The actor that does not steal.
Volt Typhoon, the kill-switch reservist, and why detection-first cyber doctrine is the wrong posture for the next decade.
Prologue. The dial has moved.
In every doctrine of cybersecurity written between 2010 and 2024, the adversary was assumed to be loud and motivated by data. The People's Liberation Army Strategic Support Force has politely declined to be either of those things.
Volt Typhoon is the operator codename. The doctrine behind it has a different name in every Western reporting language; the substance is the same. China has stopped trying to read your mail. China is in your circuit breakers, your water valves, your fibre muxes, and the residential routers that sit between you and the public internet. It has been there for years. [1]
The Cybersecurity and Infrastructure Security Agency, alongside the National Security Agency and Federal Bureau of Investigation, issued a supplementary advisory in February 2026 noting intensified activity in the Water and Communications sectors specifically. The advisory does not say stop reading email. It says evict from the operational technology environment. That is a different verb, and a different war. [1]
The thesis.
Espionage is read by an analyst. Prepositioning is read by a war planner. Confusing the two is the central error in current Western cyber doctrine, and it is making us slower than the adversary precisely where speed is the only currency.
The adversary that lives in your routers for five years is not a hacker. It is a reservist. The Western framing of cyber as crime assumes a perpetrator who wants to leave with something. The Eastern framing of cyber as artillery assumes a unit that wants to be in place when the call comes. The defender that builds for the first encounters the second and discovers that none of the alarm bells were wired for the right event.
What the numbers actually say.
The European Union Agency for Cybersecurity (ENISA) catalogued 4 875 reportable incidents in the EU between July 2024 and June 2025, a step-change increase over prior periods. Hacktivist clusters dominate the absolute count by hitting availability. State-aligned threats, much smaller in volume, are the share that moves the strategic dial because they hit the control surface. [3]
Mandiant's M-Trends 2025, drawing on roughly 450 000 hours of incident response engagements, found median dwell time globally at 10 days. The same dataset reports Chinese-state-aligned campaigns operating with median dwell times an order of magnitude longer, and specific Volt Typhoon engagements documented at more than 300 days inside operational technology environments. The gap between dwell time as a KPI and dwell time as an adversary objective is the operational story. [2]
Microsoft's threat intelligence team, which maintains the Vanguard Panda designator for the same actor, has published telemetry showing Volt Typhoon's pivot from initial compromise via SOHO routers (the KV-botnet, with hundreds of thousands of compromised end-of-life devices serving as anonymisation infrastructure) to in-place persistence using only signed Windows utilities. [4]
The KV-botnet itself is worth a beat of attention. The Department of Justice authorised a court-supervised takedown in early 2024 covering hundreds of compromised Cisco and Netgear small-office routers, the majority end-of-life and unpatched. Within weeks of the takedown, the operator reseeded an equivalent volume from a different OEM lineup. The lesson is uncomfortable. Removing infrastructure from an actor that recruits residential routers as a renewable resource is not removal. It is rate-limiting. [9]
That last point is the one most often missed about Volt Typhoon. There is no malware to find. There is no payload. There are only logs, and the logs are clean because the commands are legitimate.
Living off the land.
The technique stack is unglamorous, which is part of the design. The actor uses signed Microsoft binaries, executed in sequences a system administrator would run on a normal Tuesday. The sequence, not the binary, is the intrusion.
Detection-first defence, which dominated the 2010s, assumes the adversary is loud. Loud adversaries write malware. Quiet adversaries do not. The defender that runs an EDR product with default rules will see precisely nothing in a Volt Typhoon engagement, because the EDR's signatures key off behaviours the actor specifically does not exhibit.
Endpoint detection that fires on legitimate administrative tools also burns out the analyst within a month, which is why detection thresholds get tuned permissive, which is why the actor can run for years. There is a recursive comedy to this that the actor has presumably noticed.
What works: privileged-access management with cryptographically enforced session boundaries; segmentation that does not assume the network perimeter is meaningful; out-of-band logging with retention measured in years; and the assumption, baked into architecture, that any given device on the operational network is presumptively hostile. None of this ships as a SKU. All of it requires the defender to own the design.
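The point in the passage above is that the unit of detection has to be the sequence, not the binary. The following is an added illustration of that idea, not code from the article or from any EDR product. It assumes a minimal process-creation event format (timestamp, host, logon session, image path) of the kind an endpoint agent or a Windows process-audit event would supply; the field layout, the tool list and the sample events are constructed for the example. Rather than alerting on any single signed administrative tool (which is the burn-out path described above), it alerts only when one logon session runs several distinct administrative tools inside a short window.

```python
"""Sequence-based detection over constructed process-creation events (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Signed, legitimate administrative binaries. Any one execution is routine on an
# admin's normal Tuesday; the detector keys on a cluster of distinct ones from a
# single logon session. The set is an illustrative assumption, not an advisory list.
ADMIN_TOOLS = {
    "netsh.exe", "ntdsutil.exe", "wmic.exe", "nltest.exe", "vssadmin.exe", "ldifde.exe",
}
WINDOW = timedelta(minutes=30)   # time span in which the cluster must occur
THRESHOLD = 3                    # distinct admin tools needed to fire

# Constructed event format; real agents emit richer records, but these fields suffice.
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) logon=(?P<logon>\S+) image=(?P<image>.+)$")

# Constructed sample telemetry. Session 0x3e7a on ot-hmi-01 runs three distinct tools
# within 17 minutes; session 0x51c0 on eng-ws-02 runs netsh twice and vssadmin hours later.
CONSTRUCTED_EVENTS = [
    r"2026-02-11T08:00:10Z host=eng-ws-02 logon=0x51c0 image=C:\Windows\System32\netsh.exe",
    r"2026-02-11T08:05:44Z host=eng-ws-02 logon=0x51c0 image=C:\Windows\System32\netsh.exe",
    r"2026-02-11T09:14:02Z host=ot-hmi-01 logon=0x3e7a image=C:\Windows\System32\nltest.exe",
    r"2026-02-11T09:15:30Z host=ot-hmi-01 logon=0x3e7a image=C:\Windows\explorer.exe",
    r"2026-02-11T09:20:11Z host=ot-hmi-01 logon=0x3e7a image=C:\Windows\System32\wbem\wmic.exe",
    "this line is malformed and must be skipped, not crash the detector",
    r"2026-02-11T09:31:48Z host=ot-hmi-01 logon=0x3e7a image=C:\Windows\System32\netsh.exe",
    r"2026-02-11T14:02:05Z host=eng-ws-02 logon=0x51c0 image=C:\Windows\System32\vssadmin.exe",
]


def parse_event(line):
    """Parse one constructed event line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    image = m["image"].rsplit("\\", 1)[-1].lower()   # keep only the file name
    return {"ts": ts, "host": m["host"], "logon": m["logon"], "image": image}


def find_admin_tool_clusters(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert (host, logon, sorted tool names) per logon session that
    executes at least `threshold` distinct admin tools within `window`."""
    events = [e for e in map(parse_event, lines) if e and e["image"] in ADMIN_TOOLS]
    events.sort(key=lambda e: e["ts"])
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["host"], e["logon"])].append(e)

    alerts = []
    for (host, logon), evs in by_session.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["image"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append((host, logon, sorted(distinct)))
                break   # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for host, logon, tools in find_admin_tool_clusters(CONSTRUCTED_EVENTS):
        print(f"ALERT {host} logon={logon}: {len(tools)} admin tools in {WINDOW}: {', '.join(tools)}")
```

Run against the constructed events, only the ot-hmi-01 session fires; the engineering workstation that runs netsh twice and vssadmin six hours later does not, which is the behaviour that keeps the analyst from being paged on every routine change. In production the same logic belongs in the SIEM over out-of-band logs, so that the window can be widened to days without depending on the endpoint the actor already controls.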
Sector heatmap. Where the prepositioning sits.
The CISA February 2026 supplementary advisory specifies intensified activity in Water and Communications, with the existing Energy and Transportation footprints unchanged. The matrix below maps actor presence (P), reconnaissance depth (R), persistence mechanism (M) and disruption readiness (D) per sector, drawing on the joint advisory and Mandiant case data. [1][2]
The financial sector reads cool because financial institutions have spent two decades hardening privileged identity in ways the rest of critical infrastructure has not. Out-of-band logging with multi-year retention sits alongside the identity layer; together they define a defensive posture that makes living-off-the-land techniques structurally noisy. The lesson is portable. The funding model that made it portable is not.
Germany as a stress test.
The BSI-Lagebericht 2025, the annual threat report of the Bundesamt für Sicherheit in der Informationstechnik, contains a number that should arrest anyone reading this. Forty-eight percent of surveyed German organisations operate AI-driven systems without functional detection capability for adversarial activity against those systems. The systems are deployed; the means of seeing what is happening to them is not. [5]
Add the Network and Information Security Directive 2 (NIS2), which the BSI enforces in Germany. Operators of essential services are required to register with the BSI by March 2026. As of the date of this study, the deadline has passed and a meaningful share of obligated entities have not registered, in part because the criteria are operationally unclear, in part because registration triggers reporting obligations the entities are not staffed for. [6]
The European Union's regulatory response to a long-dwell, patient adversary is, predictably, a long-dwell, patient regulation. Negotiation takes years; transposition into Member-State law takes years on top; enforcement takes years on top of that. The adversary's planning horizon comfortably outlasts the regulator's.
Spain's posture is instructive in a quieter way. INCIBE-CERT, the national operational CERT housed inside the Instituto Nacional de Ciberseguridad in León, has reported a sustained year-on-year increase in incidents against operators of essential services since 2022, with critical sectors absorbing a structurally higher share of state-aligned activity than commercial sectors. The transposition of NIS2 into Spanish law has progressed faster than in several northern Member States, but the operator-side staffing gap between obligated entities and skilled defenders mirrors the German pattern. The adversary does not require a regulatory consensus to operate. The defender does.
The libertarian read.
The strategic implication is, awkwardly for the regulatory consensus, a libertarian one. Centralised state response is too slow for the time-scales that matter. The Member State that takes seven years to write a directive cannot defend infrastructure against an actor with a five-year prepositioning horizon. The regulator at the supranational level cannot, in the operational sense, write a single line of detection logic.
What works against prepositioning is decentralisation paired with sovereignty in the architectural sense. A power grid with strong locality, backed by independent storage, is harder to coerce than a continent-wide synchronous interconnection. A residential broadband market with multiple providers and multiple router OEMs is harder to compromise at scale than a duopoly. A building management system that runs on locally controlled identity gives a living-off-the-land actor far less to work with than one tethered to a single-vendor cloud identity provider with global reach.
This is not an argument against regulation. It is an argument that regulation, by its nature, addresses the wrong layer. The layer that needs the work is the architectural one, and architecture is a property of how systems are designed rather than how they are governed. (One can be forgiven for noting that European public policy in technology has discovered, late, that the same logic applies to fab capacity, to frontier compute and to language models. The pattern is consistent.)
What it means for builders.
If you are designing or operating critical infrastructure software in 2026, the operational implications of Volt Typhoon are the following.
Assume the adversary is already inside your environment. The mean time to discovery for a Chinese-state-aligned actor in operational technology is measured in years. The honest defender plans for what the adversary does after the breach, not for the breach. Detection capability for actions inside the environment outranks detection at its perimeter.
Decouple identity from network position. The single most common pivot in a Volt Typhoon engagement is from a low-privilege foothold on the IT network to a high-privilege account on the OT network using nothing more than reused credentials. Identity boundaries that do not depend on network segmentation are the only ones that hold up under the actor's playbook.
Log everything to an environment the adversary cannot reach. Out-of-band, append-only, retention five years minimum. The adversary's window is multi-year; the defender's forensic evidence has to outlast it.
Build for mistrusted infrastructure. Your firmware is hostile. Your cloud provider's control plane is hostile. Your edge router was end-of-life two years ago and the OEM is not patching it. Plan accordingly.
Drop the assumption that you are not a target. Every operator of every essential service is on the prepositioning list. The strategic value of being in a thousand environments dormant for five years is precisely that the adversary does not need to choose which one to activate until the moment of a kinetic crisis.
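The logging recommendation above (out-of-band, append-only, multi-year retention) only pays off if the defender can later prove the retained record was not altered or thinned while the actor sat inside the environment. The following is an added example of the minimal mechanism that gives that proof, a hash-chained log, and is not code from the article or from any logging product. It assumes records are shipped to a store the production network cannot rewrite (a write-only syslog target or an object store with retention lock) and that the current head hash is periodically copied somewhere else again; the record contents are constructed.

```python
"""Hash-chained, append-only log with tamper and truncation detection (added example)."""
import copy
import hashlib
import json

GENESIS = "0" * 64   # the chain starts from a fixed, publicly known value


def entry_hash(prev_hash, seq, record):
    """Bind a record to its position and to everything that came before it."""
    payload = json.dumps(
        {"prev": prev_hash, "seq": seq, "record": record},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode()).hexdigest()


def append(chain, record):
    """Append a record; return the new head hash (what gets anchored off-box)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "prev": prev, "record": record, "hash": entry_hash(prev, seq, record)})
    return chain[-1]["hash"]


def verify(chain, expected_head=None):
    """Recompute every link from genesis.

    Returns (True, None) if intact, otherwise (False, index) of the first entry
    whose position, back-link or hash no longer matches. If the head hash that was
    anchored off-box is supplied, a silently truncated tail is reported as well.
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev or entry_hash(prev, i, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def build_constructed_chain():
    """Four constructed records of the kind an OT gateway would ship out-of-band."""
    chain = []
    for rec in [
        {"ts": "2026-02-11T09:14:02Z", "host": "ot-hmi-01", "event": "logon", "logon": "0x3e7a"},
        {"ts": "2026-02-11T09:20:11Z", "host": "ot-hmi-01", "event": "process", "image": "wmic.exe"},
        {"ts": "2026-02-11T09:31:48Z", "host": "ot-hmi-01", "event": "process", "image": "netsh.exe"},
        {"ts": "2026-02-11T09:40:00Z", "host": "ot-hmi-01", "event": "logoff", "logon": "0x3e7a"},
    ]:
        head = append(chain, rec)
    return chain, head


def demo():
    """Show what each kind of tampering looks like to the verifier."""
    chain, head = build_constructed_chain()
    results = {"intact": verify(chain, head)}

    altered = copy.deepcopy(chain)            # actor rewrites one process record
    altered[2]["record"]["image"] = "explorer.exe"
    results["altered"] = verify(altered, head)

    deleted = copy.deepcopy(chain)            # actor removes the record of interest
    del deleted[1]
    results["deleted"] = verify(deleted, head)

    truncated = copy.deepcopy(chain)[:-1]     # actor drops the tail; only the anchored head reveals it
    results["truncated"] = verify(truncated, head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

Two properties matter here. Alteration and deletion break the chain on their own, so the verifier can point at the first bad entry. Truncation does not, which is why the head hash has to be anchored outside the store on a schedule; the multi-year retention the text calls for is only as good as the oldest anchor the defender can still produce.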
Closer.
The dial moved. Western public discourse is still reading from the old face. The Chronicle's purpose is to read the new one out loud, before the reading becomes urgent.
Sources
- [1] CISA / NSA / FBI · Volt Typhoon Supplementary Advisory · February 2026 · Joint advisory documenting intensified activity in Water and Communications sectors, in-place persistence via signed Windows utilities, and KV-botnet anonymisation infrastructure. blastwave.com/volt-typhoon
- [2] Mandiant M-Trends 2025 · Annual incident response report, ~450 000 IR engagement hours, dwell-time medians, China-nexus prepositioning patterns. cloud.google.com / m-trends-2025
- [3] ENISA Threat Landscape 2025 · 4 875 reportable incidents in the EU between July 2024 and June 2025; state-aligned threats and hacktivist clusters. enisa.europa.eu
- [4] Microsoft Threat Intelligence · Volt Typhoon (Vanguard Panda) · PRC-nexus actor profile, KV-botnet telemetry, living-off-the-land techniques. microsoft.com / threat-landscape
- [5] BSI-Lagebericht 2025 · Bundesamt für Sicherheit in der Informationstechnik · 48 percent of surveyed German organisations operate AI systems without adversarial detection capability. omicroncybersecurity.com (mirror)
- [6] NIS2 implementation Germany · BSI registration deadline March 2026 · Operators of essential services obligated to register; uneven compliance. changeflow.com
- [7] Cyber Threat Intelligence Briefing · Independent analyst commentary on Volt Typhoon doctrine and KV-botnet structure. cyberwarrior76.substack.com
- [8] Industrial Cyber · ENISA 2025 commentary · Coverage of state-aligned and hacktivist threat trajectories in the EU. industrialcyber.co
- [9] Volt Typhoon · open reference · Background on the PLA Strategic Support Force, KV-botnet, US legal seizure orders. wikipedia.org / Volt_Typhoon
