0.0
For at least five years, hackers working for
3.12
the Chinese state have been inside America's power
6.139
grid.
6.86
They have been inside the water systems, the
9.619
pipelines, the ports,
11.24
the communications networks that would carry military orders
14.64
across the Pacific.
16.519
And in all that time, they have stolen
18.94
almost nothing.
20.62
That is not good news.
23.019
That is the single most alarming detail in
26.1
the entire case.
28.899
Because an intruder who breaks into your house
31.62
and takes the television is a burglar.
34.32
You know what he wanted.
35.899
You know it is over.
37.619
An intruder who breaks in, takes nothing, memorizes
41.619
the fuse box, copies the keys,
43.88
and quietly comes back every few months for
46.659
five years.
47.479
That is something else entirely.
49.679
That is not theft.
51.299
That is rehearsal.
53.64
This is Fragment Zero, Case File 46.
56.96
Case File 47.
57.32
Volt Typhoon.
59.179
The army that was already inside.
61.799
The story surfaces on May 24, 2023.
66.739
Microsoft publishes a report naming a new threat
69.799
actor, Volt Typhoon.
71.859
State-sponsored.
73.76
Operating out of China.
75.459
Active by Microsoft's telemetry since the middle of
78.859
2021,
79.719
which means that by the day the world
81.879
first heard the name,
83.159
the operation was already two years old.
86.099
The report says,
86.959
The report contains one detail that makes intelligence
89.219
officials sit up.
90.579
Among the targets, communications, manufacturing, utilities, transportation, maritime,
96.0
government,
96.739
one location keeps recurring.
99.04
Guam.
100.04
A small island in the western Pacific that
103.14
happens to be the hub of American military
105.079
power in the region.
106.54
The bombers are there.
107.939
The submarines are there.
109.739
And the island's only power utility,
112.079
the company that keeps the naval base running,
114.56
the Navy is its single biggest customer,
116.959
would later be reported as one of the
119.319
places Volt Typhoon had been.
122.08
Microsoft's assessment, in its own careful words,
125.04
the campaign was pursuing capabilities that could disrupt
128.599
critical communications infrastructure between the United States and
132.199
Asia,
132.78
quote,
133.4
during future crises.
135.419
American officials and the reporting that followed were
138.68
less careful.
139.46
They named the crisis they had in mind.
142.0
It is the one that begins with an
143.9
invasion of Taiwan.
146.96
The same day as Microsoft's report,
149.5
the National Security Agency, CISA, the FBI, and
153.699
their counterparts in Britain, Canada, Australia, and New
157.02
Zealand,
157.599
the full Five Eyes alliance, published a joint
160.939
advisory.
161.719
It explained how an operation like this stays
164.699
invisible for years.
166.24
The answer is that Volt Typhoon barely uses
169.74
hacking tools at all.
171.159
The technique is called living off the land.
174.52
No malware.
175.539
No implants.
176.24
No suspicious files for an antivirus to find.
179.68
The intruders log in with stolen credentials,
182.62
and then use the computer's own built-in
185.08
administrative tools.
186.419
The same commands your IT department runs every
189.439
day.
190.039
PowerShell.
190.9
Network utilities.
192.62
Backup tools that ship with Windows itself.
195.96
To every monitoring system,
198.159
Volt Typhoon looks like a system administrator doing
200.96
routine work.
201.979
Because technically, that is exactly what it is.
205.36
The ultimate goal of Volt Typhoon,
206.24
and the only thing wrong,
207.24
is who is typing.
208.84
And the traffic never seems to come from
211.599
China.
212.159
Before touching a target,
213.719
it is routed through a curtain of hacked
215.639
home and small office routers across the United
218.28
States.
219.139
Aging Cisco and Netgear boxes,
221.719
the kind sitting on a shelf in a
223.599
million home offices,
225.039
long past their last security update.
227.62
To the power company's logs,
229.52
the intrusion looks like a connection from a
231.68
house down the road.
233.4
Researchers at Lumen,
234.699
who mapped that router network,
236.439
gave it a name.
237.3
The KV Botnet.
238.939
It had been running since at least February
241.34
2022.
244.4
Inside a network,
245.919
the patience is almost geological.
248.719
The federal advisory that followed reconstructs the method
252.58
step by step.
