CISA Concedes the Perimeter Is Already Breached
On May 5, CISA launched CI Fortify, a new initiative that focuses on isolation and recovery efforts to help critical infrastructure organizations operate during cyberattacks [1]. The program doesn't focus on keeping attackers out. It focuses on keeping critical services running while attackers are already inside [1].
That framing tells you everything about where the fight for critical infrastructure stands right now. The agency charged with defending American networks is publicly planning around the assumption that nation-state actors assessed to be linked to China maintain access to operational technology systems controlling energy, water, transportation, and telecommunications. CI Fortify prioritizes isolation capabilities and offline recovery, aiming to help infrastructure operators maintain a "baseline of continuity for critical services during a cyberattack" [1].
The Threat Picture: Doubled Nation-State Activity, AI-Assisted Attacks
The Waterfall Threat Report found that nation-state and hacktivist attacks doubled in 2025, with the majority targeting critical infrastructure systems [3]. The raw count of cyber breaches with physical consequences actually fell 25%, down to 57 incidents from 76 in 2024 [3]. That decline is misleading. It masks a compositional shift: fewer opportunistic ransomware hits, more deliberate nation-state pre-positioning campaigns that don't yet trigger physical consequences because they're designed to wait [3].
Energy, telecom, and industrial sectors remain the primary targets of both nation-state actors and cybercriminal groups. Threat actors are combining espionage, ransomware, credential theft, and disruption tactics into unified operations rather than running them as separate campaigns. The World Economic Forum reported that 64% of organizations now factor geopolitical tensions into their cybersecurity planning.
The speed of compromise is collapsing. Armis's 2026 Cyberwarfare Report found that Mean Time to Compromise has dropped from hours to seconds in cases involving autonomous AI agents. Fifteen percent of zero-day exploits discovered in 2026 were found and weaponized by autonomous agents before human researchers could identify them. And 89% of security leaders fear AI-charged nation-state attacks, up from 33% in 2023.
This isn't theoretical. Dragos reported in May 2026 that an AI-assisted attack attempted to breach a municipal water utility in Monterrey, Mexico between December 2025 and February 2026, though the OT breach was ultimately unsuccessful. That's the first publicly documented case of AI being used operationally during a live attempt to breach industrial control systems.
Volt Typhoon and Salt Typhoon: China's Persistent Infrastructure Campaign
Volt Typhoon, assessed by U.S. agencies to be linked to China, remains a significant pre-positioning threat to U.S. critical infrastructure. The group targeted communications, energy, transportation, and water systems using living-off-the-land (LOTL) techniques, relying on legitimate administrative tools and stolen credentials to blend into normal network traffic [7]. FBI Director Christopher Wray stated that China's hackers "were pre-positioning to cause real-world harm" in the event of a conflict with the United States [7].
Salt Typhoon, also assessed to be China-linked, represents a parallel campaign targeting telecommunications backbone infrastructure. The group exploited vulnerabilities in telecom systems to establish long-term covert access.
CISA's CI Fortify initiative references persistent nation-state threats as a primary driver of the program's creation [2]. The agency acknowledges that advanced threat actors remain embedded in critical infrastructure systems after years of eradication efforts [2].
The IT-to-OT Kill Chain
The path from initial compromise to operational technology control follows a consistent pattern across threat groups. TXOne Networks reported that 96% of OT incidents in 2025 could be traced back to IT system compromises [5]. Attackers aren't breaking directly into control systems. They're moving laterally from corporate networks.
Phishing remains one of the most successful initial access techniques despite years of improved defenses. Hackers exploit internet-exposed OT devices connected for remote monitoring, turning convenience features into attack surfaces. Once inside, the progression follows predictable stages:
Stage 1: IT Network Access. Phishing, supply chain compromise, or exploitation of internet-facing services gets attackers into corporate environments.
Stage 2: Lateral Movement. Poorly segmented network architectures provide pathways from IT to OT. Volt Typhoon specifically uses legitimate administrative tools for this phase, making detection extremely difficult [7].
Stage 3: Protocol Exploitation. Forescout found that attacks on OT protocols increased 84% in 2025. Modbus accounted for 57% of protocol-level attacks, followed by Ethernet/IP at 22% [5]. These protocols were designed decades ago without authentication or encryption.
