July 14, 2026
Updated: July 14, 2026
How the China-linked threat clusters differ in mission, targets, and defensive priorities
Mohammed Khalil

Verification note: Attribution may change. This article uses public government, court, company, MITRE ATT&CK, and original vendor sources verified through July 14, 2026. Alias mappings require source support.
Salt Typhoon is principally associated with telecommunications cyberespionage. Volt Typhoon is associated with persistent access to U.S. critical infrastructure and concern that access could support disruption in a future crisis. Both are publicly linked to the PRC, but they are separate analytical labels. Shared weaknesses in edge security, privilege, segmentation, and logging do not make them the same actor.
| Dimension | Salt Typhoon | Volt Typhoon | Confidence / caveat |
|---|---|---|---|
| Public naming source | Microsoft weather-themed label; later used widely in government and industry reporting | Microsoft weather-themed label introduced publicly in May 2023 | High for labels; a label is not a legal entity |
| Public attribution | FBI, CISA, Treasury, and allied agencies link the activity or overlapping activity to PRC state-sponsored actors | Microsoft and a multinational government advisory attribute the activity to a PRC state-sponsored actor | High for the cited public assessments; this article does not independently attribute activity |
| Primary reported objective | Cyberespionage and communications intelligence collection | Persistent critical-infrastructure access and assessed pre-positioning for possible disruption | High for official wording; future disruption is not certain |
| Main target environment | Telecommunications, internet-service-provider, and communications infrastructure; later guidance describes broader global network targeting with partial overlap | U.S. and Guam critical infrastructure, particularly communications, energy, transportation, water and wastewater | High for core sectors; broader sector lists depend on source scope |
| Geographic reach | U.S. telecom cases plus multinational reporting of global network targeting; some 2025 activity only partially overlaps the label | Publicly documented U.S. and Guam activity; supporting infrastructure can be distributed globally | Moderate to high; do not convert campaign geography into a universal victim list |
| Commonly reported access layer | Network edge, routers, administrative systems, and telecom management infrastructure | Internet-facing systems, edge devices, enterprise IT, valid accounts, and paths that could reach OT | High at category level |
| High-level tradecraft | Exploitation of exposed devices, credential and account use, configuration access, traffic collection, tunnelling, and persistence on network infrastructure | Living off the land, valid accounts, built-in administration, discovery, lateral movement, and proxying through compromised SOHO devices | High for cited behaviours; techniques are not unique identifiers |
| Persistence pattern | Long-lived network access intended to support collection and wider visibility | Long-term access designed to remain quiet; agencies reported multi-year persistence in some victims | High for general pattern; duration varies by victim |
| Main defensive concern | Loss of communications confidentiality and trust in network management | Loss of operational confidence, continuity risk, and a possible bridge from enterprise IT toward operational functions | High as a risk framing, not proof of impact |
| Most relevant telemetry | Network-device authentication, configuration history, flow records, privileged actions, routing and tunnelling changes | Identity, command and process context, east-west traffic, edge logs, configuration integrity, remote access, and IT/OT boundary telemetry | Editorial synthesis based on official guidance |
| Official guidance | Communications infrastructure hardening and enhanced visibility; global network-device mitigations | Joint living-off-the-land advisory, persistent-access advisory, leader guidance, and KV Botnet court action | High |
| Current knowledge limitation | Public sources do not reveal the cluster’s full membership, all victims, or a universal one-to-one alias map | Public sources do not reveal command structure or prove that disruption will occur | High |
Source notes: FBI and CISA telecommunications statements, 2025 multinational global-network advisory, Microsoft’s original Volt Typhoon disclosure, and the 2024 joint critical-infrastructure advisory.

Figure 1. Publicly reported differences and overlaps between Salt Typhoon and Volt Typhoon.
Source note: Based on current official government advisories and original naming-source research verified before publication.
Salt Typhoon is Microsoft's label for China-linked activity associated with telecommunications cyberespionage. It describes observed activity, not a legal entity or fixed membership list.
In October and November 2024, the FBI and CISA described PRC-affiliated access to commercial telecommunications infrastructure and reported theft of call-record data, selected private communications, and certain law-enforcement-request information. In April 2025, the FBI explicitly used the Salt Typhoon label; the U.S. Treasury also sanctioned Sichuan Juxinhe Network Technology for what it described as direct involvement.
