
Volt Typhoon is a state-sponsored advanced persistent threat (APT) group, attributed to China, that’s been quietly targeting critical infrastructure—including energy, water, transportation, and telecoms—since at least 2021. According to CISA’s advisory (AA24-038A), their tactics prioritize stealth over speed: exploiting zero-day vulnerabilities, leveraging valid credentials, and using “living-off-the-land” techniques like PowerShell and WMI to avoid detection.
While the group’s known targets have been primarily in the U.S., the risk extends globally. In an interconnected infrastructure ecosystem, a breach in one region can quickly ripple across supply chains, affecting North America and Europe alike.
Combating modern identity-centric threats requires more than perimeter defences and EDR. Security teams need deep, continuous visibility into access across human and non-human identities—and the ability to act on that insight in real time. An identity threat detection approach built on access intelligence is key to identifying and disrupting campaigns like Volt Typhoon.
Platforms like Veza provide this capability by mapping who can do what across fragmented environments, helping CISOs reduce risk without slowing operations.
How Veza Helps Defend Against Volt Typhoon
1. Detecting Abuse of Legitimate Credentials and Living-Off-the-Land Binaries (LOLBins)
APT groups like Volt Typhoon are adept at avoiding detection by using legitimate tools, such as PowerShell, WMI, and command-line interfaces, to operate under the radar. This tactic, known as “living off the land,” evades traditional EDR and SIEM alerts.
An access intelligence platform like Veza’s Access Graph can correlate identity permissions with behaviour to surface anomalies, such as unauthorized use of administrative tools from rarely used accounts, enabling earlier threat detection.
2. Eliminating Overprivileged Access to Limit Lateral Movement
Overprivileged access remains a leading cause of lateral movement in cyber intrusions. Attackers often exploit dormant or excessive permissions to pivot across systems and escalate privileges.
With Veza, organizations can apply least privilege principles consistently across users, service accounts, and non-human identities—limiting the blast radius of compromised credentials and preventing unauthorized lateral movement to operational technology (OT) environments.
3. Continuous Monitoring to Disrupt Long-Term Persistence
Long-term persistence is a hallmark of Volt Typhoon’s strategy. Rather than install malware, they often rely on rarely used or dormant accounts to maintain covert access.
Identity-first monitoring tools like Veza continuously analyze account usage patterns, enabling teams to detect anomalies such as privilege escalations or reactivated service accounts before attackers can exploit them.
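The two detection ideas above (sections 1 and 3: admin-tool use from a rarely used account, and a dormant account coming back to life) can be expressed as one rule over process-creation telemetry. The following is an added illustration, not Veza's code or any product logic; the event records, account names, the 90-day dormancy window and the `flag_dormant_lolbin_use` function are all assumptions constructed for the example.

```python
from datetime import datetime

# Living-off-the-land tools named in the post (PowerShell, WMI, command line).
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "cmd.exe"}

# Constructed sample process-creation events (not real telemetry), any order.
SAMPLE_EVENTS = [
    {"ts": "2024-01-03T02:00:00", "user": "ops-backup", "host": "hist01", "process": "robocopy.exe"},
    {"ts": "2024-01-15T10:05:00", "user": "jsmith",     "host": "ws-044", "process": "powershell.exe"},
    {"ts": "2024-02-01T08:30:00", "user": "jsmith",     "host": "ws-044", "process": "powershell.exe"},
    {"ts": "2024-02-20T11:00:00", "user": "jsmith",     "host": "ws-044", "process": "outlook.exe"},
    {"ts": "2024-05-10T02:47:00", "user": "ops-backup", "host": "hist01", "process": "wmic.exe"},
    {"ts": "2024-05-10T02:49:00", "user": "svc-legacy", "host": "dc01",   "process": "powershell.exe"},
    {"ts": "2024-05-12T09:00:00", "user": "jsmith",     "host": "ws-044", "process": "powershell.exe"},
]

def flag_dormant_lolbin_use(events, baseline_end="2024-04-01T00:00:00",
                            dormant_days=90, min_history=3):
    """Alert on admin-tool executions by accounts that are unknown, dormant
    (no activity for `dormant_days`) or rarely used (< `min_history` events).
    Events before `baseline_end` only build per-account history."""
    baseline_end = datetime.fromisoformat(baseline_end)
    last_seen, count, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ts >= baseline_end and ev["process"].lower() in ADMIN_TOOLS:
            prior = last_seen.get(user)
            reason = None
            if prior is None:
                reason = "never seen before"
            elif (ts - prior).days >= dormant_days:
                reason = f"dormant {(ts - prior).days} days"
            elif count[user] < min_history:
                reason = f"only {count[user]} prior events"
            if reason:
                alerts.append({"ts": ev["ts"], "user": user, "host": ev["host"],
                               "process": ev["process"], "reason": reason})
        # Every event, alerted or not, updates the account's activity profile.
        last_seen[user] = ts
        count[user] = count.get(user, 0) + 1
    return alerts

if __name__ == "__main__":
    for alert in flag_dormant_lolbin_use(SAMPLE_EVENTS):
        print(alert)
```

In the sample data the backup account's WMI use after 128 idle days and the never-before-seen service account running PowerShell are flagged, while the regularly active user running PowerShell is not.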
4. Securing Non-Human Identities
Non-human identities—like service accounts, SSH keys, and API tokens—often fly under the radar of traditional security controls, yet they’re a prime target for groups like Volt Typhoon.
Veza helps organizations discover and govern these identities across cloud, SaaS, and on-prem environments, ensuring they are actively used, properly scoped, and owned. This visibility helps eliminate orphaned or overprivileged accounts that could otherwise serve as entry points for command-and-control (C2) operations.
5. Unified Identity Governance Across Fragmented Infrastructure
Across both North America and the EU, critical infrastructure environments are increasingly complex, hybrid, and fragile—spanning cloud, SaaS, on-prem, and OT systems. This fragmentation makes identity governance even more challenging.
Solutions like Veza unify visibility across environments—including AWS, Azure, Microsoft 365, Salesforce, and Oracle—giving CISOs a single source of truth to secure access across all identity types and platforms.
Why It Matters — and What to Do Next
Volt Typhoon isn’t just another APT—it’s emblematic of a new threat era where identities, not malware, are the primary weapon. These adversaries bypass traditional defences by exploiting the gaps in how access is governed, monitored, and enforced.
Modern security leaders must rethink their posture: Identity needs to be treated with the same urgency and rigor as endpoint and network security. That starts with visibility and control over who can take what actions across all systems—cloud, SaaS, on-prem, and OT.
For a clear overview of how Veza addresses these challenges, start with the Platform Overview Data Sheet. It offers a concise summary of how Veza delivers identity and access intelligence across hybrid infrastructure, helping you enforce least privilege access and identify abnormal behaviour early.
Ready to go deeper? Explore Veza’s unique architectural approach in The Veza Advantage – Product Whitepaper. This resource outlines how Veza’s Authorization Metadata Graph and open APIs deliver the access intelligence foundation critical to defending against identity-driven threats like Volt Typhoon.
In an era defined by identity-centric threats, proactive identity security isn’t optional—it’s essential. Veza helps security teams unify visibility, disrupt persistence, and respond decisively to threats before they become breaches.
About the Authors
This article was co-authored by Matthew Romero, Technical Product Marketing Manager at Veza, and Rob Rachwald, VP of Marketing at Veza. Together, they bring deep expertise in identity security, cybersecurity marketing, and go-to-market strategy.
Matthew’s background includes a wealth of experience in identity-centric security, hybrid cloud environments, and SecOps. He focuses on translating complex identity access challenges into clear, actionable insights for security leaders. Matthew’s expertise lies in bridging technical depth with strategic communication, helping organizations defend against modern threats.
Rob has over two decades of experience in cybersecurity marketing, having led go-to-market efforts at companies like Palo Alto Networks, FireEye, and Fortinet. His work spans across nearly every facet of the security landscape, including identity security, endpoint protection, and threat intelligence. Rob is passionate about simplifying complex security concepts into impactful, strategic narratives that resonate with CISOs and security teams.
Together, Matthew and Rob bring a unique blend of technical and strategic perspectives, helping security leaders build proactive defenses against evolving identity-driven threats.