Stage 4: Persistence and Pre-Positioning. Rather than immediately causing disruption, sophisticated actors establish persistent access and map control system topology for future operations.
Ransomware Consolidation Compounds the Risk
The ransomware ecosystem is consolidating around fewer, more capable operators. Q1 2026 saw 2,122 reported victims, the second-highest first quarter on record despite a 12.2% decline from Q4 2025. The top ransomware groups account for a significant portion of all victims.
Ransomware attacks on manufacturers surged 61% compared to 46% growth across all sectors [5]. Manufacturing sits at the intersection of IT and OT, making it a natural target for groups that want maximum operational disruption to drive ransom payments.
This consolidation matters for critical infrastructure defenders because fewer, larger groups mean more sophisticated tooling, better operational security, and greater willingness to hit high-profile targets. The line between financially motivated ransomware and state-sponsored disruption continues to blur.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Malware/APT | Volt Typhoon | APT assessed to be China-linked, pre-positioning in critical infrastructure | [7] |
| Malware/APT | Salt Typhoon | APT assessed to be China-linked, targeting telecommunications infrastructure | Various |
| Malware/APT | Qilin | Leading ransomware group Q1 2026 | Industry reports |
| Malware/APT | The Gentlemen | Rapidly growing ransomware group | Industry reports |
| Malware/APT | LockBit | Ransomware group with continued operations in 2026 | Industry reports |
MITRE ATT&CK Techniques
Based on documented Volt Typhoon and related campaign behaviors:
| ID | Name | Context |
|---|---|---|
| T1078 | Valid Accounts | Volt Typhoon uses stolen credentials to blend into normal traffic [7] |
| T1218 | System Binary Proxy Execution | Living-off-the-land techniques using legitimate admin tools [7] |
| T1566 | Phishing | Primary initial access vector across multiple campaigns |
| T1021 | Remote Services | Exploitation of internet-exposed OT devices for remote access |
| T1071 | Application Layer Protocol | Attacks targeting Modbus (57%) and Ethernet/IP (22%) OT protocols [5] |
| T1570 | Lateral Tool Transfer | IT-to-OT lateral movement documented in 96% of OT incidents [5] |
Detection and Hunting
LOTL Detection. Volt Typhoon's use of legitimate tools makes signature-based detection ineffective. Focus on behavioral analytics: unusual use of wmic, ntdsutil, netsh, and PowerShell on systems that don't normally run administrative commands. Baseline normal admin activity on OT-adjacent jump hosts and alert on deviations.
IT-OT Boundary Monitoring. With 96% of OT incidents originating from IT compromises [5], the IT-OT boundary is the critical detection point. Monitor all traffic crossing network segments between corporate IT and operational technology environments. Any new connection patterns, unusual protocols, or previously unseen source IPs crossing that boundary warrant immediate investigation.
Protocol-Level Alerting. The 84% increase in OT protocol attacks [5] requires defenders to implement deep packet inspection on Modbus and Ethernet/IP traffic. Look for:
- Modbus function codes that write to registers or coils from non-standard source addresses
- Unusual polling frequencies or timing patterns
- Any Modbus traffic from IP ranges outside the expected OT subnet
Credential Monitoring. Volt Typhoon relies on stolen credentials [7]. Monitor for authentication anomalies: logins from unusual source systems, credential use outside normal working hours on OT management interfaces, and any use of service accounts interactively.
Analysis
CISA's CI Fortify initiative represents a doctrinal shift in how the U.S. government approaches critical infrastructure defense. The old model assumed defenders could keep adversaries out. The new model assumes they can't. Planning around continued adversary presence in OT networks is an honest assessment, not an admission of defeat. It reflects the reality that advanced persistent threat groups have been embedded in these systems for years and that eradication campaigns have not fully succeeded [2].
The convergence of three trends makes the current threat environment particularly dangerous. First, nation-state actors have moved from reconnaissance to persistent pre-positioning in OT environments. Second, AI is compressing attack timelines from hours to seconds. Third, ransomware groups are consolidating into more capable operations that disproportionately target manufacturing and industrial sectors [5].
The Monterrey water utility incident matters beyond its immediate impact. An AI-assisted attack attempting to breach a municipal water system demonstrates that these techniques work against real-world OT targets, not just in simulated environments.
