Volt Typhoon – Constructed Intelligence or Defeated Adversary?
In July 2025, NSA officials declared at a New York conference that Volt Typhoon had “failed” to persist quietly in US critical infrastructure.
This statement caused surprise: only a year earlier, Volt Typhoon was described as perhaps the most serious cyber threat to US national security – even a “dress rehearsal” for digital warfare.
So, how did Volt Typhoon go from apocalyptic threat to defeated adversary in less than twelve months?
The answer lies not in operational reality but in the labels and constructs we in threat intelligence use. As Joe Slowik argues in his article The Beginning and Ending of Threat Actors, many so-called “groups” like Volt Typhoon are less entities than constructed intelligence clusters.
1. What is Volt Typhoon?
Volt Typhoon is a term coined by Microsoft to describe PRC-sponsored intrusions into US critical infrastructure.
Unlike other PRC-linked operations (e.g., Salt Typhoon tied to three known contractors or APT41 tied to individuals), Volt Typhoon has no identified unit, contractor, or agency behind it.
Instead, Volt Typhoon is a cluster of behaviors:
- Repeated targeting of critical US sectors.
- Recurrent infrastructure and tool reuse.
- Operational goals aligned with PRC strategic interests.
In other words, Volt Typhoon is not a “group” in the traditional sense – it’s a label for a pattern of activity.
2. Constructed Intelligence
Cyber Threat Intelligence (CTI) often uses actor names like APT28, Sandworm, and Volt Typhoon.
But these are constructs – shorthand to group observable TTPs, not definitive “who” statements.
Joe Slowik explains that CTI tends to be “how-centric”:
- We can cluster behaviors, infrastructure, malware families.
- We rarely have the visibility to pinpoint the exact responsible unit.
In contrast, law enforcement or military attribution is “who-centric”:
- Example: APT28 = Russia’s GRU Unit 26165.
- This kind of attribution requires legal, HUMINT, or classified sources.
Volt Typhoon, therefore, exists only as a behavioral construct, not as a prosecutable entity.
3. Why “Defeat” is Misleading
When NSA officials say Volt Typhoon “failed,” what they mean is:
- Their stealth was compromised.
- Some persistence mechanisms were disrupted.
But the entity behind the construct remains: PRC intelligence and military cyber units.
They will simply adapt tradecraft, shift infrastructure, and continue operations under new patterns.
Thus, “defeating Volt Typhoon” is like beating one round of whack-a-mole. The mole just pops up with a new name.
4. The Real Problem
The focus should not be on whether Volt Typhoon is “defeated,” but on why the intrusions were possible in the first place.
5. Why This Matters
Threat actor constructs can vanish overnight, replaced by new clusters of behavior.
But the mission endures: PRC interest in US critical infrastructure will not disappear.
| Construct | Reality Behind It |
|---|---|
| Volt Typhoon | PRC-linked intrusions into critical infra |
| APT Labels | Clusters of behaviors, not concrete units |
| “Defeat” of group | Detection of some TTPs, not end of mission |
6. The Takeaway
Volt Typhoon teaches us a broader lesson about CTI humility:
- Labels are tools, not truths.
- Defeating TTPs ≠ defeating adversaries.
- Systemic defense > chasing names.
As long as underlying strategic drivers exist, new clusters will emerge.
By recognizing the constructed nature of much of CTI, defenders can focus less on names and more on root causes.
Bottom line:
Volt Typhoon isn’t “dead.” It has simply shifted. The construct disappears, but the mission remains.
Accurate threat intelligence must move beyond catchy labels to structural defense, or we risk fighting shadows while the real adversary moves freely.
Based on Joe Slowik’s article The Beginning and Ending of Threat Actors
Tags: #cti #threatintel #voltTyphoon #constructedIntelligence #cybersecurity