The Canadian Centre for Cyber Security described edge-router activity and a telecom compromise. CISA AA25-239A covered wider targeting but said that activity only partially overlaps the Salt Typhoon label; it is not a one-to-one alias. For broader geographic context, DeepStrike separately analyses the countries most targeted by cyberattacks without using geography as proof of actor attribution.
Public sources do not reveal the full victim set, structure, or access routes. The wider risk is loss of metadata, routing, identity, and administrative trust in communications infrastructure.
Volt Typhoon is Microsoft's separate label for a PRC state-sponsored activity cluster. Microsoft disclosed it in May 2023 after observing activity in U.S. critical infrastructure, including Guam, and assessed that the campaign sought capabilities that could disrupt communications during a future crisis.
A February 2024 multinational advisory described compromises in communications, energy, transportation, and water and wastewater organisations. Agencies assessed with high confidence that the actors were pre-positioning in IT networks for possible movement toward OT and future disruption. This is an assessment of potential purpose, not proof that disruption occurred.
Volt Typhoon is also associated with living-off-the-land activity, valid accounts, and traffic proxied through compromised SOHO routers. The January 2024 U.S. Department of Justice action disrupted the KV Botnet, but that botnet was supporting infrastructure—not the whole actor or every victim foothold.
DeepStrike's guide to living-off-the-land techniques explains why identity, command context, network flows, and configuration evidence matter when endpoint telemetry is incomplete.
No authoritative source reviewed here establishes that Salt Typhoon and Volt Typhoon are the same group. They remain separate labels with different core targets and strategic assessments.
Shared PRC attribution, infrastructure targeting, valid accounts, or persistence may reflect common doctrine. They do not prove shared personnel, tooling, or command.
| Claim | Supported? | Evidence needed | Current caveat |
|---|---|---|---|
| Both are publicly linked to PRC state-sponsored activity | Yes | Direct government or original naming-source assessment | Attribution scope differs by source and event |
| Both have targeted network infrastructure | Yes | Technical advisory or incident record | A common target is not identity evidence |
| Salt Typhoon is Volt Typhoon | No | Direct authoritative mapping supported by evidence | No such mapping was found in the reviewed sources |
| Every activity carrying a related vendor label is identical | No | Source-specific one-to-one equivalence | The 2025 joint advisory explicitly describes partial overlap for some Salt-related labels |
| Shared techniques prove shared command | No | Corroborating infrastructure, operational, and intelligence evidence | Many actors use the same built-in tools and device classes |
For broader context on state-sponsored cyber threats, keep actor labels, campaigns, malware, botnets, vulnerabilities, and victim sets analytically separate.
The distinction changes risk priorities. Salt raises a confidentiality question: which communications, metadata, management systems, and privileged workflows could be observed? Volt raises a continuity question: where could persistent access cross trust boundaries during a crisis?
Telecom teams need visibility into routers, management systems, subscriber platforms, and vendor access. Critical operators must also map IT-to-OT dependencies, engineering access, safety constraints, and recovery. Actor labels cannot replace incident scoping.
| Sector or environment | Salt Typhoon reporting | Volt Typhoon reporting | Source | Confidence |
|---|---|---|---|---|
| Telecommunications and ISPs | Core, repeatedly documented target environment | Communications is a confirmed critical-infrastructure sector | FBI/CISA 2024; CISA 2024 | High |
| Network edge and routers | Confirmed in Canadian and multinational guidance | SOHO and edge infrastructure used for access or proxying | Canadian Cyber Centre 2025; DOJ 2024 | High |
| Government | Government and political communications were collection targets; broader global advisory includes government networks with partial overlap | Government organisations appeared in Microsoft’s broader observed sector list | FBI/CISA 2024; Microsoft 2023 | Moderate to high; scopes differ |
| Energy | Edge-device risk can affect the sector; not established as Salt’s defining mission | Confirmed priority sector in the joint advisory | CISA global advisory 2025; CISA 2024 | High for Volt; limited for Salt-specific attribution |
| Water and wastewater | No core Salt-specific sector claim in reviewed sources | Confirmed sector in the joint advisory | CISA 2024 | High for Volt |
| Transportation | Included in the 2025 global campaign with only partial Salt overlap | Confirmed sector in the joint advisory | CISA global advisory 2025; CISA 2024 | High for Volt; moderate for Salt relationship |
| Manufacturing, construction, maritime, IT, education | Not treated as core Salt targets here | Microsoft reported victim organisations across these sectors | Microsoft 2023 | Moderate; vendor-observed campaign scope |
| Lodging and military networks | Included in broader 2025 global activity that partially overlaps Salt | Not part of the core Volt sector statement used here | CISA global advisory 2025 | Moderate; partial-overlap caveat |
| Enterprise identity systems | Relevant through privileged and administrative access | Central to valid-account and living-off-the-land behaviour | Official technical advisories | High as a defensive environment, not a separate victim sector |
| OT-adjacent networks | Possible downstream dependency; no defining Salt-specific claim | Agencies warned about movement from IT toward OT | CISA 2024 | High for Volt assessment; future impact uncertain |
Collection, reconnaissance, persistence, pre-positioning, and disruption are distinct. Collection seeks information; persistence preserves access; pre-positioning preserves an option. Potential disruption is not proof of destructive action.
