after material advisories
EnvironmentWhich systems and trust paths support that outcome?Telecom core, management systems, edge, identity, and vendor pathsEnterprise IT, edge, remote access, IT/OT boundaries, and critical servicesAsset and dependency map with owners and exposureArchitecture; network; OTMonthly for exposure; quarterly for dependencies
VisibilityCould we reconstruct identity, configuration, and traffic activity?Device auth, config history, flows, routing, and privileged actionsIdentity, command context, east-west traffic, remote access, and boundary eventsCoverage map, retention, ingestion health, time sync, and test resultsSOC; platform ownersContinuous health; quarterly coverage review
ControlWhich controls prevent or contain the likely path?Restricted management, privilege, segmentation, patching, and egressEdge lifecycle, valid-account controls, segmentation, isolation, and recoveryConfigurations, approvals, denied-path tests, and remediation statusControl ownersMonthly exceptions; after major change
AssuranceWhat independent evidence shows the controls work safely?Configuration review, exposure validation, detection validation, and telecom-safe testingThreat-informed testing, purple-team exercises, recovery and safe-isolation validationScope, safety plan, findings, retest results, and accepted residual riskAssurance; red/purple team; auditRisk-based; at least annually for critical paths
Five-layer DeepStrike framework covering threat objectives, target environments, visibility, security controls, and assurance testing.

Figure 3. The DeepStrike Typhoon Defense Lens for evaluating nation-state exposure and assurance priorities.

Source note: Original DeepStrike editorial framework. Not an official government standard.

Detection and threat-hunting considerations

Use current official advisories for time-sensitive indicators, then hunt for durable behaviours. A single indicator match does not prove attribution; the hypothesis, data coverage, and alternative explanations matter.

SignalWhy it mattersRequired data sourceSalt / Volt relevanceCaveat
New or unusual network-device administrative sessionCan reveal access outside normal operationsDevice authentication, AAA, bastion, VPN, and change recordsBoth; especially Salt management planesEmergency maintenance and automation can look similar
New account, key, or privilege on a network deviceMay preserve access beyond a password resetAccount inventory, key fingerprints, privilege and config historyBothValidate approved break-glass and vendor accounts first
Unexpected configuration changeRouting, tunnels, logging, collection, or access policy can be alteredVersioned configs and authorised-change systemBothVendor upgrades may create bulk changes
Unusual outbound destination from management or edge infrastructureCan indicate relay, proxy, or remote-control trafficFirewall, DNS, proxy, and flow recordsBoth; Volt proxying is well documentedShared hosting and update services require context
Dormant, service, or administrator account activity outside baselineValid accounts can support quiet persistenceIdentity provider, directory, VPN, PAM, and host logsBoth; central to Volt LOTL activityBaselines must account for on-call and disaster recovery
Authentication from atypical infrastructureA new source, path, or autonomous system can be meaningfulVPN, bastion, device and identity logs with source contextBothCompromised residential routers can weaken geography-based logic
Endpoint-to-network evidence gapDevice activity may be invisible to EDREDR coverage map, asset inventory, network and device logsBoth; critical for edge devicesAbsence of EDR is not itself malicious
Unexplained routing or tunnelling changeCan redirect, observe, or extend accessRouter configs, routing telemetry, flow and change recordsStrong Salt relevance; also Volt movementPlanned engineering work must be correlated
Firmware or boot-integrity deviationCan undermine trust in an edge deviceVendor integrity features, inventory, firmware provenanceBothCapability varies by platform; validate vendor guidance
Log-source silence or time driftCan hide sequence and frustrate scopingSIEM ingestion health, NTP status, device audit logsBothDevice failure and capacity issues are common alternatives
East-west discovery followed by remote administrationCan indicate movement using legitimate toolsNetwork telemetry, process context, identity, remote-service logsStrong Volt relevanceAdministration and vulnerability scanning can create similar patterns
Re-entry after containmentIndicates incomplete removal or another access pathIdentity, edge, DNS, flow, configuration, and endpoint evidenceBothDefine a clean monitoring period and known-good baseline

Document the data searched, time range, hypotheses, results, and blind spots. Revalidate IP addresses and domains before turning them into lasting detection rules.

