CyberCX has released its annual Digital Forensics and Incident Response Year in Review Report for 2023 

What Volt Typhoon could mean for your organisation

Threat Advisory

Published by CyberCX Intelligence on 1 June


Last week, Australia and New Zealand joined Five Eyes partner countries in calling out a Chinese nation-state actor – known as “Volt Typhoon” – for targeting US critical infrastructure. The cyber campaign was stealthy and designed for persistence. While one aspect of the campaign was espionage, Microsoft assessed [1] that Volt Typhoon was seeking capability to disrupt communications between the US and Asia in a future crisis scenario.

There are no known Australian or New Zealand victims of this campaign. But the joint government advisory warned that Volt Typhoon could target a range of critical infrastructure sectors in a range of countries. CyberCX’s standing assessment is that nation-state actors will almost certainly target Australian or New Zealand critical infrastructure organisations for espionage purposes as well as prepositioning for disruption or sabotage.

What does the recent Volt Typhoon attribution mean for my organisation?

This attribution is a stark reminder of the scale and persistence of nation-state cyber threats to critical infrastructure. In recent months, cyber security conversations in Australia and New Zealand have been dominated by threats to data confidentiality, following a spate of high-profile cyber extortion attacks by cyber criminals. Now is a good time to (re)widen the lens.

Governments have long warned about the risk of nation-state prepositioning in critical infrastructure. But this is the first time that Australia or New Zealand has publicly attributed behaviour associated with pre-positioning for sabotage to a Chinese nation-state actor. This reflects government’s concern about cyber infrastructure targeting and our region’s worsening cyber threat landscape.

 What should we do now?

CyberCX has already acted to protect our managed service customers, including by conducting threat hunts across their environments for indicators of Volt Typhoon. Here are four priority considerations we are recommending across our customers and which we can help you with.

  1. Detect threats. While criminal attacks are often noisy by design, nation state threats are harder to detect. This campaign involved sophisticated and stealthy activity, including hands-on-keyboard ‘living off the land’ techniques to evade detection. The best way to detect this type of activity is a compromise assessment or ‘threat hunt’.
  2. Prepare to defend against threats. We can test how vulnerable your organisation is to a threat actor, like Volt Typhoon, by emulating their tactics and techniques. CyberCX has delivered hundreds of purple team engagements across Australia and New Zealand, allowing us to build up a detailed library of MITRE ATT&CK tactics and techniques across a range of threat actors, enriched by detailed testing data.
  3. Understand your threat profile. Specialist intelligence services can help you understand the intent and capability of threat actors like Volt Typhoon to target your organisation. Our intelligence experts know today’s threat landscape, but they also track the geopolitical triggers that affect the scale and tempo of nation-state activity in future.
  4. Review critical infrastructure frameworks. The implementation deadlines to changes to Australia’s Security of Critical Infrastructure (SOCI) Act 2018 are fast approaching. These changes are an essential benchmark but not a panacea, especially for nation-state threats. SOCI is also designed to be adaptable – organisations which have been, or are likely to be, declared ‘systems of national significance’ under the Act should expect more change from government, as it grapples with this latest development. Now is a good time to review your broader cyber security maturity and strategy for uplift.


For more information, and to stay a step ahead, you can contact CyberCX for more information here.


Contact us


[1] Microsoft made this assessment with moderate confidence.

Ready to get started?

Find out how CyberCX can help your organisation manage risk, respond to incidents and build cyber resilience.