| Risk dimension | Salt Typhoon | Volt Typhoon | Executive implication |
|---|---|---|---|
| Assessed objective | Communications-focused espionage and intelligence collection | Long-term access and assessed pre-positioning for potential disruption during crisis or conflict | Fund controls against the mission most relevant to the environment |
| Information at risk | Call records, selected private communications, administrative and network data, and other intelligence-rich telecom information where supported | Credentials, network topology, configurations, remote access, and operational dependencies that can support persistence | Treat management data and metadata as sensitive assets |
| Operational risk | Loss of confidentiality and trust in communications infrastructure; response actions can affect service | Business-continuity, safety, and service-delivery risk if access reaches critical functions | Plan containment with service and safety owners |
| Strategic uncertainty | Public victim scope and cluster boundaries are incomplete | Intent is assessed; timing and decision to disrupt remain unknown | Use scenario planning without presenting prediction as fact |
| Assurance emphasis | Privileged-access review, network-device logging, configuration integrity, traffic visibility, and telecom segmentation | IT/OT boundary validation, edge security, detection of legitimate-tool abuse, safe isolation, and recovery | Ask for evidence that controls work under realistic constraints |
Salt requires evidence to scope communications collection. Volt requires testing whether quiet access could survive credential resets, cross critical boundaries, or delay recovery.

Figure 2. How strategic objectives change defensive priorities for Salt Typhoon and Volt Typhoon risk.
Source note: Original DeepStrike synthesis based on the cited public advisories.
Tactics, techniques, and procedures (TTPs) describe observed behaviour, but no single technique proves attribution. The table includes only selected behaviours supported by official advisories or current MITRE ATT&CK pages and omits exploit steps, payloads, and evasion instructions.
| ATT&CK phase or security function | Salt Typhoon | Volt Typhoon | Evidence source | Confidence | Defensive relevance |
|---|---|---|---|---|---|
| Initial access | Exploitation of public-facing network devices (T1190) | Exploitation of internet-facing systems and use of stolen credentials | MITRE Salt G1045; Microsoft 2023 | High | Inventory exposure, patch supported devices, restrict management paths |
| Valid and added access | Account creation and SSH authorised-key changes are ATT&CK-mapped for Salt (T1136; T1098.004) | Valid accounts (T1078) are central to documented persistence | MITRE group pages and joint advisories | High | Review account provenance, key changes, privilege, and authentication context |
| Network-device discovery and collection | Configuration dumping (T1602.002) and network sniffing (T1040) | Network and system discovery using built-in capabilities | MITRE Salt G1045; MITRE Volt G1017 | High | Preserve configs, commands, flow records, and management sessions |
| Command execution | Remote administration on network infrastructure, including SSH (T1021.004) | PowerShell and Windows command shell (T1059.001; T1059.003) where ATT&CK-mapped | MITRE group pages | High | Correlate tool use with identity, host, change window, and network destination |
| Lateral movement | Tunnelling and administrative access can extend reach | Valid accounts and remote services support movement within enterprise networks | Joint advisories and MITRE | Moderate to high | Segment management networks and alert on trust-boundary crossings |
| Collection | Telecom traffic and configuration access can enable intelligence collection | Discovery and credential access support long-term positioning; collection is not the only concern | FBI/CISA and Microsoft | High | Protect sensitive data paths and record privileged access |
| Defense evasion | Quiet device-level access and use of legitimate functions reduce obvious malware signals | Living off the land and proxy infrastructure can blend with normal activity | Official advisories | High | Detect behavioural deviations; do not rely on malware indicators alone |
| Proxy and relay infrastructure | Tunnelling (T1572) and compromised network infrastructure are reported | Compromised SOHO routers and the KV Botnet concealed source traffic | MITRE Salt; DOJ KV Botnet action | High | Examine destination history, relay patterns, device ownership, and egress context |
| Persistence | Account, key, and device configuration changes can preserve access | Long-lived valid-account and edge access was documented in some victims | Official advisories | High | Rebuild trust through configuration comparison, credential plans, and re-entry monitoring |
ATT&CK mappings change. Verify the current Salt Typhoon G1045 and Volt Typhoon G1017 pages before building analytics.
