Threat Intelligence

Nation-State Threats to the Power Grid: Sandworm and Volt Typhoon

In 2023 and 2024 CISA, the NSA, the FBI and allied agencies including the UK's NCSC issued repeated joint advisories warning that a People's Republic of China state-sponsored group tracked as Volt Typhoon had pre-positioned itself inside US critical national infrastructure, including power, water and communications, with no apparent purpose other than to be ready to disrupt those services during a future crisis. This is a different threat model from cybercrime: the goal is not money but the capability to switch the lights off at a moment of geopolitical tension.


Two distinct nation-state playbooks

Grid-focused state activity falls broadly into two patterns. The first is destructive operations, exemplified by the Russian military intelligence (GRU) unit tracked as Sandworm, which has repeatedly demonstrated both the willingness and the ability to cause real power outages. The second is quiet pre-positioning, exemplified by Volt Typhoon, where the objective is to establish persistent, deniable access and hold it for years until it is needed.

  • Destructive operations: deliberate, visible disruption such as the 2015 and 2016 Ukraine blackouts
  • Pre-positioning: long-term covert access into CNI for use during a future conflict
  • Espionage: theft of grid design, generation and trading data to inform later operations

Living-off-the-land makes detection hard

A defining feature of Volt Typhoon is its use of living-off-the-land techniques: instead of dropping obvious malware, it abuses legitimate built-in tools such as PowerShell and Windows Management Instrumentation (WMI), and routes its traffic through compromised home and small-office routers so that command-and-control connections appear to come from ordinary residential IP space. This makes the intrusion extremely difficult to spot with signature-based tools, because each individual action is one an administrator could legitimately take; the signal lies in who is running the tools, on which host, at what time and in what combination, not in the binaries themselves.

The attack surface is wider than the control room

State actors rarely walk in through the front door of a SCADA system. They target the edges: internet-facing VPNs, unpatched perimeter appliances, exposed remote-access services for contractors, and the IT systems of suppliers that have trusted connections into the operator. Every internet-exposed asset an energy operator owns, including those it has forgotten about, is a potential foothold.

Defending against patient, well-resourced adversaries

You cannot out-spend a nation state, but you can deny it the easy footholds it depends on and reduce the time it can dwell undetected. The priorities are knowing exactly what you expose to the internet, closing it fast, and watching for the subtle behavioural signals that living-off-the-land intrusions produce.

  • Continuous discovery of every internet-facing asset, including shadow IT and forgotten services
  • Rapid patching of perimeter devices, which are a favourite initial-access route
  • Behavioural monitoring tuned for abuse of legitimate admin tooling, such as hidden or encoded PowerShell, processes spawned via remote WMI, and admin tools run from accounts or hosts that never normally use them
  • Strict segmentation so an IT foothold cannot reach OT control systems
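The living-off-the-land paragraph above and the behavioural-monitoring priority in this list both turn on the same idea: the binaries are legitimate, so detection has to compare observed activity with a baseline of who normally runs what, where. The script below is an added illustration of that approach and is not code from this page, from Kyanite Blue or from Hadrian. It assumes a constructed key=value process-creation log format loosely modelled on the fields of Windows Security event 4688 (timestamp, host, user, parent image, image, command line), a hand-written account-to-host baseline, and hypothetical host and account names; all of these are assumptions, and the sample events are constructed, not captured.

```python
"""Behavioural detection of living-off-the-land (LOTL) admin-tool abuse.

Added example. Parses constructed process-creation records and flags the
ones that deviate from an operator-defined baseline, rather than matching a
malware signature: every binary involved is legitimate and signed.
"""
import re
from dataclasses import dataclass

# Constructed baseline (assumption): which accounts are expected to run
# interactive admin tooling, and on which hosts. A real deployment would
# derive this from weeks of process-creation telemetry.
BASELINE = {
    r"CORP\ot_admin": {"ENG-JUMP01", "SUBSTN-HMI01"},
    r"CORP\it_admin": {"ENG-JUMP01", "CORP-FS01"},
}

# Built-in tools routinely reused in LOTL intrusions. They ship with Windows,
# so the image name alone is not a signal; who runs them and where is.
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "net.exe", "schtasks.exe"}

# PowerShell switches an interactive administrator almost never types but
# which are common in scripted, hidden or obfuscated execution.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(?i)\s-(?:enc(?:odedcommand)?|w(?:indowstyle)?\s+hidden|nop(?:rofile)?"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b"
)

# key=value tokens, with optional double-quoting for values containing spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Event:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Parse one key=value process-creation record (constructed format)."""
    fields = {k: (q or u) for k, q, u in KV.findall(line)}
    return Event(
        ts=fields["ts"], host=fields["host"], user=fields["user"],
        parent=fields["parent"].lower(), image=fields["image"].lower(),
        cmdline=fields.get("cmdline", ""),
    )


def assess(ev: Event) -> list[str]:
    """Return the behavioural findings for one event (empty list = looks normal)."""
    findings = []
    if ev.image == "powershell.exe" and SUSPICIOUS_PS_FLAGS.search(ev.cmdline):
        findings.append("powershell launched with hidden/encoded/bypass switches")
    if ev.parent == "wmiprvse.exe":
        findings.append("process spawned by WMI provider host (remote WMI execution)")
    if ev.image in ADMIN_TOOLS:
        allowed_hosts = BASELINE.get(ev.user)
        if allowed_hosts is None:
            findings.append(f"admin tool run by non-admin account {ev.user}")
        elif ev.host not in allowed_hosts:
            findings.append(f"admin account {ev.user} active on unexpected host {ev.host}")
    return findings


def triage(lines):
    """Run every record through assess(); return (host, image, findings) for hits only."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        findings = assess(ev)
        if findings:
            hits.append((ev.host, ev.image, findings))
    return hits


# Constructed sample telemetry: two routine admin actions and two that are
# behaviourally anomalous even though every binary involved is legitimate.
SAMPLE_EVENTS = [
    'ts=2024-03-14T09:02:11Z host=ENG-JUMP01 user="CORP\\ot_admin" parent=explorer.exe '
    'image=powershell.exe cmdline="powershell.exe Get-Service"',
    'ts=2024-03-14T02:13:07Z host=SUBSTN-HMI01 user="CORP\\svc_backup" parent=wmiprvse.exe '
    'image=powershell.exe cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    'ts=2024-03-14T10:40:55Z host=CORP-FS01 user="CORP\\it_admin" parent=cmd.exe '
    'image=net.exe cmdline="net.exe use Z: \\\\CORP-FS01\\share"',
    'ts=2024-03-14T03:01:30Z host=SUBSTN-HMI01 user="CORP\\it_admin" parent=cmd.exe '
    'image=wmic.exe cmdline="wmic.exe process call create cmd.exe"',
]

if __name__ == "__main__":
    for host, image, findings in triage(SAMPLE_EVENTS):
        print(f"{host} {image}: " + "; ".join(findings))
```

The first and third events are an OT administrator and an IT administrator using PowerShell and net.exe on hosts they always use, and produce no findings. The second is a backup service account launching hidden, encoded PowerShell via WMI on a substation HMI, which trips three rules at once; the fourth is a legitimate IT administrator account appearing on an OT host it has no business on, which a signature-based tool would never see because wmic.exe is a normal Windows binary. In practice the baseline is the hard part: it has to be learned from real telemetry and reviewed with the people who own those accounts, or the detector drowns in noise.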

How Kyanite Blue and Hadrian defend against state actors

Nation-state actors win by finding the one internet-facing asset you did not know you had. Kyanite Blue deploys Hadrian autonomous attack-surface management to continuously discover, map and risk-rank everything your organisation exposes to the internet, from forgotten VPN gateways and test environments to misconfigured supplier connections. Hadrian thinks like an attacker, validating which exposures are genuinely exploitable so your team fixes what matters before a Volt Typhoon-style actor finds it. Combined with our segmentation and monitoring guidance, this shrinks the footholds available to patient adversaries and shortens the window in which they can operate unseen.

Frequently Asked Questions

What is Volt Typhoon and why does it worry energy regulators?

Volt Typhoon is the name given to a state-sponsored cyber group that, according to CISA and allied agencies in 2023 and 2024, has covertly embedded itself in US critical infrastructure including power and water. What alarms regulators is that the access appears to serve no espionage purpose, suggesting it is being held in reserve to disrupt essential services during a future geopolitical crisis.

How is a nation-state threat different from ransomware?

Ransomware groups are financially motivated, move quickly and want to be noticed so you pay. Nation-state actors are mission-driven, patient and want to stay hidden, often maintaining access for years. They are typically better resourced, more careful, and may be willing to cause physical damage, which makes detection and resilience, rather than just prevention, essential.

What is living-off-the-land in a grid attack context?

Living-off-the-land means the attacker avoids custom malware and instead abuses legitimate tools already present on the system, such as PowerShell, WMI and remote-management utilities. Because administrators use these same tools every day, the malicious activity blends into normal operations, defeating signature-based antivirus and demanding behavioural detection instead: baselining which accounts use which tools on which hosts, and alerting on the deviations.
