
Researchers warn Volt Typhoon still embedded in US utilities and some breaches may never be found

U.S. military and law enforcement officials have been on a dedicated mission for nearly three years to uncover and root out hackers who breached water and power companies in key locations across the country. But a new report suggests that many of these attacks on U.S. critical infrastructure may never be found.

Operational technology firm Dragos, which has helped multiple critical infrastructure organizations investigate compromises by Chinese hackers connected to the Volt Typhoon operation, said in its annual report published this week that the group continued to attack U.S. utilities through 2025 and remains active despite increased scrutiny.

Rob Lee, the company’s chief executive, told reporters last week that “they're still very active, and they're still absolutely mapping out and getting into embedding in U.S. infrastructure, as well as across our allies.” 

When asked by Recorded Future News whether Volt Typhoon could ever fully be removed from all U.S. utilities that have been attacked so far, Lee said there are sites compromised by the group in the U.S. and in NATO countries that “we will never find.”

The group’s goal, according to U.S. authorities, is to pre-position hackers on operational technology networks so destructive cyberattacks could be launched in an effort to slow any U.S. military mobilization. Lee said they focus on strategically important targets and find ways to maintain long-term access.

Lee noted that many of the regulations being issued by the U.S. government over the next three to five years will help companies find Volt Typhoon compromises. Several of the largest electricity companies currently do have the ability to find and root out Volt Typhoon actors. 

But for other critical public utilities that are being attacked, like those in the water sector, it is likely they will never reach the level of sophistication where they would be able to find and remove Volt Typhoon compromises. 

“Is it possible to go look in those companies? Sure it is. Are they ever going to get there? No, not at all. In my assessment…we're going to have to live with the reality that a portion of our infrastructure is currently compromised and will remain compromised at the current trajectory of the community.”

China has denied any involvement in the Volt Typhoon compromises but evidence of Volt Typhoon hackers was found hidden in U.S. critical infrastructure in Guam and near other U.S. military bases with the intent of slowing any potential mobilization of forces. 

The total number of Volt Typhoon victims is unknown and, when pressed, U.S. officials said any number given “is likely an underestimate.”

SYLVANITE handoffs

Dragos researchers also highlighted another group they said gained initial access to utilities before handing it off to Volt Typhoon for further activity. 

That group, which Dragos calls SYLVANITE, was seen targeting operational technology systems across North America, Europe, South Korea, Guam, the Philippines and Saudi Arabia. The group gained initial access to organizations in the oil and gas, water, power generation, transmission and manufacturing industries.

“In other words, this is not the team that's going in and causing an effect. It's not the team trying to gain long term access but it is a team working with or for [Volt Typhoon] that is going and developing the access, getting them in, knocking down the door to hand it over to [Volt Typhoon],” Lee said.

Dragos experts attributed several recent high-profile vulnerability exploitation campaigns to Volt Typhoon and SYLVANITE, including bugs involving widely used tools from Ivanti and the Trimble Cityworks GIS asset management software. The federal cyber defense agency ordered all agencies to immediately patch the Trimble Cityworks bug one year ago, and cybersecurity firms later confirmed that Chinese hackers used it to breach multiple local governments.

Dragos said the breaches gave Volt Typhoon hackers access to data that enables “adversaries to plan precise, disruptive attacks on electric and water utilities.”

“U.S. based utilities and municipalities often rely on GIS data for infrastructure operations, but this information can be weaponized by adversaries for future ICS intrusions,” Dragos said. 

Throughout 2025, Volt Typhoon’s operations “reflect a shift toward not only collecting and exfiltrating data from IT networks but also directly interacting with OT network-connected devices and stealing sensor and operational data,” Dragos said.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.