Living off the land uses built-in administration, system utilities, and valid accounts. It can resemble maintenance, but initial access may still involve exploitation.
Detection depends on identity, parent activity, destination, change window, and network path. For Volt Typhoon and agentless edge devices, authentication, configuration, flow, and firewall evidence must fill endpoint gaps.
Telecommunications networks reveal relationships among people, devices, services, and locations. Officials reported stolen call-record data, selected private communications, and certain law-enforcement-request information—not universal access to every provider or subscriber.
Protect routers, controllers, authentication systems, orchestration tools, and vendor portals as a management plane. Restrict administrative paths, use attributable accounts, centralise configuration and flow records, segment sensitive zones, and test recovery.
Critical infrastructure connects enterprise IT, remote access, engineering systems, and OT through dependencies often missing from endpoint inventories. Volt guidance warns of possible movement toward OT, not proven disruption at every victim.
Map identity, name services, virtualisation, backup, network management, and vendor access supporting critical functions. Validate segmentation, make remote access revocable, preserve known-good configurations, and rehearse safe isolation and recovery. Energy operators can also review DeepStrike's cybersecurity in the power sector guide for additional SCADA, OT, and resilience context.
| Date | Threat cluster | Public event | Source | Why it matters | Status |
|---|---|---|---|---|---|
| Since at least mid-2021; disclosed May 24, 2023 | Volt Typhoon | Microsoft reported activity affecting U.S. critical infrastructure and Guam | Microsoft | Established the public label, LOTL pattern, and disruption concern | Vendor assessment; activity date differs from disclosure date |
| May 24, 2023 | Volt Typhoon | U.S. and allied agencies issued joint LOTL guidance | CISA AA23-144A | Added multinational technical and defensive context | Official advisory |
| December 2023 operation; announced January 31, 2024 | Volt Typhoon | U.S. authorities disrupted the KV Botnet | Department of Justice | Distinguished supporting router infrastructure from victim access | Court-authorised law-enforcement action |
| February 7, 2024 | Volt Typhoon | Joint advisory described persistent access and assessed pre-positioning | CISA AA24-038A | Clarified sectors, long-term access, and possible IT-to-OT risk | Official assessment; future disruption not certain |
| September 2024 awareness; filed February 2025 | Salt Typhoon | Verizon said it became aware it was one of several telecom providers attacked and later contained the incident | Verizon 2024 Form 10-K | Provides a named, company-confirmed case with limited public scope | Company filing; not a complete victim account |
| October 25, 2024 | Salt Typhoon-related activity | FBI and CISA acknowledged an investigation into PRC-affiliated access to commercial telecom infrastructure | FBI/CISA | First concise U.S. public confirmation of the telecom investigation | Official statement; did not name every victim |
| November 13, 2024 | Salt Typhoon-related activity | FBI and CISA described stolen call records, selected private communications, and certain law-enforcement-request information | FBI/CISA | Defined confirmed data categories without claiming universal exposure | Official statement |
| December 3, 2024 | Salt Typhoon-related activity | U.S. agencies published enhanced visibility and hardening guidance for communications infrastructure | CISA guidance | Shifted public guidance from incident acknowledgement to durable defenses | Official guidance |
| January 17, 2025 | Salt Typhoon | U.S. Treasury sanctioned Sichuan Juxinhe for direct involvement | U.S. Treasury | Added a named company and official attribution language | U.S. government assessment and sanctions action |
| April 24, 2025 | Salt Typhoon | FBI sought information about global telecom targeting | FBI | Explicitly used the public Salt Typhoon label and repeated collection categories | Official public notice |
| April–June 2025 | Salt Typhoon-associated activity | Canada published edge-router observations and a telecom-specific bulletin | Cyber Centre edge guidance; telecom bulletin | Added public evidence outside the U.S. and device-focused defenses | Official Canadian assessment |
| August 27–28, 2025; revised September 3 | Partial Salt Typhoon overlap | Multinational agencies exposed a broader global espionage system targeting networks worldwide | CISA AA25-239A | Expanded sectors and geography while explicitly warning that commercial labels only partially overlap | Official advisory; not a one-to-one Salt alias statement |
The timeline separates observed activity, discovery, disclosure, advisory publication, and law-enforcement action where sources allow. A public announcement is not the campaign start date.