Incident-response priorities

  1. Confirm scope, authority, affected services, and telecom or OT safety constraints.
  2. Preserve sessions, routing state, configurations, authentication records, flows, and other volatile evidence.
  3. Protect off-device logs, retention, time synchronisation, access controls, and legal holds.
  4. Review privileged, service, vendor, key, token, and emergency-account activity.
  5. Identify direct and indirect internet-facing management and remote-access paths.
  6. Compare routing, tunnelling, logging, account, key, and policy changes with approved baselines.
  7. Coordinate legal, privacy, regulatory, law-enforcement, insurer, sector, and government engagement.
  8. Avoid rushed resets that destroy evidence, disrupt service, or reveal the investigation.
  9. Rotate credentials in a sequenced plan covering dependent systems and certificates.
  10. Validate segmentation, rebuild or replace affected devices, and verify supported baselines.
  11. Monitor identity, edge, DNS, flow, configuration, and endpoint evidence for re-entry.
  12. Separate confirmed facts, assessments, unknowns, decisions, and confidence levels.

Follow current official incident-response guidance and use qualified assistance. Telecom and OT containment requires specialist safeguards because aggressive action can affect service continuity or safety.

How threat-informed security testing can help

Authorised threat-informed testing can validate external exposure, management interfaces, privileged access, segmentation, identity controls, cloud, web and API paths, detection coverage, and recovery. The goal is to test selected controls—not to reproduce a nation-state operation.

Testing must reflect asset criticality and safety constraints. A penetration test cannot prove Salt Typhoon or Volt Typhoon is absent, replace continuous monitoring, or guarantee future protection. Telecom and OT exercises need approved windows, stop conditions, and remediation retesting.

A scoped red-team assessment can test approved attack paths and detection controls against the organisation's threat model.

Common misconceptions

“They are the same group.” They are separate labels; shared attribution or techniques do not prove common command.

“Every China-linked intrusion is a Typhoon operation.” Naming and cluster boundaries differ, and wider campaigns may only partially overlap Salt.

“Living off the land means no exploit or malware.” Initial access may exploit vulnerabilities, and operations may combine legitimate tools with malware.

“EDR covers edge devices.” Many routers lack agents, so device, identity, configuration, and network telemetry are essential.

“The KV Botnet was the whole Volt operation.” It was supporting router infrastructure; disruption did not remove every victim foothold.

“IOC lists provide lasting protection.” Infrastructure changes; use current indicators for bounded investigations and durable behaviour-based detection.

“A penetration test certifies safety.” Testing validates selected paths and controls but cannot guarantee absence, prevention, or complete coverage.

Executive decision checklist

Executive questionWhy it mattersEvidence to requestOwner
Do we know every externally managed network device?Unknown edge systems can bypass endpoint visibilityReconciled inventory, exposure scan, owner, support and patch stateCIO; network leader
Are internet-facing management interfaces restricted?Direct administration expands the initial-access surfaceApproved access paths and independent denied-access testNetwork security
Can we investigate network devices without relying only on EDR?Routers and appliances often lack agentsDevice auth, configs, flows, logs, retention, and collection procedureSOC; network operations
Do privileged accounts have clear ownership?Shared or dormant access weakens attribution and containmentNamed owner, purpose, last use, MFA, privilege, and reviewIdentity leader
Are telecom or critical-service dependencies mapped?Incident decisions can affect services beyond the compromised assetCurrent service and trust dependency mapArchitecture; business continuity
Can the SOC retain and search the relevant logs?Detection and scoping depend on history and time alignmentCoverage, ingestion health, searchable period, and tested analyticsSOC manager
Can we isolate compromised segments safely?Containment without dependency knowledge can create harmRunbook, authority, safety review, and exercise recordIncident response; operations
Are vendor remote-access paths governed?Third-party routes can become persistent, weakly owned entry pointsSponsor, time bounds, logging, approved path, and revocation testVendor risk; system owner
Have we tested recovery from loss of network-management trust?Configurations, credentials, and tools may all be suspectKnown-good backups, clean admin path, rebuild and restore exerciseInfrastructure; continuity
Have we validated controls against threat-informed scenarios?Policy does not show whether controls work togetherTest scope, findings, detection evidence, remediation, and retestAssurance; SOC
Are reporting and escalation obligations documented?Sector, privacy, contractual, and national duties differDecision tree, contacts, thresholds, and counsel reviewLegal; compliance; CISO