253.819
The intruders enter through a flaw in some
256.66
internet-facing appliance.
258.36
A firewall.
259.48
A VPN gateway.
260.879
They steal an administrator's credentials.
262.98
Then they walk,
264.459
quietly,
265.1
to the most valuable object in any corporate
267.56
network,
268.279
the domain controller.
269.54
The machine that holds the master file of
272.199
every username and password hash in the organization.
275.759
They copy that file using Windows' own backup
278.86
mechanism,
279.8
carry it out through the router curtain,
281.819
and crack the passwords offline,
283.86
at leisure.
284.879
From that moment,
286.279
they no longer need to hack anything.
288.3
They simply log in.
290.3
As anyone they want.
291.819
In one documented compromise,
295.12
investigators found Volt Typhoon had returned to harvest
298.72
that password file from three separate domain controllers
301.68
across four years.
303.339
Not to take data.
304.839
To keep their keys current.
306.74
In a water utility,
308.5
the advisory describes the intruders moving patiently toward
312.079
the operational side of the network,
314.16
the systems that touch physical equipment,
316.639
over nine months.
317.74
In some facilities,
319.22
they were observed testing access to industrial equipment.
321.819
In some facilities,
322.0
they were observed testing access to industrial control
322.18
systems,
322.939
using the default passwords the equipment shipped with.
325.759
Passwords nobody had ever changed.
329.759
If you are picturing the victims as fortress-like
333.139
federal installations,
335.379
adjust the picture.
337.58
Littleton, Massachusetts.
339.319
Population,
340.019
roughly 10,000.
341.6
Its electric and water departments serve the town
344.62
and its neighbor.
345.68
A public utility so small its security was,
348.879
for a long time,
349.839
whatever came in the box.
351.519
Around Thanksgiving of 2023,
354.259
the FBI notified the utility of a problem.
357.259
The subsequent investigation,
359.399
published by the industrial security firm Dragos,
362.319
concluded the intruders had been inside for around
365.3
300 days.
366.839
Ten months.
368.139
Inside the water and power systems of a
370.839
town most Americans have never heard of.
373.279
And that is the point.
375.0
The strategy was never only about the giants.
378.019
The Washington Post, citing
379.839
officials,
380.56
counted roughly two dozen compromised critical entities in
384.18
a single year.
385.079
A water utility in Hawaii.
387.0
A major West Coast port.
389.079
An oil and gas pipeline.
391.139
An attempted breach of the operator of the
393.319
Texas power grid.
394.56
Not the targets of a thief.
396.62
The shopping list of a war planner.
400.6
By February 7th,
402.54
2024,
403.54
the United States government stopped using the language
406.5
of espionage altogether.
407.6
A new joint advisory stated the conclusion in
411.759
plain text.
412.779
The actors were maintaining footholds in victim networks,
416.139
quote,
416.68
for at least five years.
418.68
And the purpose,
420.04
in the government's own words,
421.74
was to pre-position for disruptive or destructive
424.519
cyber attacks against U.S.
426.279
critical infrastructure
427.52
in the event of a major crisis or
429.72
conflict with the United States.
431.74
Pre-position.
432.939
Not listen.
434.019
Not steal.
435.06
Wait.
435.839
A week earlier,
437.019
FBI Director Christopher Wray had said it without
440.079
the bureaucratic varnish,
441.459
testifying that Chinese state hackers were positioning to,
444.86
quote,
445.68
wreak havoc and cause real-world harm to
448.48
American citizens and communities.
450.779
Water treatment plants.
452.3
The electrical grid.
454.04
Pipelines.
455.18
Transportation.
456.8
He added a number that should have ended
459.5
the news cycle,
460.379
and somehow did not.
462.3
If every single FBI cyber agent and analyst
465.92
worked the China threat and nothing else,
468.5
Chinese state hackers would still outnumber them at
471.6
least 50 to 1.
472.98
A month later,
474.3
the White House National Security Advisor
476.379
and the head of the Environmental Protection Agency
478.92
did something almost unprecedented.
481.319
They wrote to the governor of every American
483.759
state,
484.5
warning that Volt Typhoon had compromised infrastructure,
488.48
including drinking water.
491.74
The counterattack,
493.319
when it came,
494.24
was strange and surgical.