| Name | Organisation using the name | Salt or Volt relationship | Confidence | Notes |
|---|---|---|---|---|
| Salt Typhoon | Microsoft; later public government and industry use | Salt public name | High | Activity-cluster label, not a self-declared organisation |
| OPERATOR PANDA, GhostEmperor, FamousSparrow | Microsoft cross-reference lists other tracking labels | Microsoft-listed relationship to Salt | Moderate to high | Vendor scopes and historical periods may not be identical; validate before merging records |
| RedMike, UNC5807 | Industry labels cited by the 2025 joint advisory | Partial overlap with broader activity associated with Salt | Moderate | The advisory explicitly says commercial labels partially overlap; not confirmed one-to-one aliases |
| JumbledPath | MITRE ATT&CK software entry | Tool associated with Salt activity | High as software relationship | Software name, not an actor alias |
| Volt Typhoon | Microsoft | Volt public name | High | Separate activity-cluster label |
| Vanguard Panda, BRONZE SILHOUETTE, DEV-0391, UNC3236, Voltzite, Insidious Taurus | CISA/NSA/FBI and partners | “Also known as” labels for Volt in the 2024 joint advisory | High for advisory mapping | Individual vendors may retain different analytical boundaries |
| DazedToad | MITRE ATT&CK | Associated Volt label | Moderate to high | MITRE cross-reference; confirm in the source used by the local intelligence platform |
| KV Botnet | DOJ, FBI, and industry | Supporting campaign and compromised-router botnet used by Volt | High | Not an actor alias and not the whole Volt operation |
| SYLVANITE | MITRE ATT&CK | Separate initial-access cluster that transferred access to Volt/VOLTZITE in cited reporting | Moderate to high | Do not merge with Volt as an alias |
Naming sources: Microsoft threat-actor naming, CISA AA24-038A, CISA AA25-239A, and current MITRE ATT&CK group pages. The map remains intentionally narrower than many vendor alias lists. For broader actor context, DeepStrike's overview of leading hacking groups is kept separate from this Salt-versus-Volt comparison.
