View by Author

Most Recent Articles

Why Volt Typhoon Matters In 2026

By Published On: 22 January 2026Categories: Critical Infrastructure, Defence, Security

Volt Typhoon has all the hallmarks of being an advanced [...]

Share This Article:

Volt Typhoon has all the hallmarks of being an advanced persistent threat (APT) focused on long‑term access to critical infrastructure, including communications, energy, transport, and water/wastewater sectors. The group has been repeatedly highlighted in 2024–2025 joint advisories for quietly embedding itself in infrastructure networks to be ready for potential future crises, rather than for immediate impact.

Heading into 2026, the strategic concern is that this persistent access can be activated to disrupt services at times of geopolitical tension, elections, or regional conflict, with cascading impacts across supply chains and government services. This makes operational resilience, incident response readiness, and OT‑aware detection capability board‑level priorities rather than optional enhancements.

Tradecraft: Quiet Access, Disruptive Potential

Volt Typhoon’s operations typically begin with careful reconnaissance to map networks, trust relationships, and remote access services, including smaller or regional service providers that support larger critical infrastructure operators. The group frequently exploits internet‑facing appliances and services, then pivots to credential theft and “living off the land” techniques that blend almost perfectly with legitimate admin activity.

Instead of relying on bespoke malware, Volt Typhoon prefers native tools, valid accounts, and existing remote management channels, dramatically reducing detection by traditional signature‑based controls. In documented cases, the group has reached control systems inside critical infrastructure environments and positioned itself to move further into OT, raising real concerns about the ability to manipulate HVAC, power, or water systems during a crisis.

The Australian Signals Directorate (ASD)’s current message is that critical infrastructure operators must assume state‑sponsored actors like Volt Typhoon are already targeting (or in) their environments and respond with a mix of standards based uplift and OT‑specific resilience measures such as isolation and rapid rebuild capability. The emphasis in 2025–26 is on asset visibility, edge‑device and identity hardening, and the ability to keep vital services running even if parts of the network need to be cut off for months.

Core ASD Guidance Themes

ASD frames its advice around building resilience to severe incidents, not just preventing minor breaches. Guidance now combines classic ICT controls (NIST, E8, ISM) with OT‑specific practices based in applicable standards (e.g. AS 62443) for critical infrastructure operators.

Key themes include:

  • Treat state‑sponsored activity and “living off the land” techniques as baseline threats, not edge cases.
  • Embed cyber into board, executive and risk discussions, with directors expected to understand their exposure and resilience posture.OT‑Specific: Principles of OT Security

ASD’s “Principles of operational technology cyber security” call out that OT must be segmented and governed differently to corporate IT. The focus is on preventing IT compromise from cascading into OT and limiting lateral movement once an adversary is inside.

Key principles relevant to Volt Typhoon‑style actors include:

  • Segmentation and segregation of OT from IT and the internet, with tightly controlled and monitored conduits.
  • Hardening and monitoring of remote access, gateways and vendor connections, treating them as high‑risk control points.
  • Minimising unnecessary services, enforcing least privilege, and maintaining secure configurations for OT and supporting systems.

CI Fortify: Isolate And Rebuild

In late 2025 ASD released the CI Fortify guidance specifically for critical infrastructure and OT environments. This explicitly responds to the risk of state‑sponsored actors pre‑positioning for disruption (Volt Typhoon being the flagship example).

CI Fortify centres on:

  • Three preparatory steps:
    • Maintain a complete inventory of OT assets.
    • Identify which systems are truly vital to critical services.
    • Map where and how those systems can be safely isolated.
  • Two planned actions:
    • Be able to isolate vital OT systems from external networks and third parties for up to three months while still delivering essential services.
    • Maintain trusted offline backups and spare equipment to rapidly rebuild essential systems after a major incident.

ASD stresses that these capabilities also improve resilience to natural disasters and supply‑chain disruptions, not just cyber events.

