Volt Typhoon Strikes: Chinese Hackers Infiltrate US Water Utilities in Stealth Cyber Siege

Author: Quiet. Please
Published: Sun 10 Aug 2025
Episode link: https://www.spreaker.com/episode/volt-typhoon-strikes-chinese-hackers-infiltrate-us-water-utilities-in-stealth-cyber-siege--67322731

This is your Dragon's Code: America Under Cyber Siege podcast.

This is Ting, your favorite techie guide through America’s wildest summer cyber ride. Brace yourselves, my listeners—because this past week, the phrase “Dragon’s Code” was a little too on the nose. Chinese cyber operations set a new bar for sophistication and scale, targeting US infrastructure with a blend of stealth, persistence, and, frankly, concerning creativity. Let’s plug in.

The headline: over a dozen small-town water utilities, including some supporting critical military and hospital operations, discovered they’d been breached not just as an afterthought, but as core targets. According to DEF CON’s Franklin project and Craig Newmark-backed cybersecurity teams, these attacks were traced back to Beijing’s Volt Typhoon—the same crew infamous for burrowing into networks, pre-positioning themselves for future sabotage. Why hack a tiny water plant outside Fort Carson, Colorado? Because a single compromised outpost can be a springboard for disrupting hospitals or even DoD logistics.

Let’s get nerdy with methodology. The attackers exhibited everything from vulnerable remote access tool exploitation—the sort of thing that makes IT admins everywhere weep—to advanced lateral movement using legitimate but under-monitored IoT devices like smart meters and chemical sensors. Imagine a network of connected pumps quietly routing malicious traffic: not only a way to hide command-and-control, but also a method to mask themselves inside the cacophony of industrial noise. The Volt Typhoon teams were stealthy, often operating with “living off the land” tactics that make detection dramatically harder. No fancy malware needed when you can run PowerShell or abuse forgotten credentials.
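The "living off the land" problem described above is that the tools are legitimate, so defenders lean on behavioural signals rather than malware signatures. The script below is an added example written for this page, not anything from the episode, DEF CON's Franklin project or any vendor named here, and it models no real Volt Typhoon indicator. It runs three generic triage heuristics over constructed log lines: PowerShell launched with switches operators rarely use interactively (encoded command, hidden window, no profile), logons by accounts the utility has not used in months, and IoT-class hosts (meters, sensors, pump controllers) sending traffic anywhere other than the historian they are meant to talk to. Every host name, account name, address and dormant-account list is a constructed assumption.

```python
"""Toy triage of 'living off the land' signals over constructed log lines.

Added example for this page. The log lines, host names, account names and
addresses below are constructed and do not come from any reported incident.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Assumption: accounts the hypothetical utility has not used in 90+ days.
# A fresh logon by one of these is worth a look because stale credentials
# are a common foothold.
DORMANT_ACCOUNTS = {"svc_legacy", "contractor_2019"}

# Assumption: embedded/IoT devices and the only peer they should ever talk to
# (the SCADA historian at 10.20.0.5 in this toy network).
IOT_HOSTS = {"meter-17", "chem-sensor-03", "pump-ctl-01"}
EXPECTED_IOT_PEERS = {"10.20.0.5"}

# PowerShell switches that are rare in interactive operator use but common in
# scripted, hands-on-keyboard activity. These are generic, not actor-specific.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(?:enc(?:odedcommand)?|nop(?:rofile)?|w(?:indowstyle)?\s+hidden|"
    r"ep\s+bypass|executionpolicy\s+bypass|noni(?:nteractive)?)\b",
    re.IGNORECASE,
)
ENCODED_ARG = re.compile(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def parse_line(line: str) -> dict:
    """Parse 'k=v k=v ... cmd=<rest of line>' into a dict; cmd is always last."""
    head, sep, cmd = line.partition(" cmd=")
    fields = {}
    for tok in head.split():
        key, _, value = tok.partition("=")
        fields[key] = value
    if sep:
        fields["cmd"] = cmd
    return fields


def decode_encoded_command(cmd: str):
    """PowerShell -EncodedCommand is base64 of UTF-16LE; return the plaintext or None."""
    match = ENCODED_ARG.search(cmd)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(lines) -> list:
    """Apply the three heuristics and return the findings in log order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "?")
        kind = ev.get("type")
        if kind == "process" and "powershell" in ev.get("cmd", "").lower():
            flags = sorted({m.group(0).lower() for m in SUSPICIOUS_PS_FLAGS.finditer(ev["cmd"])})
            if flags:
                decoded = decode_encoded_command(ev["cmd"])
                findings.append(Finding(
                    "suspicious_powershell", host,
                    f"user={ev.get('user')} flags={flags} decoded={decoded!r}"))
        elif kind == "logon" and ev.get("user") in DORMANT_ACCOUNTS:
            findings.append(Finding(
                "dormant_account_logon", host,
                f"user={ev['user']} src={ev.get('src')}"))
        elif kind == "netflow" and host in IOT_HOSTS and ev.get("dst") not in EXPECTED_IOT_PEERS:
            findings.append(Finding(
                "iot_unexpected_egress", host,
                f"dst={ev.get('dst')} bytes={ev.get('bytes')}"))
    return findings


# Constructed sample telemetry. The encoded command is a harmless Write-Output
# so the decode path can be exercised; the detection keys on the switches.
ENC = base64.b64encode("Write-Output hello".encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    "ts=2025-08-06T02:14:07Z host=hmi-ws-02 type=process user=svc_legacy cmd=powershell.exe -nop -w hidden -enc " + ENC,
    "ts=2025-08-06T02:14:09Z host=hmi-ws-02 type=logon user=svc_legacy src=10.20.4.31",
    "ts=2025-08-06T02:15:30Z host=meter-17 type=netflow dst=203.0.113.9 bytes=48213",
    "ts=2025-08-06T02:16:01Z host=pump-ctl-01 type=netflow dst=10.20.0.5 bytes=1200",
    "ts=2025-08-06T08:01:15Z host=hmi-ws-02 type=process user=operator1 cmd=powershell.exe Get-Service",
    "ts=2025-08-06T08:02:00Z host=hmi-ws-02 type=logon user=operator1 src=10.20.4.10",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

None of the three rules is proof of compromise on its own; an operator may legitimately script PowerShell, and a meter may have a firmware-update server. The point is that each rule turns an "everything looks normal" environment into a short list an analyst can check, which is exactly what a living-off-the-land intrusion tries to deny you. Tuning the allowlists to the actual site is the real work.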

Attribution was possible thanks to a blend of network forensics, some old-school human intelligence, and crucially, threat intelligence sharing between DEF CON hackers, CISA, and the Multi-State Information Sharing and Analysis Center. Indicators unique to Chinese government operations—like the use of distinct command servers, encoded toolkit signatures, and “Lao Wang’s” Telegram-disseminated phishing kits—tied incidents to familiar operators within the Chinese cyber ecosystem. Even the FBI stepped in, citing “persistent and systematic” transnational cyber and surveillance activities, especially after the arrest of two men believed to be operating under Beijing’s Ministry of Public Security.

We saw lightning-fast response. By Wednesday, CISA issued an emergency directive to all federal and municipal entities running Microsoft Exchange in hybrid mode, ordering immediate checks for CVE-2025-53786 compromise vectors. AI-powered defense tools from vendors like Dragos and Red Queen Security were rapidly deployed at no cost to help smaller utilities shore up detection and recovery. Still, as the Foundation for Defense of Democracies warned, with federal funding shrinking, not every utility will get the armor it needs unless states follow New York’s lead in mandating baseline cyber requirements.

What did we learn? First: Small infrastructure is a big risk. Second: Attribution isn’t a “who was it” game—it’s a chess match that blends cyber breadcrumbs with political signals. Third: Cyber defense is most effective when it’s crowd-sourced, with volunteer hackers working shoulder to shoulder with operators on the ground. And finally, in the words of Aspen Digital’s Jiwon Ma, resilience isn’t just firewalls and updates—it’s vigilance, fast sharing, and never underestimating the adversary.

That wraps this week’s deep dive into Dragon’s Code: America Under Cyber Siege. Special thanks to DEF CON’s Franklin team, the relentless volunteers, and my ever-paranoid drinking buddies at CISA for keeping the lights—and the water—on. Thanks for tuning in! Don’t forget to subscribe. This has been a Quiet Please production; for more, check out quiet...