| Defensive priority | Salt Typhoon relevance | Volt Typhoon relevance | Primary owner | Evidence of completion |
|---|---|---|---|---|
| Asset and external exposure inventory | Identify telecom, edge, and management systems that can expose traffic or configuration | Identify internet-facing systems and paths toward critical services | Network engineering; security architecture | Reconciled inventory with owner, support state, exposure, and last validation |
| Edge-device lifecycle management | Reduce exposure from unpatched or misconfigured routers and appliances | Remove end-of-life devices that can become access or proxy infrastructure | Network engineering; procurement | Support dates, patch status, replacement plan, and exception approvals |
| Management-interface restrictions | Limit direct access to routing, controllers, and orchestration | Limit administrative entry points into enterprise and operational support networks | Network security | Allowlist or brokered paths, tested from outside, with denied-access evidence |
| Privileged-access controls | Make telecom administration attributable and detect unusual keys or accounts | Reduce valid-account abuse and unauthorised lateral movement | Identity team; platform owners | Named accounts, phishing-resistant MFA where supported, session and approval records |
| Network segmentation | Separate management, subscriber-supporting, vendor, and enterprise zones | Enforce IT/OT and critical-service boundaries | Architecture; operations engineering | Tested rules, dependency map, exception review, and safe isolation procedure |
| Centralised logging | Preserve device, identity, configuration, and flow evidence off-device | Correlate legitimate-tool use with identity and network context | SOC; platform owners | Searchable logs, monitored ingestion health, retention, and time-sync checks |
| Configuration-change monitoring | Detect routing, tunnelling, account, key, and collection-related changes | Detect persistence or boundary changes on edge and infrastructure systems | Network operations; SOC | Versioned configs, authorised-change correlation, and alert tests |
| Egress control and flow visibility | Detect unusual destinations and traffic relays from management networks | Find proxying and low-volume outbound patterns that endpoint tools may miss | Network security; SOC | NetFlow or equivalent coverage, destination baselines, and review workflow |
| Backup configuration and recovery | Restore network trust after device compromise | Rebuild edge and management systems without carrying persistence forward | Infrastructure; continuity teams | Protected known-good configs, restore test, firmware/image provenance |
| Incident-response access | Ensure responders can collect device evidence without relying on compromised administration | Enable safe containment while protecting operations | Incident response; network/OT owners | Out-of-band access, tools, credentials, authority matrix, and exercise record |
| Vendor-access governance | Control third-party paths into telecom management | Control remote maintenance into critical and OT-adjacent environments | Vendor risk; system owner | Named sponsor, time bounds, logging, revocation test, and contract controls |
| Detection and recovery exercises | Test telecom-specific collection and management-plane scenarios | Test LOTL, edge, IT/OT boundary, isolation, and recovery scenarios | SOC; red/purple team; continuity | Scenario results, gaps, owners, retest dates, and executive decisions |
Judge controls by evidence, not policy text. Centralised logging is incomplete until the SOC can show current ingestion, sufficient retention, correct time, and a tested analytic for the expected behaviour.
The DeepStrike Typhoon Defense Lens is an editorial synthesis, not an official government model. It connects actor objectives to the assets, visibility, controls, ownership, and assurance evidence required for a defensible decision.
| Lens | Key question | Salt Typhoon concern | Volt Typhoon concern | Required evidence | Owner | Review cadence |
|---|---|---|---|---|---|---|
| Objective | What outcome would make our environment valuable? | Communications intelligence and sensitive network visibility | Persistent access and a future option to disrupt | Threat scenario tied to business services and data | CISO; threat intelligence; business owner | Quarterly and after material advisories |
| Environment | Which systems and trust paths support that outcome? | Telecom core, management systems, edge, identity, and vendor paths | Enterprise IT, edge, remote access, IT/OT boundaries, and critical services | Asset and dependency map with owners and exposure | Architecture; network; OT | Monthly for exposure; quarterly for dependencies |
| Visibility | Could we reconstruct identity, configuration, and traffic activity? | Device auth, config history, flows, routing, and privileged actions | Identity, command context, east-west traffic, remote access, and boundary events | Coverage map, retention, ingestion health, time sync, and test results | SOC; platform owners | Continuous health; quarterly coverage review |
| Control | Which controls prevent or contain the likely path? | Restricted management, privilege, segmentation, patching, and egress | Edge lifecycle, valid-account controls, segmentation, isolation, and recovery | Configurations, approvals, denied-path tests, and remediation status | Control owners | Monthly exceptions; after major change |
| Assurance | What independent evidence shows the controls work safely? | Configuration review, exposure validation, detection validation, and telecom-safe testing | Threat-informed testing, purple-team exercises, recovery and safe-isolation validation | Scope, safety plan, findings, retest results, and accepted residual risk | Assurance; red/purple team; audit | Risk-based; at least annually for critical paths |

Figure 3. The DeepStrike Typhoon Defense Lens for evaluating nation-state exposure and assurance priorities.
Source note: Original DeepStrike editorial framework. Not an official government standard.
