
The Invisible Occupation: Volt Typhoon and the Strategic Pre-Positioning of Maritime Infrastructure

Maritime Cyber Threat Briefing #11

[Figure: From Quiet Access to Crisis-Time Disruption]

In December 2024, something remarkable happened in a meeting room in Geneva. Senior Chinese officials reportedly signalled in a private meeting that the Volt Typhoon campaign was real, state-directed, and tied to Beijing’s military calculus around Taiwan. The Wall Street Journal

They did not use the name. They did not issue a statement. But the admission was clear enough that American officials left the room in no doubt: the campaign was real, it was state-directed, and it was linked to China’s military calculus around Taiwan.

That acknowledgement [which did not become public until April 2025] represents one of the most significant moments in the history of state-sponsored cyber operations. Not because China confessed. But because they felt compelled to say anything at all.

The Office of the Director of National Intelligence’s 2026 Annual Threat Assessment highlights persistent cyber threats posed by Chinese government-linked cyber actors. CISA, NSA, and FBI assess that these APT actors are positioning themselves within information technology networks, enabling lateral movement to operational technology systems [the hardware and software that control critical infrastructure] to disrupt critical functions at a time of their choosing. Control Risks

This briefing is about what that means for maritime. Because while the public discourse around Volt Typhoon has focused on power grids, water systems, and telecommunications, the maritime dimension of China’s pre-positioning strategy has received almost no attention in the shipping industry. It deserves urgent analysis.

The series has documented Iranian cyber-to-kinetic operations since Briefing #1, GPS spoofing and electronic warfare in Briefings #5 and #9, and port infrastructure attack methodology in Briefing #10. This briefing closes the arc on the geopolitical threat landscape by examining the most strategically sophisticated actor in the current threat environment and what it has already done, quietly, to maritime infrastructure that the global shipping industry depends on.


Understanding Volt Typhoon: This Is Not Espionage

[Figure: Not Espionage. Pre-Positioning for Disruption.]

The instinct, when confronting a Chinese state-sponsored cyber campaign, is to frame it as espionage, intelligence collection, data theft and commercial advantage. That framing is wrong for Volt Typhoon, and understanding why it is wrong is essential to understanding the maritime risk.

CISA’s executive assistant director for cybersecurity explained that Volt Typhoon was found using living-off-the-land techniques on targets “where there is no reasonable espionage benefit.” When asked about the total number of victims, CISA’s executive director stated that any number given “is likely an underestimate.” Vectra AI

Volt Typhoon’s targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology assets for potential destructive or disruptive attacks. The group has emphasized stealth using living-off-the-land binaries, hands-on keyboard activity, and stolen credentials. Cyble

The distinction is fundamental. An espionage campaign collects information that has value. Volt Typhoon is gaining access to systems whose value lies not in the data they hold but in the functions they perform:

  • Power distribution
  • Water treatment
  • Communications routing
  • Transportation management.

There is only one reason to pre-position inside operational technology systems that control physical infrastructure: to be able to disrupt or destroy those systems at a future moment of strategic choice.

In a secret meeting in Geneva in December 2024, Chinese officials indirectly acknowledged their role in cyberattacks against US critical infrastructure linked to the Volt Typhoon campaign. This admission validates long-standing fears that China’s cyber operations are designed to deter American intervention in Taiwan. Volt Typhoon represents a notable shift from cyber espionage to battlefield preparation, specifically targeting civilian infrastructure critical to US national resilience. Honeywell

The strategic logic is not difficult to decode. In a Taiwan crisis scenario, the United States would need to rapidly mobilise military assets across the Pacific. That mobilisation depends on functioning ports, functioning communications infrastructure, functioning logistics networks, and functioning fuel supply chains. Pre-positioning cyber access inside those systems [and being able to degrade or disable them at the moment of crisis] delays the American response, degrades military readiness, and potentially alters the outcome of a conflict without a single kinetic weapon being fired at a US military target.

This is not a theoretical scenario constructed by intelligence analysts. The scenario has been explicitly modelled: PRC forces move on Taiwan; the US Navy mobilises carrier groups; simultaneously, cyber sabotage cripples infrastructure on US territorial and allied islands, impacting power and water on key bases, delaying deployments, and jeopardising the Department of Defense’s ability to effectively aid Taiwan. Industrial Cyber

The maritime dimension of that model is direct, documented, and currently underweighted in the industry’s threat assessment.


The Maritime Target Set: What Has Been Confirmed

[Figure: Maritime Infrastructure Is the Logistics Backbone of Crisis Response]

Microsoft’s original disclosure explicitly listed the maritime sector in Volt Typhoon’s target set, and the US Coast Guard separately warned that the activity affected the Marine Transportation System. Microsoft; United States Coast Guard

Microsoft’s original disclosure confirmed that Volt Typhoon has targeted organisations across communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Volt Typhoon proxies all its network traffic to targets through compromised small office and home office network edge devices including routers from ASUS, Cisco, D-Link, NETGEAR, and Zyxel. PC Quest

Maritime is explicitly named in the confirmed target set. That is not incidental. The targeting of maritime infrastructure in Guam [a critical US military and logistics hub whose port facilities would be essential for any Pacific conflict mobilization] reflects a deliberate assessment of what needs to be degraded to slow the American response to a Taiwan crisis.

Beginning in 2021, Volt Typhoon executed a years-long cyber-espionage campaign that quietly targeted infrastructure on Guam, impacting telecom companies, satellite operators, and systems linked to US military operations on the island. The hackers exploited vulnerabilities in unsecured edge devices, directing attacks against Fortinet FortiGate appliances. Once inside, they harvested credentials and moved laterally across networks. The campaign remained undetected before being discovered by Microsoft researchers and US intelligence agencies. Smartmaritimenetwork

The Guam targeting is the clearest documented case of Volt Typhoon maritime-adjacent activity. But the implications extend far beyond Guam. US-allied ports in Japan, South Korea, Australia, and across the Indo-Pacific serve similar logistics and military support functions. The Kaohsiung and Keelung container ports in Taiwan [two of the world’s highest-throughput facilities] handle the semiconductor supply chain on which the entire global technology ecosystem depends. These ports have been assessed at a critical composite cyber risk score of 95 out of 100, facing threats from Volt Typhoon, APT41, and ArcaneDoor amid escalating China-Taiwan tensions. CongressGov

Beyond the immediate Taiwan theatre, Volt Typhoon’s confirmed activity across US West Coast transportation infrastructure, Hawaii, and Texas represents a systematic mapping of the maritime logistics network that would be required to sustain any extended Pacific military operation. These are not random targets. They are the nodes of a logistics chain, and the group has been inside them for years.


The Living-off-the-Land Methodology: Why You Cannot Find What You Cannot See

The most operationally significant characteristic of Volt Typhoon is not its targets. It is its technique and why that technique makes detection extraordinarily difficult in the maritime environment specifically.

Volt Typhoon abuses legitimate network administration tools used for routine maintenance, system configuration, and privilege management, making its activity indistinguishable from that of authorised administrators. As these actions rely on trusted tools and interfaces, traditional security controls often fail to detect anything unusual. This allows the threat actor to maintain long-term access while blending malicious traffic into normal network patterns. SecurityWeek

Living-off-the-land means exactly what it says. Rather than deploying custom malware that creates a detectable signature, Volt Typhoon uses the legitimate administrative tools already present in the target environment:

  • PowerShell
  • Windows Management Instrumentation
  • Command-line utilities

It uses them to conduct reconnaissance, harvest credentials, move laterally across networks, and establish persistence. From the perspective of any security monitoring tool looking for malicious software signatures, there is nothing to find. The activity looks like a network administrator doing their job.

When the FBI called the assistant general manager of Littleton Electric Light and Water Department on a Friday afternoon in November 2023, it was to tell him that Chinese state-sponsored hackers had been living inside his organisation’s systems for nearly ten months. The utility serves two small towns about 30 miles northwest of Boston. It is not a major defence contractor or a government agency. It is a local power and water company. Cyble

  1. Read that carefully. A local utility [not a defense contractor, not a government agency, not a strategically obvious target] had been hosting Volt Typhoon for ten months before the FBI found it and made the call. The utility had no idea. Their monitoring tools had nothing to flag. The attackers were using the utility’s own administrative tools to conduct their operations.
  2. Now apply that scenario to a maritime context. A port authority’s vessel traffic management system. A ship management company’s fleet operations platform. A satellite communications provider’s network operations centre. An OEM’s remote access infrastructure connecting to thousands of vessels. None of these are hardened government networks. Many are operated by organisations whose cybersecurity monitoring capability is limited. And the attacker’s methodology is specifically designed to be invisible to exactly the monitoring tools these organisations are most likely to have deployed.

CISA issued a supplementary advisory in February 2026 noting that Volt Typhoon activity had intensified since mid-2025, with new indicators of compromise identified in the water and communications sectors, characterising the heightened activity as consistent with “pre-conflict positioning.” CongressGov

The intensification in 2025, as US-China tensions elevated across the semiconductor export restriction dispute and the broader strategic competition, is not coincidental. The tempo of pre-positioning activity correlates with the geopolitical temperature. As the strategic environment deteriorates, the access is being expanded and verified.


The Taiwan Scenario: What Maritime Disruption Would Actually Look Like

The Taiwan Strait carries approximately 20 percent of global maritime trade. Kaohsiung is the fifteenth largest container port in the world. The semiconductor supply chain [on which every advanced military system, every data centre, every modern vehicle, and every consumer electronic device depends] flows through Taiwan’s ports.

The PLA has increasingly normalised military simulations of blockades and coercive maritime operations in the Taiwan Strait aimed at disrupting commercial traffic and asserting control over critical sea lanes. The CCP has ramped up cyberattacks against Taiwan’s energy grid. Taiwan’s National Security Bureau reported that successful cyber intrusions doubled year over year in 2024. Beijing is embedding itself in energy sector technology supply chains and targeting LNG terminal logistics to choke fuel offloading. Brside

[Figure: Taiwan Crisis Activation Would Turn Hidden Access Into Maritime Disruption]

Beijing might employ the China Coast Guard to undertake boarding, inspecting, and diversion operations under the guise of law enforcement. In combination with sabotage and cyberattacks on Taiwan’s critical infrastructure, as well as economic pressures on suppliers, Beijing might achieve an impact equivalent to a blockade without crossing the threshold of open armed conflict. Economy Middle East

The maritime cyber dimension of a Taiwan crisis would not be limited to Taiwan’s own ports and infrastructure. The pre-positioning already documented inside US transportation and communications infrastructure creates the capability to simultaneously degrade the response capacity of any nation attempting to support Taiwan, disrupting the port logistics, fuel distribution, and communications networks that military mobilization depends on.

A blockade would not be just an economic challenge. It represents a fundamental disruption to the global supply chain for advanced semiconductors, affecting manufacturers worldwide from German carmakers to US consumer electronics producers. The Taiwan Strait is a narrow but heavily traversed waterway where 20 percent of world shipping passes. Security Middle East

For commercial shipping companies, the practical consequence of a Taiwan Strait crisis [with or without the cyber dimension] is severe. Routes disrupted. War risk insurance premiums surging as they did in the Hormuz crisis. Cargo rerouted through longer and more expensive alternatives. Vessel scheduling thrown into months of uncertainty. The maritime industry learned this lesson from the Hormuz crisis in 2026. The Taiwan scenario carries the same economic consequences at potentially larger scale. The cyber pre-positioning documented inside maritime infrastructure adds a dimension of active operational disruption that the Hormuz crisis, for all its severity, did not fully demonstrate.


What Maritime Operators Need to Understand About Their Exposure

The Volt Typhoon threat to maritime infrastructure has three characteristics that make it distinct from every other threat category the series has previously documented.

  1. It is already inside. The Iranian cyber campaigns documented in Briefings #1 and #3 were active offensive operations, attacks that happened and were detected. Volt Typhoon’s methodology is designed for silent, persistent access that precedes any visible attack. The access is being established now, in environments that may show no signs of compromise, for use at a moment of Beijing’s choosing. The question for maritime operators is not whether this threat is coming. It is whether it is already present in their environment and they do not know it.
  2. The entry point is the edge device. Living-off-the-land attacks target edge devices such as routers, firewalls, and virtual private networks. From there, attackers access credentials of key personnel in networks without detection, enabling disruption of operational technologies. The 800 percent increase in edge device attacks documented in Cydome’s 2026 Maritime Cyber Trends Report [highlighted in this series’ editorial research for Briefing #11] and Volt Typhoon’s documented methodology are describing the same attack surface from two different directions. The router sitting at the boundary of a vessel traffic management system, a port operations network, or a satellite communications hub is the entry point. And in maritime environments, these devices are frequently unpatched, undocumented, and unmonitored. Proarch
  3. The detection gap is structural. Traditional security monitoring looks for malicious software signatures. Volt Typhoon does not use malicious software. It uses the administrative tools the organization already has. Detecting it requires behavioral monitoring: analyzing patterns of administrative activity and identifying anomalies against a baseline of normal behavior. CISA has confirmed that some Volt Typhoon victims are smaller organizations with limited cybersecurity capabilities that provide critical services to larger organizations or key geographic locations. The maritime supply chain is full of exactly these organizations: smaller port service companies, regional logistics providers, satellite communications resellers, and local vessel traffic management operators whose connectivity to larger maritime infrastructure makes them valuable entry points and whose security capability makes them accessible targets. Cydome
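The third point above, and the earlier description of living-off-the-land tooling, rest on the same observation: the signal is not a malicious binary but a legitimate administrative tool used by the wrong account, on the wrong host, at the wrong hour, or far more often than usual. The Python script below is an added example written for this briefing, not the briefing’s own material and not taken from any cited advisory. It builds a per-account baseline of administrative-tool use from a quiet period of process-creation records and then scores a later window for deviations from that baseline. The executable names chosen to stand for “PowerShell, WMI and command-line utilities”, the hostnames, the account names, and every log line are constructed for the example.

```python
"""Behavioral hunt for living-off-the-land administrative activity.

A baseline of who ran which admin tool, where, when, and launched by what,
is learned from a quiet period.  A later window is then checked for:
a tool the account never ran, a host the account never administered,
an hour the account never worked, a parent process that never launched
that tool, or a day with far more admin-tool activity than the busiest
baseline day.  All records below are constructed; they are not real events.
"""
from collections import defaultdict
from datetime import datetime

# Tools to profile.  The briefing names PowerShell, WMI and command-line
# utilities generically; these executable names are this example's choice.
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "netsh.exe", "net.exe"}

# Constructed process-creation records: timestamp host user image parent
BASELINE_LOG = r"""
2026-01-05T09:12:04 VTS-ADMIN01 port\jsmith powershell.exe explorer.exe
2026-01-05T14:30:11 VTS-ADMIN01 port\jsmith wmic.exe cmd.exe
2026-01-06T10:02:45 VTS-ADMIN01 port\jsmith powershell.exe explorer.exe
2026-01-07T16:48:09 VTS-ADMIN01 port\jsmith wmic.exe cmd.exe
2026-01-08T11:15:33 VTS-ADMIN01 port\jsmith powershell.exe explorer.exe
2026-01-05T02:00:02 VTS-SRV02 port\svc_backup powershell.exe services.exe
2026-01-06T02:00:01 VTS-SRV02 port\svc_backup powershell.exe services.exe
2026-01-07T02:00:03 VTS-SRV02 port\svc_backup powershell.exe services.exe
"""

# Constructed observation window: two routine lines, then a burst of
# admin-tool use by a day-shift account on a server it never touched, at 03:00.
OBSERVED_LOG = r"""
2026-01-12T09:40:12 VTS-ADMIN01 port\jsmith powershell.exe explorer.exe
2026-01-12T02:00:02 VTS-SRV02 port\svc_backup powershell.exe services.exe
2026-01-12T03:17:45 VTS-SRV02 port\jsmith wmic.exe cmd.exe
2026-01-12T03:19:02 VTS-SRV02 port\jsmith netsh.exe cmd.exe
2026-01-12T03:21:30 VTS-SRV02 port\jsmith net.exe cmd.exe
2026-01-12T03:22:10 VTS-SRV02 port\jsmith powershell.exe wmic.exe
"""


def parse_log(text):
    """Yield admin-tool events as dicts; other process creations are ignored."""
    for line in text.strip().splitlines():
        ts, host, user, image, parent = line.split()
        if image.lower() in ADMIN_TOOLS:
            yield {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                   "image": image.lower(), "parent": parent.lower()}


def build_baseline(events):
    """Summarise what normal administrative activity looked like."""
    b = {"tools": set(), "hosts": set(), "hours": defaultdict(set),
         "parents": defaultdict(set), "daily": defaultdict(int)}
    for e in events:
        b["tools"].add((e["user"], e["image"]))
        b["hosts"].add((e["user"], e["host"]))
        b["hours"][e["user"]].add(e["ts"].hour)
        b["parents"][e["image"]].add(e["parent"])
        b["daily"][(e["user"], e["ts"].date())] += 1
    # Busiest baseline day per account, used for the volume check.
    b["max_daily"] = defaultdict(int)
    for (user, _day), n in b["daily"].items():
        b["max_daily"][user] = max(b["max_daily"][user], n)
    return b


def hunt(baseline_text, observed_text):
    """Return findings: anomalous events plus per-account daily volume spikes."""
    b = build_baseline(parse_log(baseline_text))
    findings, daily = [], defaultdict(int)
    for e in parse_log(observed_text):
        reasons = []
        if (e["user"], e["image"]) not in b["tools"]:
            reasons.append("new_tool_for_account")
        if (e["user"], e["host"]) not in b["hosts"]:
            reasons.append("new_host_for_account")
        if e["ts"].hour not in b["hours"][e["user"]]:
            reasons.append("off_hours")
        known_parents = b["parents"].get(e["image"])
        if known_parents and e["parent"] not in known_parents:
            reasons.append("unusual_parent")
        if reasons:
            findings.append({"kind": "anomalous_event", "reasons": reasons,
                             **{k: e[k] for k in ("ts", "host", "user", "image")}})
        daily[(e["user"], e["ts"].date())] += 1
    # More than twice the busiest baseline day is treated as a spike.
    for (user, day), n in daily.items():
        if n > 2 * b["max_daily"][user]:
            findings.append({"kind": "volume_spike", "user": user, "day": day,
                             "count": n, "baseline_max": b["max_daily"][user]})
    return findings


if __name__ == "__main__":
    for f in hunt(BASELINE_LOG, OBSERVED_LOG):
        print(f)
```

Run as-is, the two routine observed lines produce nothing and the four 03:00 events on VTS-SRV02 surface with their reasons, followed by a volume spike for the account. In a real environment the baseline would be learned from weeks of Windows process-creation events rather than eight lines, and the two thresholds (any unseen hour, twice the busiest baseline day) would be tuned to the organisation’s own administrative rhythm so that scheduled maintenance does not drown the hunt in noise.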

Mitigation: Hunting for What Signature-Based Tools Cannot Find

[Figure: The Threat Hides Inside Normal Operations]

The mitigation response to Volt Typhoon requires a fundamentally different security posture from the controls that address most other maritime cyber threats. Patching against known vulnerabilities matters. Fortinet FortiGate, Cisco IOS, Citrix ADC, and NETGEAR devices with unpatched CVEs are the documented initial access vector. But patching alone does not address an attacker that is already inside using legitimate tools.

  1. Threat hunting as an operational discipline. Volt Typhoon cannot be detected by waiting for alerts from signature-based tools. It requires active hunting: deliberately searching for indicators of compromise and anomalous behavior patterns against a documented baseline of normal administrative activity. CISA advisory AA24-038A provides detailed indicators of compromise and YARA rules specifically developed for Volt Typhoon detection. Maritime organizations with critical infrastructure connections [port authorities, vessel traffic management operators, major shipping companies, communications providers] should be engaging threat hunting capability against these specific indicators as an operational priority, not a future aspiration.
  2. Edge device governance as a security-critical function. Every router, firewall, VPN concentrator, and satellite terminal connected to a maritime operations network must be documented, inventoried, patched, and monitored. Management interfaces must not be exposed to the public internet. Default credentials must be eliminated. Volt Typhoon proxies all its network traffic through compromised SOHO network edge devices. Network edge device owners should ensure that management interfaces are not exposed to the public internet to reduce the attack surface. This is a basic control. It is not universally implemented across the maritime sector, and the consequences of that gap are now documented at the highest levels of government intelligence. PC Quest
  3. Network segmentation between IT and OT as a containment measure. If Volt Typhoon gains access to the IT environment of a port or vessel management organization, the priority containment measure is ensuring it cannot reach OT systems: the vessel traffic management infrastructure, the terminal operating systems, and the industrial control systems that govern physical operations. The lateral movement from IT to OT is Volt Typhoon’s documented next step after initial access. Segmentation does not prevent initial access. It limits the operational damage when access is achieved.
  4. Privileged access management and credential hygiene. Volt Typhoon’s primary technique after initial access is credential harvesting, collecting the administrative credentials that allow lateral movement across the network. Removing stale accounts, enforcing multi-factor authentication on all privileged access, limiting the scope of administrative credentials, and monitoring for unusual credential usage patterns are the controls that interrupt the lateral movement phase before it reaches OT systems.
  5. Intelligence-sharing participation. The Maritime Transportation System Information Sharing and Analysis Center in the United States, the Dutch Ferm Seaports collective intelligence model discussed in Briefing #10, and equivalent national maritime cybersecurity frameworks provide access to threat intelligence that individual maritime operators cannot generate independently. Volt Typhoon indicators of compromise, observed TTPs, and new advisory updates from CISA and Five Eyes partners are distributed through these channels. Maritime organisations that are not actively participating in these networks are operating without access to the most current available intelligence about the threat targeting their infrastructure.
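Steps 2, 3 and 4 above are configuration questions that an organisation can answer from its own inventory before any hunt begins. The Python script below is an added example written for this briefing, not the briefing’s own material and not any vendor’s or agency’s tool. It audits constructed records for edge devices, privileged accounts and IT-to-OT firewall rules against the controls named in those steps: exposed management interfaces, default credentials, patch age, log forwarding, multi-factor authentication, stale and over-broad credentials, and direct or unrestricted paths from IT zones into OT zones. The device and account names, the zone names, the audit date, and the two thresholds (a 30-day patch window and a 90-day stale-account window) are all assumptions made for the example.

```python
"""Configuration audit for the edge device, segmentation and credential
controls described in the mitigation steps.  Every record below is
constructed for the example; nothing here describes a real port."""
from datetime import date

AUDIT_DATE = date(2026, 3, 1)   # assumed date of the audit run
PATCH_SLA_DAYS = 30             # assumed: edge devices patched within 30 days
STALE_ACCOUNT_DAYS = 90         # assumed: 90 days without a login is stale

# Constructed edge device inventory (names and states are invented).
EDGE_DEVICES = [
    {"name": "vts-fw-01", "role": "VTS perimeter firewall", "mgmt_wan_exposed": True,
     "default_creds_changed": True, "last_patched": date(2025, 9, 14), "syslog_forwarded": True},
    {"name": "pier3-rtr-02", "role": "pier office router", "mgmt_wan_exposed": False,
     "default_creds_changed": False, "last_patched": date(2026, 2, 20), "syslog_forwarded": False},
    {"name": "vsat-term-07", "role": "satellite terminal", "mgmt_wan_exposed": False,
     "default_creds_changed": True, "last_patched": date(2026, 2, 1), "syslog_forwarded": True},
]

# Constructed privileged accounts.  scope "all" means the credential is valid
# in both the IT and the OT zones.
PRIVILEGED_ACCOUNTS = [
    {"name": r"port\ops-admin", "mfa": True, "last_login": date(2026, 2, 27), "scope": "it"},
    {"name": r"port\vendor-remote", "mfa": False, "last_login": date(2025, 10, 3), "scope": "all"},
    {"name": r"port\svc_backup", "mfa": False, "last_login": date(2026, 2, 28), "scope": "it"},
]

# Constructed firewall rules crossing the IT/OT boundary.  Zone names are
# invented; "ot-" prefixed zones hold terminal operating systems, VTS and ICS.
BOUNDARY_RULES = [
    {"src": "it-users", "dst": "ot-tos", "service": "any", "via_jump_host": False},
    {"src": "it-jump", "dst": "ot-vts", "service": "tcp/22", "via_jump_host": True},
    {"src": "it-users", "dst": "ot-ics", "service": "tcp/3389", "via_jump_host": False},
]


def finding(severity, subject, message):
    return {"severity": severity, "subject": subject, "message": message}


def audit_edge_devices(devices, today=AUDIT_DATE):
    """Step 2: inventoried, patched, monitored, no exposed management, no defaults."""
    out = []
    for d in devices:
        if d["mgmt_wan_exposed"]:
            out.append(finding("HIGH", d["name"], "management interface reachable from the internet"))
        if not d["default_creds_changed"]:
            out.append(finding("HIGH", d["name"], "factory default credentials still in place"))
        age = (today - d["last_patched"]).days
        if age > PATCH_SLA_DAYS:
            out.append(finding("HIGH", d["name"], f"firmware last patched {age} days ago (SLA {PATCH_SLA_DAYS})"))
        if not d["syslog_forwarded"]:
            out.append(finding("MEDIUM", d["name"], "no log forwarding: device activity is not monitored"))
    return out


def audit_privileged_accounts(accounts, today=AUDIT_DATE):
    """Step 4: MFA on privileged access, no stale accounts, no IT+OT credentials."""
    out = []
    for a in accounts:
        if not a["mfa"]:
            out.append(finding("HIGH", a["name"], "privileged access without multi-factor authentication"))
        idle = (today - a["last_login"]).days
        if idle > STALE_ACCOUNT_DAYS:
            out.append(finding("MEDIUM", a["name"], f"stale: no login for {idle} days"))
        if a["scope"] == "all":
            out.append(finding("HIGH", a["name"], "credential valid in both IT and OT zones"))
    return out


def audit_boundary_rules(rules):
    """Step 3: every path into an OT zone is brokered and service-restricted."""
    out = []
    for r in rules:
        if not r["dst"].startswith("ot-"):
            continue
        name = f'{r["src"]} -> {r["dst"]} ({r["service"]})'
        if not r["via_jump_host"]:
            out.append(finding("HIGH", name, "direct IT-to-OT path not brokered by a jump host"))
        if r["service"] == "any":
            out.append(finding("HIGH", name, "unrestricted service between IT and OT"))
    return out


def run_audit():
    """All findings, highest severity first."""
    findings = (audit_edge_devices(EDGE_DEVICES)
                + audit_privileged_accounts(PRIVILEGED_ACCOUNTS)
                + audit_boundary_rules(BOUNDARY_RULES))
    order = {"HIGH": 0, "MEDIUM": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["subject"]))


if __name__ == "__main__":
    for f in run_audit():
        print(f'{f["severity"]:6} {f["subject"]:40} {f["message"]}')
```

On the constructed data the satellite terminal and the ops-admin account come back clean, while the perimeter firewall (exposed management, 168 days unpatched), the pier router (default credentials, unmonitored), the vendor account (no MFA, stale, valid in both zones) and the two unbrokered IT-to-OT rules are reported. The same checks are the ones worth running as a recurring job rather than once: a device that was monitored last quarter and is not this quarter is exactly the kind of drift that creates the structural detection gap the briefing describes.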

Regulatory and Strategic Implications

[Figure: Strategic Exposure Is Becoming a Maritime Governance Issue]

The regulatory framework was not designed for a threat of this character. IMO MSC-FAL.1/Circ.3, IACS UR E26 and E27, and NIS2 were all developed with criminal ransomware operators and opportunistic state-sponsored espionage campaigns in mind. Volt Typhoon represents a different category: a patient, persistent, pre-conflict positioning campaign by a state actor that has explicitly acknowledged [in diplomatic back-channels if not public statements] that its purpose is to deter American military intervention in a Taiwan scenario.

That category requires a regulatory response that the maritime industry has not yet received. Current maritime cyber governance does not yet provide operational doctrine for confirmed state-sponsored pre-positioning inside maritime infrastructure. There is no classification society requirement for the threat hunting disciplines that Volt Typhoon detection requires. There is no mandatory reporting framework that would require a maritime organisation to disclose the discovery of Volt Typhoon access to flag state or port state control authorities.

NIS2 comes closest: its mandatory 24-hour reporting requirement for significant incidents and its supply chain security obligations provide a framework within which Volt Typhoon discovery would need to be reported in EU jurisdictions. But NIS2 does not reach the full scope of maritime infrastructure that Volt Typhoon is targeting, and its implementation remains uneven across member states.

The deeper strategic implication is one that the maritime industry needs to absorb as a collective: the shipping industry is not a neutral party in the geopolitical competition between major powers. It is logistics infrastructure. It is the network through which military mobilisation and economic pressure are both conducted. Pre-positioning inside maritime infrastructure is not an attack on a shipping company. It is an attack on the logistics capacity of the alliance that shipping company operates within.

That reframe has significant implications for how maritime organisations engage with national security agencies, how they approach intelligence sharing, and how they prioritise the security investments that protect not just their commercial operations but the broader strategic environment that makes those operations possible.



The Volt Typhoon campaign is one of the most strategically significant cyber threats ever documented against maritime infrastructure. It is not the most immediately visible; it is designed to be invisible. It is not the most operationally disruptive today; it is designed to be disruptive at a moment of Beijing’s choosing. It is not targeting data; it is targeting the ability to function.

By pre-positioning cyber threats within critical infrastructure networks, Volt Typhoon was poised to launch destructive cyberattacks of immense proportions. CISA confirmed that the group compromised critical infrastructure organizations in communications, energy, transportation systems, and water and wastewater systems. CongressGov

Transportation. Maritime is in that target set. It has been since 2021.

The maritime industry has built its cyber risk awareness around threats that announce themselves:

  • Ransomware that encrypts and demands
  • GPS spoofing that distorts navigation
  • Phishing that seeks immediate credentials
  • DDoS that overwhelms systems.

Volt Typhoon does none of these things. It waits. It maps. It holds access. And it is prepared to act at the moment when that access would have maximum strategic value. Which is precisely the moment when the maritime industry would be least able to absorb the disruption.

The Hormuz crisis gave the industry a live demonstration of what maritime hybrid warfare looks like when a determined state actor decides to weaponise a shipping chokepoint. The Taiwan scenario [with documented pre-positioned cyber access inside the maritime logistics infrastructure that would be essential to any response] raises that risk by an order of magnitude.

The question for every maritime organisation operating in the Indo-Pacific, connected to US-aligned logistics infrastructure, or serving as a node in the semiconductor supply chain, is not whether Volt Typhoon has them in its target set. The question is whether they are already inside and whether the organization would know.

Based on everything the intelligence tells us: many would not.


Maritime Cyber Threat Briefing is an independent series covering cyber threats, vulnerabilities, and risk management across the global maritime industry. It is published by Alexandros Engelen, a Cybersecurity Strategist, specializing in maritime cyber risk.

Sources: CISA Advisory AA24-038A, CISA China Threat Overview 2026, CISA ODNI 2026 Annual Threat Assessment, CISA Strengthening Resilience Against PRC Cyber Threats, Microsoft Security Blog [Volt Typhoon original disclosure], FBI Director Wray Congressional testimony January 2024, MITRE ATT&CK Group G1017, The Record / Recorded Future News [CISA RSA Roundtable], Industrial Cyber [IISS Volt Typhoon analysis], HSToday [Volt Typhoon critical infrastructure], Cybelangel [Volt Typhoon 2026 Active Report], Cyberwarzone [Volt Typhoon pre-positioning campaign], Georgetown SCS [Volt Typhoon infrastructure analysis], CYFIRMA [Taiwan cyber threat landscape], FDD [Chinese coercion Taiwan energy], Asia Times [China Taiwan quarantine strategy], NJCCIC Volt Typhoon analysis, Institute for Security and Technology [Cyber Redlines], Eclypsium [Chinese APT campaigns], CYDOME 2026 Maritime Cyber Trends Report, CYTUR 2026 Maritime Cyber Threat White Paper.

No commercial relationship exists with any cited organisation.