In July 2025, NSA officials at a conference in New York City made a surprising claim:
“The good news is, [Volt Typhoon] really failed. They wanted to persist in domestic networks very quietly for a very long time so that if and when they needed to disrupt those networks, they could. They were not successful in that campaign.”
The remarks, which came with a headline of “Volt Typhoon was ‘not successful’ at persisting in critical infrastructure,” came as quite a shock, as previous comments on Volt Typhoon ranged from indicating that any estimate of intrusions was likely an underestimate to describing the group’s actions as a “dress rehearsal” for the opening stages of World War 3. One might wonder how much changed within a year for Volt Typhoon to go from the greatest cyber threat to US national security to now being “defeated.”
First, we need to parse the precise language being used and its meaning. The statement leading this article from Kristina Walter notes that Volt Typhoon failed in the sense that they wanted to persist in networks very quietly for a long time. Based on public reporting (as well as significant non-public action), Volt Typhoon has not been quiet, or its stealth has at least been compromised. In this sense, the group has indeed failed in that they have been “caught” in (some of) their activity. However, the broader sense of Volt Typhoon operations—People’s Republic of China (PRC)-led cyber intrusions into US critical infrastructure—almost certainly continues to take place. Where matters get tricky is how these items are proceeding, and the nature of just what “Volt Typhoon” really is.
Volt Typhoon is a Microsoft-originating term for PRC-sponsored intrusions into US critical infrastructure. Notably for Volt Typhoon activity, the specific entities behind these operations have not been named or identified beyond having a PRC origin. For example, the similarly concerning Salt Typhoon activity targeting telecommunications has been publicly linked to at least three PRC-based contractors, while other PRC-nexus threat groups such as APT41 have been linked to specific individuals, government organizations, or contractors. No such specific identification has taken place for Volt Typhoon, which makes a statement claiming they have been “defeated” or “failed” interesting, as no specific entity has actually been acknowledged.
Instead, Volt Typhoon becomes a construct: a cluster of linked actions, behavioral tendencies, and targeting preferences tied to PRC interests. When viewed in this manner, Volt Typhoon becomes an entity far more likely to be disrupted or to fail, but only in a trivial sense. As one set of behaviors or intrusion methodologies fails or is identified by defenders, the entities behind Volt Typhoon operations will shift to new tradecraft and new operating techniques to evade detection, resulting in a new cluster of behaviors. In this way, Volt Typhoon disappears into the ether while its mission is taken up by a new construct.
The above captures a difficulty in assigning responsibility to activities between cyber threat intelligence (CTI) measures and more traditional law enforcement, military, and related means of identifying entities (or targets). CTI is generally confined to a perspective where the only relevant (or available) information for identifying a given group is a set of linked behaviors, infrastructure, tools, and targets, as represented in the Diamond Model. Looking at a continuum of attribution outcomes, a CTI perspective aligns more with a “how-centric” perspective instead of a “who-focused” view. From this perspective, a single in-the-world entity may be reflected by multiple behavioral clusters, some of which may fade over time and be replaced by new representations. On the other hand, a “who-oriented” perspective to threat assignment emphasizes precisely the entity responsible for actions: APT28 represents Russia’s GRU 85th Main Special Service Center (85th GTsSS), military unit 26165, for example.
The key implication of this distinction is that threat groups cannot really be defeated, deterred, or countered in the sense in which we typically use these words, as they are reflections or shadows of the underlying entity responsible for their operations. Looking at our Volt Typhoon cluster of actions, defenders and policymakers may be able to come up with mechanisms to block or otherwise mitigate these activities—but the entity behind them will simply shift methodologies to continue operations in ways that evade the new defenses. The result is a constant sequence of coevolution between adversaries and defenders, with limitations in defender visibility producing multiple views of how a specific adversary “looks” at any given time.
So long as the PRC has a significant military and strategic interest in probing, compromising, and potentially staging capabilities within US critical infrastructure, Volt Typhoon-like activities will not cease. US authorities may succeed in neutralizing certain approaches to these goals over time (and in the case of Volt Typhoon operations, this success is highly debatable given available public and non-public information), but other forms and methods will emerge to replace them.
As such, premature declarations of victory and success must be appropriately couched to show that while some methods have been identified and countered, others exist and will be adopted by motivated threats. The “style” of operation represented by Volt Typhoon may be notionally defeated, but the entity behind these actions remains, and remains motivated to succeed in its mission. By acknowledging this, we can refocus attention from combatting symptoms (e.g., targeting specific documented examples of Volt Typhoon tradecraft) to dealing with root causes (e.g., poorly segmented and too easily accessible industrial networks, lack of visibility in critical infrastructure environments, and similar). Only by shifting the discussion of defense from defending against particular threat actors to identifying and solving the mechanisms through which many (or all) threat actors operate will the overall problem—in this case, critical national infrastructure defense—be addressed. By comparison, countering specific clusters of threat activity amounts to little more than “whack-a-mole,” and claiming victory is not only premature but also nonsensical.