Use current official advisories for time-sensitive indicators, then hunt for durable behaviours. A single indicator match does not prove attribution; the hypothesis, data coverage, and alternative explanations matter.
| Signal | Why it matters | Required data source | Salt / Volt relevance | Caveat |
|---|---|---|---|---|
| New or unusual network-device administrative session | Can reveal access outside normal operations | Device authentication, AAA, bastion, VPN, and change records | Both; especially Salt management planes | Emergency maintenance and automation can look similar |
| New account, key, or privilege on a network device | May preserve access beyond a password reset | Account inventory, key fingerprints, privilege and config history | Both | Validate approved break-glass and vendor accounts first |
| Unexpected configuration change | Routing, tunnels, logging, collection, or access policy can be altered | Versioned configs and authorised-change system | Both | Vendor upgrades may create bulk changes |
| Unusual outbound destination from management or edge infrastructure | Can indicate relay, proxy, or remote-control traffic | Firewall, DNS, proxy, and flow records | Both; Volt proxying is well documented | Shared hosting and update services require context |
| Dormant, service, or administrator account activity outside baseline | Valid accounts can support quiet persistence | Identity provider, directory, VPN, PAM, and host logs | Both; central to Volt LOTL activity | Baselines must account for on-call and disaster recovery |
| Authentication from atypical infrastructure | A new source, path, or autonomous system can be meaningful | VPN, bastion, device and identity logs with source context | Both | Compromised residential routers can weaken geography-based logic |
| Endpoint-to-network evidence gap | Device activity may be invisible to EDR | EDR coverage map, asset inventory, network and device logs | Both; critical for edge devices | Absence of EDR is not itself malicious |
| Unexplained routing or tunnelling change | Can redirect, observe, or extend access | Router configs, routing telemetry, flow and change records | Strong Salt relevance; also Volt movement | Planned engineering work must be correlated |
| Firmware or boot-integrity deviation | Can undermine trust in an edge device | Vendor integrity features, inventory, firmware provenance | Both | Capability varies by platform; validate vendor guidance |
| Log-source silence or time drift | Can hide sequence and frustrate scoping | SIEM ingestion health, NTP status, device audit logs | Both | Device failure and capacity issues are common alternatives |
| East-west discovery followed by remote administration | Can indicate movement using legitimate tools | Network telemetry, process context, identity, remote-service logs | Strong Volt relevance | Administration and vulnerability scanning can create similar patterns |
| Re-entry after containment | Indicates incomplete removal or another access path | Identity, edge, DNS, flow, configuration, and endpoint evidence | Both | Define a clean monitoring period and known-good baseline |
Document the data searched, time range, hypotheses, results, and blind spots. Revalidate IP addresses and domains before turning them into lasting detection rules.
Follow current official incident-response guidance and use qualified assistance. Telecom and OT containment requires specialist safeguards because aggressive action can affect service continuity or safety.
Authorised threat-informed testing can validate external exposure, management interfaces, privileged access, segmentation, identity controls, cloud, web and API paths, detection coverage, and recovery. The goal is to test selected controls—not to reproduce a nation-state operation.
Testing must reflect asset criticality and safety constraints. A penetration test cannot prove Salt Typhoon or Volt Typhoon is absent, replace continuous monitoring, or guarantee future protection. Telecom and OT exercises need approved windows, stop conditions, and remediation retesting.
A scoped red-team assessment can test approved attack paths and detection controls against the organisation's threat model.
“They are the same group.” They are separate labels; shared attribution or techniques do not prove common command.
“Every China-linked intrusion is a Typhoon operation.” Naming and cluster boundaries differ, and wider campaigns may only partially overlap Salt.
“Living off the land means no exploit or malware.” Initial access may exploit vulnerabilities, and operations may combine legitimate tools with malware.
“EDR covers edge devices.” Many routers lack agents, so device, identity, configuration, and network telemetry are essential.
“The KV Botnet was the whole Volt operation.” It was supporting router infrastructure; disruption did not remove every victim foothold.
“IOC lists provide lasting protection.” Infrastructure changes; use current indicators for bounded investigations and durable behaviour-based detection.