Volt Typhoon / PRC‑Specific Advice

ASD’s joint advisory on PRC state‑sponsored activity (including Volt Typhoon) aligns with US and Five Eyes partners and explicitly warns that Australian critical infrastructure could be targeted in similar ways. The fact sheet for leaders calls on executives to treat this as a critical business risk and to resource cyber teams accordingly. More can be read at: https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/prc-state-sponsored-actors-compromise-and-maintain-persistent-access-us-critical-infrastructure

In summary, recommended actions include:

  • Empower cyber teams to prioritise work using intelligence‑informed guidance (e.g. performance goals, sector‑specific risk assessments).
  • Focus on hardening edge devices, remote access, and identity systems that enable “living off the land” intrusions.
  • Improve logging, monitoring, and hunting for anomalous admin activity rather than just signature‑based malware detection.

What This Means Practically For 2026 Security Programs

For Anchoram’s clients, “what ASD says” effectively translates into four program pillars for 2026:

  1. Uplift Essential Eight maturity;
  2. Implement OT‑specific segmentation and remote access control;
  3. Adopt CI Fortify’s isolate/rebuild model for vital systems; and
  4. Ensure boards treat state‑sponsored pre‑positioning as a core enterprise risk, backed by funded resilience initiatives.

Aligning rail, water, energy, and defence‑estate programs with such ASD publications gives operators both practical security outcomes and clear evidence of adherence to contemporary Australian government expectations

What This Means For Anchoram’s Clients In 2026

For government agencies and regulated operators, 2026 is the year when “quiet pre‑positioning” becomes a central planning assumption for risk, not a hypothetical outlier. The focus shifts from purely preventing ransomware and data breaches to ensuring essential services can withstand targeted attempts to disrupt OT and supporting IT systems during national or regional crises.

Anchoram’s work across government, defence, rail, and utilities enables clients to translate these high‑end threats into practical actions: more mature Essential Eight implementation, defensible segmentation between IT and OT, and assurance that remote access, vendor connections, and edge devices are governed and monitored as critical assets. This requires balancing standards like ASD Essential Eight, AESCSF, IEC 62443, and DISP with real‑world constraints in brownfield plants, rolling stock, and complex supply chains.

Anchoram’s 2026 Priority Themes

To help boards and executives respond credibly to Volt Typhoon‑class adversaries in 2026, Anchoram centres its narrative and services around a small set of priority themes. These themes speak directly to the evolving threat landscape and the expectations of regulators, ministers, and communities that rely on essential services.

  • Strategic asset and exposure visibility: Deliver integrated inventories covering IT, OT, remote access, and third‑party connections, with specific attention to internet‑exposed interfaces, gateways, and unmanaged devices.
  • Identity‑ and access‑centric defence: Uplift identity controls, privileged access management, and vendor access governance across both IT and OT, ensuring that stolen credentials and compromised edge devices are less useful to long‑dwell actors.
  • OT‑aware monitoring and sovereign SOC integration: Implement behaviour‑driven monitoring, tuned OT baselines, and sovereign‑capable SOC integrations that can detect subtle, long‑term intrusions as well as rapid destructive attempts.
  • Cyber‑physical disruption and crisis playbooks: Embed cyber‑driven physical disruption scenarios into emergency management, BCP, and whole‑of‑government exercises, including cross‑jurisdictional dependencies such as power, water, and transport.
  • Supplier, project, and gateway assurance: Apply threat‑informed assurance to capital projects, outsourced operations, and managed services, ensuring procurement and design decisions do not introduce insecure remote access or flat networks.

For Anchoram, helping customers develop a 2026 focused strategy for threats such as Volt Typhoon and peer actors is a chance to provide real world experience in combatting threats based on our experience within Critical Infrastructure, Australian government, Defence estates, inclusive of rail, water, and energy.

We aim to frame our services around credible adversary tradecraft and realistic disruption scenarios, to help clients move from generic “critical infrastructure is at risk” statements to targeted, funded programs and strategies that materially reduce the likelihood and impact of cyber‑physical incidents.

For a confidential discussion on how we can assist reach out to us today: contact@anchoramconsulting.com.au

James Kambourian
By Published On: 22 January 2026Categories: Critical Infrastructure, Defence, Security

Categories

Subscribe

Subscribe to our newsletter and get the latest news and information from Anchoram.

Most Recent Articles

Author Profiles