Frequently asked questions

What is Salt Typhoon?

Salt Typhoon is Microsoft's label for PRC-linked telecommunications espionage. U.S. agencies reported access to telecom infrastructure and theft of call-record data, selected communications, and certain law-enforcement-request information.

What is Volt Typhoon?

Volt Typhoon is Microsoft's label for PRC state-sponsored activity involving persistent critical-infrastructure access, valid accounts, living-off-the-land behaviour, and edge infrastructure. Agencies assess that access could support future disruption.

What is the difference between Salt Typhoon and Volt Typhoon?

Salt centres on telecom espionage. Volt centres on persistent critical-infrastructure access and possible disruptive pre-positioning. Shared techniques do not make them the same group.

Are Salt Typhoon and Volt Typhoon the same group?

No. Authoritative sources track them separately; shared attribution or infrastructure targeting does not prove shared personnel or command.

Is Salt Typhoon a Chinese state-sponsored group?

U.S., Canadian, and allied agencies link Salt Typhoon or associated activity to PRC state-sponsored actors. It remains an analytical cluster, not a disclosed legal organisation.

Is Volt Typhoon a Chinese state-sponsored group?

Yes, according to Microsoft and allied governments. The assessment does not identify every participant or prove that disruption occurred.

What industries does Salt Typhoon target?

Telecommunications and ISP infrastructure are the clearest targets. Broader guidance lists other sectors only as partial overlap with the Salt label.

What industries does Volt Typhoon target?

Official guidance identifies communications, energy, transportation, and water organisations, with more sectors in Microsoft's original disclosure. Scope varies by source and date.

Why does Volt Typhoon use living-off-the-land techniques?

Valid accounts and built-in tools can resemble normal administration, so detection needs identity, command, network, and configuration context.

How can organisations detect Salt Typhoon or Volt Typhoon activity?

Prioritise device authentication, account and key changes, configuration history, flows, unusual outbound traffic, remote administration, and identity anomalies. A single indicator match does not prove attribution.

Can penetration testing detect a nation-state intrusion?

Penetration testing can expose management, segmentation, privilege, and detection weaknesses. It is not forensics unless scoped that way and cannot certify that an actor is absent.

What should an organisation do if it suspects compromise?

Activate incident response, preserve network and identity evidence, protect logs, assess privileged access, and coordinate containment. Avoid resets that destroy evidence or disrupt critical operations.

Conclusion

Salt Typhoon and Volt Typhoon are separate PRC-linked clusters: Salt is associated with communications espionage; Volt with persistent critical-infrastructure access and possible disruptive pre-positioning. Defenders should preserve that distinction while addressing shared edge, identity, segmentation, and visibility weaknesses.

Priorities are restricted management interfaces, attributable privilege, supported edge devices, tested segmentation, centralised logs, configuration monitoring, and rehearsed recovery. Telecom teams should protect management-plane trust; critical operators should protect IT/OT boundaries and continuity.

DeepStrike supports authorised threat-informed assessments across infrastructure, networks, cloud, identity, web applications, APIs, and critical paths. Testing should follow asset risk, safety constraints, remediation, and ongoing monitoring.

Primary sources and further reading

About the author

Mohammed Khalil is a DeepStrike Cybersecurity Architect specialising in penetration testing, application and cloud security, and threat-informed assurance. He holds CISSP, OSCP, and OSWE certifications and focuses on attack paths, control validation, and remediation.

background
Let's hack you before real hackers do

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today

Contact Us