“A penetration test certifies safety.” Testing validates selected paths and controls but cannot guarantee absence, prevention, or complete coverage.
| Executive question | Why it matters | Evidence to request | Owner |
|---|---|---|---|
| Do we know every externally managed network device? | Unknown edge systems can bypass endpoint visibility | Reconciled inventory, exposure scan, owner, support and patch state | CIO; network leader |
| Are internet-facing management interfaces restricted? | Direct administration expands the initial-access surface | Approved access paths and independent denied-access test | Network security |
| Can we investigate network devices without relying only on EDR? | Routers and appliances often lack agents | Device auth, configs, flows, logs, retention, and collection procedure | SOC; network operations |
| Do privileged accounts have clear ownership? | Shared or dormant access weakens attribution and containment | Named owner, purpose, last use, MFA, privilege, and review | Identity leader |
| Are telecom or critical-service dependencies mapped? | Incident decisions can affect services beyond the compromised asset | Current service and trust dependency map | Architecture; business continuity |
| Can the SOC retain and search the relevant logs? | Detection and scoping depend on history and time alignment | Coverage, ingestion health, searchable period, and tested analytics | SOC manager |
| Can we isolate compromised segments safely? | Containment without dependency knowledge can create harm | Runbook, authority, safety review, and exercise record | Incident response; operations |
| Are vendor remote-access paths governed? | Third-party routes can become persistent, weakly owned entry points | Sponsor, time bounds, logging, approved path, and revocation test | Vendor risk; system owner |
| Have we tested recovery from loss of network-management trust? | Configurations, credentials, and tools may all be suspect | Known-good backups, clean admin path, rebuild and restore exercise | Infrastructure; continuity |
| Have we validated controls against threat-informed scenarios? | Policy does not show whether controls work together | Test scope, findings, detection evidence, remediation, and retest | Assurance; SOC |
| Are reporting and escalation obligations documented? | Sector, privacy, contractual, and national duties differ | Decision tree, contacts, thresholds, and counsel review | Legal; compliance; CISO |
Salt Typhoon is Microsoft's label for PRC-linked telecommunications espionage. U.S. agencies reported access to telecom infrastructure and theft of call-record data, selected communications, and certain law-enforcement-request information.
Volt Typhoon is Microsoft's label for PRC state-sponsored activity involving persistent critical-infrastructure access, valid accounts, living-off-the-land behaviour, and edge infrastructure. Agencies assess that access could support future disruption.
Salt centres on telecom espionage. Volt centres on persistent critical-infrastructure access and possible disruptive pre-positioning. Shared techniques do not make them the same group.
No. Authoritative sources track them separately; shared attribution or infrastructure targeting does not prove shared personnel or command.
U.S., Canadian, and allied agencies link Salt Typhoon or associated activity to PRC state-sponsored actors. It remains an analytical cluster, not a disclosed legal organisation.
Yes, according to Microsoft and allied governments. The assessment does not identify every participant or prove that disruption occurred.
Telecommunications and ISP infrastructure are the clearest targets. Broader guidance lists other sectors only as partial overlap with the Salt label.
Official guidance identifies communications, energy, transportation, and water organisations, with more sectors in Microsoft's original disclosure. Scope varies by source and date.
Valid accounts and built-in tools can resemble normal administration, so detection needs identity, command, network, and configuration context.
Prioritise device authentication, account and key changes, configuration history, flows, unusual outbound traffic, remote administration, and identity anomalies. A single indicator match does not prove attribution.
Penetration testing can expose management, segmentation, privilege, and detection weaknesses. It is not forensics unless scoped that way and cannot certify that an actor is absent.
Activate incident response, preserve network and identity evidence, protect logs, assess privileged access, and coordinate containment. Avoid resets that destroy evidence or disrupt critical operations.
Salt Typhoon and Volt Typhoon are separate PRC-linked clusters: Salt is associated with communications espionage; Volt with persistent critical-infrastructure access and possible disruptive pre-positioning. Defenders should preserve that distinction while addressing shared edge, identity, segmentation, and visibility weaknesses.
Priorities are restricted management interfaces, attributable privilege, supported edge devices, tested segmentation, centralised logs, configuration monitoring, and rehearsed recovery. Telecom teams should protect management-plane trust; critical operators should protect IT/OT boundaries and continuity.
DeepStrike supports authorised threat-informed assessments across infrastructure, networks, cloud, identity, web applications, APIs, and critical paths. Testing should follow asset risk, safety constraints, remediation, and ongoing monitoring.
Mohammed Khalil is a DeepStrike Cybersecurity Architect specialising in penetration testing, application and cloud security, and threat-informed assurance. He holds CISSP, OSCP, and OSWE certifications and focuses on attack paths, control validation, and remediation.

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today
Contact Us