495.92
In December 2023,
498.56
a federal court quietly authorized the FBI
501.519
to do something with very little precedent,
504.22
reach into hundreds of infected home routers across
507.12
America,
507.879
devices owned by ordinary citizens
510.259
who had no idea their hardware was a
512.6
foreign military asset,
514.019
and delete the botnet from the inside.
516.559
The operation worked.
518.399
The KV botnet's American curtain was torn down
521.899
in a single coordinated action
523.799
announced at the end of January,
525.919
2024.
527.6
And then,
528.399
the fine print.
529.519
The fix was temporary.
531.1
The routers were end of life,
532.72
too old to patch.
534.0
Reboot one without remediation
535.84
and it could simply be infected again.
537.879
The FBI had won a battle against hardware
540.46
that nobody,
541.419
anywhere,
542.039
was responsible for defending.
543.799
By the following autumn,
545.62
security researchers watched the rebuild begin.
548.96
Within 37 days,
550.62
the operators had compromised roughly a third
553.279
of all matching Cisco routers exposed
555.919
on the internet,
556.74
anywhere in the world.
558.639
You cannot arrest a methodology.
562.54
What followed reads like the second act of
565.399
a thriller,
565.94
except every beat is sourced.
568.179
Summer 2024,
570.08
Volt Typhoon burns a zero-day in Versa Director,
573.7
software that internet providers use
576.08
to manage entire customer networks,
578.659
planting a custom web shell that antivirus engines
581.98
scored zero detections against.
584.019
The target class this time,
585.919
the service providers themselves,
587.98
the trunk of the tree rather than the
589.74
branches.
590.84
November,
591.559
Bloomberg reports a breach at Singapore Telecommunications,
595.059
malware found sitting in listening mode.
597.679
Sources describe it as a test run.
600.36
December,
601.259
Geneva,
602.019
at a closed-door summit.
603.7
According to the Wall Street Journal,
605.559
Chinese officials offered remarks so indirect and ambiguous
609.639
that the American delegation walked away convinced
612.699
they had just heard something extraordinary.
614.84
What they interpreted as a tacit acknowledgement of
618.24
the campaign
618.74
tied to American support for Taiwan.
621.7
Beijing publicly denies all of it.
624.659
And in February 2026,
627.279
the firm that worked the Littleton case
629.62
reported the campaign simply never stopped,
632.82
through 2025,
634.72
into the present.
636.12
Its chief executive added the sentence
638.84
that this entire case file has been building
641.6
toward.
642.299
Some of the compromised sites, he said,
644.84
we will never find.
647.519
So here is where this case file leaves
650.759
you.
651.48
Salt Typhoon.
652.779
Case File 43 in this archive
655.08
was China's ear inside American telecommunications.
659.08
It listened.
660.22
It stole the most sensitive conversations in the
663.179
country.
664.139
Espionage,
664.96
ancient as states themselves,
666.919
executed brilliantly.
669.0
Volt Typhoon steals nothing.
670.94
It is not an ear.
672.379
It is a hand,
673.62
resting on the master breaker of American daily
676.48
life,
677.08
applying no pressure at all.
679.0
The strategists call it pre-positioning.
681.86
The honest translation is this.
684.019
If a war begins in the Pacific,
686.12
the first American casualties may not be soldiers.
689.259
They may be water pressure,
691.059
rail switching,
692.059
port cranes,
692.86
and the lights in 10,000 towns like
695.019
Littleton,
695.6
a society discovering,
697.299
in its first hour of crisis,
699.299
that its own infrastructure has been rehearsing against
702.039
it for years.
702.879
The lights are on tonight.
705.22
The water runs.
706.519
The intruders,
707.7
by every official assessment,
709.539
are still there,
710.48
patient,
711.32
credentialed,
712.12
indistinguishable from the staff.
714.1
For five years,
715.48
the question was whether anyone was inside America's
718.58
grid.
719.24
That question is answered.
721.379
The question that remains is the one no
724.019
advisory can close.
726.019
What else have they found that we will
728.34
never find?
731.019
This has been Fragment Zero,
732.86
Case File 47,
734.94
Volt Typhoon.
736.82
The Blackout,
738.1
if it ever comes,
739.179
was installed years in advance.