Volt Typhoon and Pre-Positioning in US Infrastructure: A Resilience Checklist
A China-linked group has been sitting quietly inside US electric, water, telecom, and transportation networks, in some cases for 300 days or more. Federal authorities say this is positioning for disruption, not spying. Here is what changed, who is exposed, and the resilience steps that move the risk down.

Key takeaways
- Volt Typhoon, a state-linked actor tied to China, has pre-positioned inside US critical infrastructure across the electric, water, telecommunications, and transportation sectors, with dwell times documented at 300 days or more.
- CISA frames the activity as pre-positioning for potential disruption during a future crisis, not classic espionage, which changes how defenders should prioritize segmentation, monitoring, and the removal of remote-management exposure.
- A confirmed case at Littleton Electric Light and Water Departments, a Massachusetts public power utility compromised since around February 2023, shows how long an intruder can persist undetected in a smaller operator.
- A February 2026 CISA advisory noted intensified activity in the water and communications sectors, raising urgency for utilities, municipalities, and the agencies that serve them.
- The practical defense is not a single product. It is network segmentation, identity-based access, continuous detection, edge hardening, and a supported equipment lifecycle, built on DoDIN APL-ready and TAA-compliant gear that Uniqcli scopes, procures, and helps operate.
What happened, and why it matters now
US authorities have spent the past two years tracking a state-linked threat actor known as Volt Typhoon, tied to China, living inside the networks that keep the lights on and the water running. This is not a smash-and-grab. Investigators have documented dwell times of 300 days and more, meaning the intruders were present, patient, and largely invisible for the better part of a year before anyone confirmed they were there.
The targets are not banks or retailers. They are the operational backbone of daily life: electric utilities, water and wastewater systems, telecommunications carriers, and transportation networks. The Cybersecurity and Infrastructure Security Agency has been blunt about the intent. This looks like pre-positioning for potential disruption during a future crisis or conflict, not the quiet theft of secrets that usually defines nation-state espionage, a pattern detailed across CISA's cybersecurity advisories.
That distinction is the whole story. An actor stealing data wants to stay hidden and leave. An actor pre-positioning wants to hold access until the moment it becomes useful to turn something off. For utility operators, municipal governments, and the federal and SLED buyers who fund and run this infrastructure, that reframes the problem from data protection to operational resilience. Our team works this exact intersection of security and public-sector delivery, and the steps below are where we tell buyers to start.
Who is affected: from federal grids to a small New England utility
The most striking detail in the public record is how ordinary some of the victims are. Littleton Electric Light and Water Departments, a public power utility serving a Massachusetts town, was found to have been compromised since roughly February 2023. A small municipal operator is not a hardened defense site with a 24-hour security operations center, and that is exactly the point. Attackers go where access is durable and attention is thin.
Scale that across thousands of US water districts, rural electric cooperatives, regional transit authorities, and local telecom providers and the exposure picture comes into focus. Many run lean IT teams. Many carry aging equipment with internet-facing management interfaces that were never meant to be exposed. A February 2026 CISA advisory noted intensified activity specifically in the water and communications sectors, a signal that the pressure is not easing. Several of the edge-device vulnerabilities exploited in this kind of activity also appear in the CISA Known Exploited Vulnerabilities catalog, which is a sensible patch-priority list for any operator: if a device you expose carries a KEV entry, it goes to the top of the queue.
For DoD, federal civilian, and SLED organizations, the takeaway is twofold. Your own networks need scrutiny, and so do the smaller operators and suppliers connected to your mission. Resilience is a supply-chain property, not just a perimeter one. Reviewing how identity, network segmentation, and monitoring extend across those connected operators is a reasonable first move, and one we can help you scope through a federal network quote.
How pre-positioning works (at the level defenders need)
Without handing anyone a playbook, the defensive shape of this campaign is worth understanding. Reporting on Volt Typhoon describes an actor that favors stealth: using built-in administrative tools and legitimate credentials rather than noisy custom malware (the pattern CISA calls "living off the land"), blending into normal traffic, and frequently entering through exposed or under-maintained network edge devices and remote-management interfaces.
That approach defeats defenses that only look for known-bad files. If the intruder is using valid logins and native system utilities, a signature scanner sees nothing unusual. This is why the center of gravity for defense has shifted toward identity, behavior, and segmentation. The questions that matter are who is authenticating, from where, to reach what, and does that pattern look normal for this account and this network. Frameworks like NIST SP 800-53 and the DoD STIGs codify exactly these controls for regulated operators.
It also explains why long dwell times are possible. When access rides on legitimate credentials and the network is flat, an intruder can move laterally and wait without tripping an alarm. Shrinking that blast radius, and getting eyes on east-west traffic instead of just the perimeter, is the difference between an intruder who reaches one segment and one who reaches the control systems.
The resilience checklist: what to do about it
There is no product that makes an infrastructure operator immune, and anyone who promises that is selling something. The honest goal is risk reduction: making intrusions harder to achieve, faster to detect, and far smaller in impact when they happen. A practical, sober checklist looks like this, and it maps cleanly onto Cisco capabilities our team deploys.
- Remove remote-management exposure. Inventory every internet-facing admin interface and VPN endpoint, retire what should not be reachable, and put strong identity in front of what remains. Cisco Duo adds multi-factor authentication and device-trust checks so a stolen password alone does not open a door; for it to count as phishing-resistant, enroll FIDO2/WebAuthn authenticators rather than relying on push approvals alone, which can be socially engineered.
- Segment the network. Flat networks are why dwell time turns into reach. Cisco Secure Firewall and the Identity Services Engine enforce policy that separates IT from operational technology and limits lateral movement, so a foothold in one zone does not become access to the grid control plane.
- Adopt Zero Trust access. Replace broad network access with per-application, identity-aware access using Cisco Secure Access, so contractors, remote staff, and connected operators reach only what they are authorized to touch.
- Watch east-west, not just the perimeter. Continuous detection on internal traffic is how you catch an actor using valid credentials. Cisco Hypershield brings distributed enforcement and segmentation into the data center fabric, and DNS-layer controls through Umbrella block command-and-control that resolves a domain. Traffic to a hard-coded IP address never touches that layer, so DNS filtering complements east-west inspection rather than replacing it.
- Harden the edge and keep it supported. Internet-facing devices running unsupported software are the recurring entry point. A supported equipment lifecycle backed by Cisco Smart Net Total Care provides the software-update entitlement plus end-of-life and security-advisory alerting that let you keep firmware current and pull end-of-life gear out of exposed positions before it becomes the way in.
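The first and last items above, removing management exposure and hardening the edge, start with an audit of what the edge devices actually allow. The following is an added example, not code from the original page or from Cisco: a small Python audit that parses a Cisco IOS-style running configuration and flags the management-exposure mistakes that turn an edge router into an entry point (plaintext HTTP management, default SNMP community strings, telnet on the VTY lines, and VTY lines with no inbound access-class). Both configurations are constructed samples; the hostname, addresses, and ACL number are placeholders, and the checks cover only the commands shown, not every way a device can be exposed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a deliberately weak IOS-style config for an internet-facing edge router.
# Not a real device; hostname, addresses and ACL numbers are placeholders.
WEAK_CONFIG = """\
hostname edge-rtr-01
!
ip http server
no ip http secure-server
!
snmp-server community public RO
!
access-list 10 permit 10.20.30.0 0.0.0.255
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 access-class 10 in
 login local
!
interface GigabitEthernet0/0
 description WAN uplink
 ip address 203.0.113.10 255.255.255.248
 no shutdown
!
"""

# Constructed sample: the same device with management exposure closed down.
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no ip http server
ip http secure-server
ip http access-class 10
!
access-list 10 permit 10.20.30.0 0.0.0.255
!
line vty 0 15
 transport input ssh
 access-class 10 in
 login local
!
"""


def parse_blocks(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS-style config into top-level commands and their indented sub-commands.

    A line starting with '!' or a new non-indented line ends the current block.
    """
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        blocks[line] = []
        current = line
    return top, blocks


def audit_config(text: str) -> List[str]:
    """Return human-readable findings for remote-management exposure in the config."""
    top, blocks = parse_blocks(text)
    findings: List[str] = []

    # Plaintext HTTP management should never be on; HTTPS management needs a source ACL.
    if "ip http server" in top:
        findings.append("ip http server: plaintext HTTP management enabled; run 'no ip http server'")
    if "ip http secure-server" in top and not any(t.startswith("ip http access-class") for t in top):
        findings.append("ip http secure-server: no 'ip http access-class' restricting management sources")

    # SNMPv1/v2c community strings: default names are a giveaway, RW is a takeover path.
    for t in top:
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)\b", t, re.IGNORECASE)
        if m:
            name, mode = m.group(1), m.group(2).upper()
            if name.lower() in ("public", "private"):
                findings.append(f"snmp-server: default community string '{name}' ({mode}); remove it")
            elif mode == "RW":
                findings.append(f"snmp-server: read-write community '{name}'; move to SNMPv3 authPriv")

    # Each VTY line block: SSH only, and an inbound access-class limiting who may connect.
    for t in top:
        if not t.startswith("line vty"):
            continue
        sub = blocks[t]
        transport = next((s for s in sub if s.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{t}: 'transport input' not set; pin it to ssh")
        elif any(proto in ("telnet", "all") for proto in transport.split()[2:]):
            findings.append(f"{t}: telnet allowed ('{transport}'); use 'transport input ssh'")
        if not any(s.startswith("access-class") and s.endswith(" in") for s in sub):
            findings.append(f"{t}: no inbound access-class; management reachable from any source")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print("  -", f)
```

Run it against an exported running-config (`show running-config` output) and treat any finding on an internet-facing device as a KEV-level priority. The block-based parser is what makes this useful beyond grep: the access-class check is per VTY range, so a hardened `line vty 5 15` does not mask an open `line vty 0 4`.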
Visibility and detection: assume access, prove control
Pre-positioning rewards patience, so the defensive counter is to stop assuming a clean network and start proving it. That means telemetry across the environment and the discipline to act on it. Cisco Catalyst Center gives network teams a single view of device inventory, configuration drift, and policy state, which is where unapproved changes and stale exposed interfaces get caught.
Detection has to reach beyond the network into identity and application behavior. Aggregating logs and running analytics with Splunk turns scattered events into the pattern that reveals credential abuse or anomalous lateral movement. Pairing that with digital-experience and path monitoring through ThousandEyes and a broader observability practice helps operators see when service degradation is an attack rather than a routine fault, which matters most for the water and communications sectors named in the recent advisory.
For operators without a 24-hour security team, and that describes most municipal utilities, the gap is rarely tooling. It is the staff to run it. This is where our managed operations and Zero Trust security services carry the load: monitoring, tuning, patch cadence, and change windows handled by people who do this full time, so detection actually happens instead of sitting idle in a console.
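The question posed earlier (who is authenticating, from where, to reach what, and is that normal for this account) and the east-west monitoring this section describes come down to comparing each authentication against a per-account baseline rather than looking for a malicious file. The following is an added example, not code from the original page or from Cisco or Splunk: a Python detector that builds a baseline of source networks, target hosts, zones and working hours per account from normal logins, then scores new events and alerts on a first-ever reach into an OT zone, an account with no history, or two or more deviations at once. The events, account names, hosts and the `ot-control` zone label are constructed; real deployments would feed it normalized authentication records from the SIEM and take zone labels from the segmentation policy.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Assumption: zone labels as the segmentation policy would tag them; 'ot-control' is the crown jewel.
OT_ZONES = {"ot-control"}


def evt(ts: str, user: str, src_ip: str, dst_host: str, dst_zone: str) -> dict:
    """One successful authentication, already normalized (valid credentials, nothing 'malicious')."""
    return {"ts": ts, "user": user, "src_ip": src_ip, "dst_host": dst_host, "dst_zone": dst_zone}


def src_net(ip: str) -> str:
    """Collapse a source address to its /24 so a DHCP change does not look like a new location."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def hour_of(ts: str) -> int:
    return datetime.fromisoformat(ts).hour


def constructed_baseline() -> List[dict]:
    """Constructed sample: 20 working days of normal logins for an IT admin and an OT engineer."""
    events = []
    for day in range(1, 21):
        for hour in range(8, 18):
            events.append(evt(f"2026-03-{day:02d}T{hour:02d}:00:00", "jsmith", "10.20.30.15", "it-jump01", "it-servers"))
            events.append(evt(f"2026-03-{day:02d}T{hour:02d}:30:00", "ot-eng", "10.50.1.20", "hmi-01", "ot-control"))
    return events


# Constructed sample: four new events to score. Only two should alert.
NEW_EVENTS = [
    evt("2026-03-24T10:00:00", "jsmith", "10.20.30.15", "it-jump01", "it-servers"),   # routine
    evt("2026-03-25T02:00:00", "jsmith", "10.99.0.5", "hmi-01", "ot-control"),        # IT admin into OT at 2am from a new subnet
    evt("2026-03-25T23:00:00", "ot-eng", "10.50.1.20", "hmi-01", "ot-control"),       # late shift, otherwise normal
    evt("2026-03-26T09:00:00", "svc_backup", "10.20.30.15", "it-jump01", "it-servers"),  # account never seen before
]


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per-account profile of where logins come from, what they reach, and when."""
    profile: Dict[str, dict] = defaultdict(lambda: {"src_nets": set(), "targets": set(), "zones": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["src_nets"].add(src_net(e["src_ip"]))
        p["targets"].add(e["dst_host"])
        p["zones"].add(e["dst_zone"])
        p["hours"].add(hour_of(e["ts"]))
    return profile


def score_event(e: dict, profile: Dict[str, dict]) -> Tuple[bool, List[str]]:
    """Return (alert, reasons). A first reach into OT or an unknown account alerts on its own;
    otherwise two or more deviations are needed, so a single late login does not page anyone."""
    p = profile.get(e["user"])
    if p is None:
        return True, ["account has no baseline (never seen before)"]
    reasons: List[str] = []
    critical = False
    net = src_net(e["src_ip"])
    if net not in p["src_nets"]:
        reasons.append(f"new source network {net}")
    if e["dst_zone"] in OT_ZONES and e["dst_zone"] not in p["zones"]:
        reasons.append(f"first-ever reach into OT zone {e['dst_zone']}")
        critical = True
    elif e["dst_host"] not in p["targets"]:
        reasons.append(f"new target host {e['dst_host']}")
    h = hour_of(e["ts"])
    if h not in p["hours"]:
        reasons.append(f"outside usual hours ({h:02d}:00)")
    return (critical or len(reasons) >= 2), reasons


def detect(baseline: List[dict], new_events: List[dict]) -> List[dict]:
    profile = build_baseline(baseline)
    alerts = []
    for e in new_events:
        alert, reasons = score_event(e, profile)
        if alert:
            alerts.append({**e, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(constructed_baseline(), NEW_EVENTS):
        print(f"ALERT {a['ts']} {a['user']} {a['src_ip']} -> {a['dst_host']} [{a['dst_zone']}]")
        for r in a["reasons"]:
            print("   ", r)
```

The shape matters more than the thresholds: every signal here comes from a successful login with valid credentials, which is exactly what a file-signature scanner never sees. The IT-to-OT crossing is treated as critical on its own because, in a segmented network, that path should be a policy violation before it is an anomaly.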
Procurement that meets the moment: TAA, DoDIN APL, and getting it fielded
For federal, DoD, and SLED buyers, the response is also a procurement problem. Hardening a critical network only counts if the gear is compliant, available on the right contract, and installed correctly. As an authorized Cisco partner, Uniqcli scopes TAA-compliant and DoDIN APL-ready Cisco hardware, configures it to STIG and FIPS 140-3 expectations, and helps route it through the contract vehicles your organization already uses.
Funding and timing matter when the threat is active. We help buyers structure acquisitions across GSA and NASA SEWP paths, align licensing terms with budget cycles, and avoid the patchwork of mismatched renewals that leaves equipment unsupported and exposed. The mechanics of compliant public-sector buying are covered across our procurement and defense pages, and our team handles the CLIN, packet, and lead-time details so the schedule does not slip.
From there it is execution. Design the segmentation across firewall and SD-WAN edges, stage and validate the equipment, and run a phased cutover that does not interrupt service, the kind of disciplined delivery a water plant or a transit network cannot afford to get wrong. If you want a sober scope of where you stand and what hardening costs, start a request for quote and we will build it around your environment rather than a generic template.
Cisco products involved
- Cisco Secure Firewall
- Cisco Identity Services Engine (ISE)
- Cisco Secure Access
- Cisco Duo
- Cisco Hypershield
- Cisco Umbrella
- Cisco Catalyst Center
Bottom line: Volt Typhoon did not rely on noisy malware; it came in through exposed edge devices and valid credentials, then waited, in some cases for more than 300 days. The lesson for utilities, municipalities, and the agencies that fund them is not panic, it is resilience: remove remote-management exposure, segment the network, enforce identity-based Zero Trust access, watch internal traffic continuously, and keep equipment supported and current. None of that makes any organization immune, but together these steps make intrusions harder to land, faster to catch, and far smaller in impact. Uniqcli scopes, procures, and helps operate that hardening on TAA-compliant, DoDIN APL-ready Cisco gear for federal, DoD, and SLED buyers. Start with a federal network quote and we will build the response around your environment.
Frequently asked questions
Is Volt Typhoon stealing data or preparing to cause damage?
CISA characterizes the activity as pre-positioning for potential disruption rather than classic espionage. In plain terms, the goal appears to be holding quiet, durable access inside critical networks so it could be used to interfere with operations during a future crisis, instead of stealing information and leaving. That intent is why defenders should prioritize segmentation, identity, and detection over data-loss controls alone.
Why did the intruders go undetected for so long?
Public reporting describes an actor that favors stealth, using legitimate credentials and built-in administrative tools rather than obvious malware, and often entering through exposed or under-maintained network edge and remote-management interfaces. Defenses that only look for known-bad files miss that behavior. Catching it requires monitoring identity and internal east-west traffic for patterns that look abnormal, which many lean IT teams are not staffed to do continuously.
We are a small utility or municipality, not a federal agency. Are we really a target?
The confirmed compromise of Littleton Electric Light and Water Departments, a Massachusetts public power utility, shows that smaller operators are squarely in scope. Attackers favor places where access is durable and security attention is thin. A February 2026 CISA advisory also flagged intensified activity in the water and communications sectors, which are dominated by smaller, locally run operators. Size is not protection here.
Can Cisco and Uniqcli make our network completely safe from this?
No, and we will not claim that. No vendor or partner can make any organization immune to a determined state-linked actor. What is realistic and worthwhile is meaningful risk reduction: hardening the edge, segmenting the network, enforcing Zero Trust identity, monitoring continuously, and keeping equipment supported. Together those measures make intrusions harder to achieve, faster to detect, and much smaller in impact. Uniqcli helps you scope, procure, deploy, and operate that on compliant Cisco gear.
How does this work for public-sector procurement and compliance?
As an authorized Cisco partner, Uniqcli scopes TAA-compliant and DoDIN APL-ready Cisco hardware, configures it toward STIG and FIPS 140-3 expectations, and routes it through the contract vehicles your organization already uses, including GSA and NASA SEWP paths. We handle the CLIN, compliance packet, lead-time, and licensing-term details, then design, stage, and run a phased cutover so service is not interrupted. You can start that process with a federal network quote.
Uniqcli Team
The Uniqcli Team is an authorized Cisco partner specializing in Catalyst wireless, switching, datacenter fabric, licensing, and managed services for U.S. federal, state, local, and education customers. We scope Cisco bills of materials, validate procurement paths (TAA, FIPS, contract vehicles), and deliver design, deployment, and managed operations.