The Evidence Pack: How Defenders Are Neutralizing Nation-State Malware in US Energy and Water Systems
As cyber adversaries shift from data theft to the physical disruption of critical infrastructure, a coalition of federal agencies and private security firms has published unprecedented evidence on how to hunt and dismantle dormant threats.
By Factlen Editorial Team
- Federal Cyber Defenders
- Prioritize national security, intelligence sharing, and establishing baseline resilience mandates across all critical infrastructure sectors.
- Private Threat Intelligence
- Focus on forensic analysis, behavioral detection of advanced persistent threats, and public attribution of nation-state actors.
- Infrastructure Operators
- Balance the need for robust cybersecurity with operational continuity, budget constraints, and the practicalities of manual fallback systems.
What's not represented
- Local municipal governments funding the cybersecurity upgrades
- Industrial control system (ICS) hardware manufacturers
Why this matters
Understanding how adversaries pre-position malware in operational technology (OT) networks demystifies a critical national security threat, empowering infrastructure operators and the public to focus on proven defensive mechanisms rather than panic.
Key points
- Nation-state cyber actors have shifted focus from data espionage to pre-positioning malware for the physical disruption of critical infrastructure.
- China's Volt Typhoon uses 'Living off the Land' techniques to maintain stealthy, dormant access for potential strategic leverage.
- Russia's Sandworm (APT44) actively pursues sabotage, using OT-native payloads to directly manipulate industrial equipment.
- Defenders are countering these threats by shifting from perimeter security to behavioral anomaly detection and strict IT/OT network segmentation.
- Federal agencies are urging infrastructure operators to practice running facilities manually to ensure resilience during a cyber breach.
For decades, the primary objective of nation-state cyber operations was espionage: the quiet extraction of intellectual property, diplomatic cables, and defense secrets. But the paradigm has shifted. Today, the most acute cyber threats facing the United States and its allies do not seek to steal data; they seek to manipulate the physical world. The targets are the operational technology (OT) networks that control municipal water purification, regional power grids, and maritime ports.[5][7]
This shift from digital theft to physical disruption has prompted an unprecedented response from federal defenders and private threat intelligence firms. By declassifying forensic evidence and publishing detailed behavioral signatures, agencies like the Cybersecurity and Infrastructure Security Agency (CISA) are shifting the advantage back toward defenders. This Evidence Pack examines the primary sources documenting how two distinct threat actors—China’s Volt Typhoon and Russia’s Sandworm—operate, and how their pre-positioned malware is being actively hunted and neutralized.[1][7]
The first major claim established by the intelligence community is that China’s Volt Typhoon campaign is designed for strategic pre-positioning rather than immediate sabotage. According to a joint advisory from CISA, the NSA, and the FBI, Volt Typhoon has successfully infiltrated the IT networks of multiple critical infrastructure organizations, primarily in the communications, energy, and water sectors. The evidence indicates that the group's objective is to establish dormant access that could be activated to disrupt U.S. military mobilization during a future geopolitical crisis, such as a conflict over Taiwan.[1][5]

The evidence supporting this assessment comes from the specific tactics Volt Typhoon employs. Forensic analysis reveals that the group relies heavily on "Living off the Land" (LOTL) techniques. Instead of deploying custom, easily identifiable malware, the attackers use built-in Windows administrative tools—like PowerShell and Windows Management Instrumentation (WMI)—to move laterally across networks. Because these tools are used daily by legitimate system administrators, the malicious activity blends seamlessly into normal network traffic, making detection via traditional signature-based antivirus software nearly impossible.[1][7]
While Volt Typhoon plays a long game of stealth, the evidence surrounding Russia’s premier cyber sabotage unit, Sandworm (recently redesignated as APT44 by Mandiant), points to a fundamentally different intent: active, physical disruption. Sandworm, attributed to the GRU’s Unit 74455, has a documented ten-year history of deploying destructive wiper malware and OT-native payloads against civilian infrastructure, most notably causing power blackouts in Ukraine in 2015 and 2016.[2][3]
Recent threat intelligence reports confirm that Sandworm’s operations have expanded beyond Eastern Europe. Security firm Nozomi Networks documented instances where Sandworm leveraged unresolved IT compromises to pivot directly into OT environments. In one campaign, the group targeted hundreds of engineering workstations and Human-Machine Interfaces (HMIs). Unlike financially motivated ransomware gangs, Sandworm utilizes industrial protocols like Modbus and IEC 104 to directly manipulate physical equipment, demonstrating a clear willingness to cause real-world harm.[3]
The mechanism of these attacks almost universally relies on bridging the "air gap" between a facility's enterprise IT network (used for email and billing) and its OT network (used for controlling valves, pumps, and breakers). Threat actors typically exploit a vulnerability in an internet-facing edge device, such as a VPN or firewall, to gain an initial foothold in the IT environment. From there, they harvest credentials and search for misconfigured firewalls or shared active directories that allow them to cross into the OT network.[4][7]

The evidence also highlights a critical vulnerability in the water and wastewater sector. A comprehensive threat report by DomainTools tracked multiple incidents between 2024 and 2026 where nation-state actors and aligned hacktivists exploited internet-exposed Programmable Logic Controllers (PLCs). In one notable case in Texas, attackers accessed a remote industrial interface and caused a municipal water tank to overflow. These incidents underscore that even unsophisticated attacks can achieve physical consequences if OT devices are left exposed to the public internet.[4]
Despite the severity of these threats, the evidence shows that the defensive posture of U.S. critical infrastructure is rapidly maturing. The strategy has shifted from an outdated reliance on perimeter defense to an "assumed breach" mentality. CISA’s recent "CI Fortify" initiative explicitly directs infrastructure operators to practice maintaining essential services in a degraded state. The core directive is resilience: ensuring that when an IT network is compromised, the physical processes can be isolated and operated manually.[6]
To counter the stealth of LOTL techniques, defenders are increasingly deploying behavior-based anomaly detection. By establishing a statistical baseline of normal network activity, AI-driven security platforms can flag when a legitimate administrative tool is being used in an anomalous way—such as a PowerShell script executing at 3:00 AM to query a domain controller. This approach turns the attackers' reliance on native tools into a detectable behavioral signature.[7]
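As an added illustration of the baseline-then-flag logic described above (example code written for this page, not from the article or the cited reports), the Python below learns the hours in which each user normally runs each native tool from constructed process-creation records, then scores new records against that baseline; all users, hosts (such as the placeholder "dc01") and commands are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real logs): process-creation records of the
# kind a SIEM ingests from Windows hosts, as (timestamp, user, process, command).
BASELINE = [
    ("2026-05-04T09:12:00", "jsmith", "powershell.exe", "Get-Service -Name Spooler"),
    ("2026-05-04T10:45:00", "jsmith", "powershell.exe", "Get-Process"),
    ("2026-05-05T15:20:00", "jsmith", "powershell.exe", "Restart-Service Spooler"),
    ("2026-05-05T02:00:00", "svc-backup", "powershell.exe", "Start-Backup -Target E:"),
    ("2026-05-06T02:05:00", "svc-backup", "powershell.exe", "Start-Backup -Target E:"),
]

# Constructed records to evaluate; "dc01" is a placeholder domain controller name.
NEW_EVENTS = [
    ("2026-05-07T09:30:00", "jsmith", "powershell.exe", "Get-Service -Name Spooler"),
    ("2026-05-07T03:00:00", "jsmith", "powershell.exe", "Get-ADComputer -Filter * -Server dc01"),
    ("2026-05-07T02:03:00", "svc-backup", "powershell.exe", "Start-Backup -Target E:"),
    ("2026-05-07T11:00:00", "jsmith", "wmic.exe", "os get version"),
]

# Command fragments that reach directory services; they raise severity when anomalous.
DIRECTORY_QUERIES = ("get-aduser", "get-adcomputer", "nltest", "dsquery")


def build_baseline(events):
    """Record, per (user, process), the hours of day in which the tool normally runs."""
    hours = defaultdict(set)
    for ts, user, proc, _cmd in events:
        hours[(user, proc.lower())].add(datetime.fromisoformat(ts).hour)
    return hours


def score_event(baseline, event):
    """Return (severity, reason) for one record; severity 0 means within baseline."""
    ts, user, proc, cmd = event
    key = (user, proc.lower())
    hour = datetime.fromisoformat(ts).hour
    if key not in baseline:
        severity, reason = 2, f"{proc} never seen for {user}"
    elif hour not in baseline[key]:
        severity, reason = 1, f"{proc} by {user} at {hour:02d}:00, outside baseline hours"
    else:
        return 0, "within baseline"
    if any(tok in cmd.lower() for tok in DIRECTORY_QUERIES):
        severity += 2  # anomalous use of a native tool against the directory
        reason += "; command queries the directory"
    return severity, reason


def detect(baseline_events, new_events):
    """Return (severity, reason, event) for every record that deviates from baseline."""
    baseline = build_baseline(baseline_events)
    scored = [(*score_event(baseline, e), e) for e in new_events]
    return [s for s in scored if s[0] > 0]
```

Running `detect(BASELINE, NEW_EVENTS)` flags only the 03:00 directory query and the unseen tool; the service account's 02:00 backup job is within its own baseline and stays quiet.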

Furthermore, the U.S. government has adopted a strategy of aggressive, public attribution. By publishing detailed Indicators of Compromise (IOCs) and the specific vulnerabilities being exploited, federal agencies are effectively burning the adversaries' infrastructure faster than it can be rebuilt. The EPA has also stepped up its regulatory and support role, distributing alerts to over 60,000 water systems and coordinating cybersecurity assistance for facilities that support defense-critical operations.[1][4]
The evidence pack ultimately reveals a landscape defined by persistent friction rather than imminent catastrophe. While the pre-positioning of malware by highly capable nation-states is a severe strategic threat, it is not an insurmountable one. By enforcing strict network segmentation, patching edge devices, and maintaining the capability for manual operational overrides, infrastructure defenders are systematically dismantling the leverage these adversaries seek to build.[5][7]
How we got here
Dec 2015
Sandworm causes the first known malware-facilitated power blackout in Ukraine.
May 2023
CISA and international partners first disclose Volt Typhoon's 'Living off the Land' pre-positioning campaign.
Jan 2024
The FBI disrupts a Volt Typhoon botnet used to mask the group's cyber espionage activities.
Feb 2024
CISA confirms Volt Typhoon has compromised IT environments across multiple U.S. critical infrastructure sectors.
Apr 2024
Mandiant formally elevates the Russian threat group Sandworm to the APT44 designation, highlighting its focus on physical sabotage.
May 2026
CISA releases 'CI Fortify' guidance, urging infrastructure operators to practice maintaining services in a degraded state.
Viewpoints in depth
Federal Cyber Defenders
Agencies view pre-positioning as a severe strategic threat requiring aggressive public attribution and mandatory resilience standards.
For federal agencies like CISA, the NSA, and the EPA, the presence of nation-state malware in domestic infrastructure is treated as a pre-kinetic military threat. Their strategy relies on declassifying intelligence rapidly to burn adversary infrastructure and issuing binding operational directives to force baseline security improvements. They argue that voluntary compliance is insufficient when dealing with advanced persistent threats, advocating for a shift toward 'secure by design' principles where technology vendors bear more responsibility for the security of edge devices.
Private Threat Intelligence
Security firms emphasize the mathematical and behavioral challenges of detecting adversaries who use legitimate administrative tools.
Firms like Mandiant and Nozomi Networks focus on the technical reality of the threat. They point out that adversaries like Volt Typhoon have adapted to traditional perimeter defenses by 'Living off the Land'—using native tools like PowerShell to avoid triggering malware alerts. From their perspective, the solution lies in advanced, AI-driven behavioral analytics that can establish a baseline of normal network activity and flag anomalous administrative actions, effectively turning the attackers' stealth tactics into a detectable signature.
Infrastructure Operators
Utilities and municipalities must balance theoretical cyber risks with the practical realities of budget constraints and operational continuity.
For the operators of the nation's 60,000+ water systems and thousands of energy substations, the cyber threat is one of many competing priorities, alongside aging physical infrastructure and strict budgets. They emphasize the difficulty of recruiting top-tier cybersecurity talent to municipal utilities. Consequently, their focus is increasingly on resilience rather than perfect security—ensuring that when a digital breach occurs, the facility has the physical analog controls and trained personnel necessary to operate the plant manually and prevent a disruption of essential services.
What we don't know
- The exact number of U.S. critical infrastructure facilities currently harboring dormant nation-state malware remains classified or undiscovered.
- It is unclear how effectively smaller, under-resourced municipal utilities can implement the complex behavioral detection required to catch 'Living off the Land' techniques.
- The threshold at which a cyber intrusion into critical infrastructure would trigger a kinetic military response from the United States remains ambiguously defined.
Key terms
- Operational Technology (OT)
- Hardware and software that detects or causes a change through the direct monitoring and control of physical devices, processes, and events in an enterprise.
- Programmable Logic Controller (PLC)
- An industrial computer control system that continuously monitors the state of input devices and makes decisions based upon a custom program to control the state of output devices.
- Human-Machine Interface (HMI)
- A user interface or dashboard that connects a person to a machine, system, or device, commonly used in industrial processes to monitor and control machinery.
- Air Gap
- A security measure that involves isolating a computer or network and preventing it from establishing an external connection, theoretically separating IT and OT networks.
Frequently asked
What is 'Living off the Land' (LOTL) in cybersecurity?
LOTL is a tactic where attackers use legitimate, built-in administrative tools (like PowerShell) to conduct malicious activity, making it harder for traditional antivirus software to detect them.
Why are water systems frequently targeted?
Water and wastewater systems are often targeted because they are highly distributed, frequently underfunded, and rely on legacy equipment that may be inadvertently exposed to the internet.
What does it mean to operate in a 'degraded state'?
It means a facility has isolated its compromised computer networks and is using manual overrides and physical controls to keep essential services running during a cyberattack.
How do attackers cross from IT to OT networks?
Attackers typically breach the enterprise IT network first, harvest administrative credentials, and then exploit misconfigured firewalls or shared directories to access the isolated Operational Technology (OT) network.
Sources
[1] CISA, "PRC State-Sponsored Cyber Actors Seek to Pre-Position for Disruptive Cyberattacks" (Federal Cyber Defenders)
[2] Mandiant, "APT44: Unearthing Sandworm" (Private Threat Intelligence)
[3] Nozomi Networks, "Sandworm's OT Targeting and Physical Disruption" (Private Threat Intelligence)
[4] DomainTools, "Threat Intelligence Report: Nation-State Targeting of Water Systems 2024–2026" (Federal Cyber Defenders)
[5] Center for Strategic and International Studies, "Energy Sector Cyber Threats and Pre-Positioning" (Infrastructure Operators)
[6] Cybersecurity Dive, "CISA wants critical infrastructure to practice operating in a degraded state" (Infrastructure Operators)
[7] Factlen Editorial Team, "Synthesis by Factlen editorial team" (Private Threat Intelligence)