Red Sheep Assessment
Confidence: Moderate-High
The sources collectively paint a picture that goes beyond their individual conclusions. CISA's decision to build an entire program around the assumption that adversaries maintain persistent OT access, combined with the documented challenges of eradication campaigns against groups like Volt Typhoon [2], suggests the scope of nation-state pre-positioning is substantially larger than publicly disclosed. Government agencies don't create new operational frameworks for theoretical problems.
The 96% IT-to-OT crossover statistic [5] combined with doubled nation-state attack volume [3] points to a structural vulnerability that won't be fixed quickly. Most organizations can't re-architect IT/OT boundaries without operational shutdowns. Adversaries know this. The pre-positioning strategy is specifically designed to exploit the gap between knowing a vulnerability exists and being able to fix it.
One alternative reading: the decline in breaches with physical consequences (down 25% to 57 incidents [3]) could indicate that defensive improvements are working at the OT layer, even as IT-side compromises increase. The optimistic interpretation is that even when attackers reach OT environments, safety systems and engineering controls prevent physical harm. The pessimistic (and more likely) interpretation is that the most capable actors aren't triggering physical consequences yet because their mission is access, not destruction.
The AI-assisted Monterrey attack is a leading indicator. Expect autonomous agent-assisted OT compromises to accelerate through 2026, particularly against smaller utilities and municipalities that lack dedicated OT security teams.
Defender's Checklist
- [ ] Audit IT-OT boundaries immediately. Map every connection between corporate IT networks and OT environments. TXOne's finding that 96% of OT incidents originate in IT [5] means this boundary is your primary control point. Use tools like Claroty, Dragos Platform, or Forescout to enumerate cross-segment connections.
- [ ] Hunt for Volt Typhoon LOTL indicators. Query endpoint telemetry for anomalous use of wmic, ntdsutil, netsh, and cmdkey on systems near OT segments. Focus on administrative tools executing from unexpected user contexts.
- [ ] Implement Modbus/Ethernet/IP protocol monitoring. Deploy OT-aware network monitoring (Zeek with OT parsers, Claroty, or Nozomi Networks) to inspect Modbus and Ethernet/IP traffic for unauthorized write commands or anomalous polling patterns [5].
- [ ] Develop offline operations procedures aligned with CI Fortify. CISA's initiative focuses on maintaining services during active compromise [1]. Identify which critical processes can revert to manual or isolated control. Test these procedures with tabletop exercises before you need them.
- [ ] Restrict and monitor remote OT access. Internet-exposed OT devices are being actively exploited. Eliminate direct internet connectivity to any OT management interface. Route all remote access through hardened jump hosts with MFA and full session logging.
References
[1] https://www.cisa.gov/news-events/news/cisa-unveils-new-initiative-fortify-americas-critical-infrastructure
[2] https://therecord.media/cisa-initiative-aims-for-critical-infrastructure-to-operate-during-cyberattacks
[3] https://industrialcyber.co/reports/waterfall-threat-report-2026-finds-ransomware-slowdown-masks-deeper-shift-toward-nation-state-attacks-on-critical-infrastructure/
[4] https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors/china
[5] https://www.techtarget.com/searchsecurity/news/366642732/News-brief-Critical-infrastructure-OT-cybersecurity-attacks
[6] https://research.checkpoint.com/2026/the-state-of-ransomware-q1-2026/
[7] https://cyberwarzone.com/2026/03/09/volt-typhoon-chinas-critical-infrastructure-pre-positioning-campaign/
Hunt Guide: Hunt Report: Volt Typhoon and Nation-State Pre-Positioning in Critical Infrastructure
Hypothesis: If Volt Typhoon or similar nation-state actors are active in our environment, we expect to observe living-off-the-land techniques using legitimate administrative tools, lateral movement from IT to OT networks, and persistent access mechanisms in Windows Security/Sysmon logs, network traffic, and authentication events.
Intelligence Summary: CISA's CI Fortify initiative acknowledges nation-state actors, particularly Volt Typhoon (assessed China-linked), maintain persistent access to U.S. critical infrastructure using LOTL techniques and stolen credentials. The threat landscape shows doubled nation-state activity in 2025, with 96% of OT incidents originating from IT compromises and AI-assisted attacks now targeting municipal utilities.
Confidence: High | Priority: Critical
Scope
- Networks: All critical infrastructure networks with focus on IT-OT boundaries, SCADA networks, and systems with access to operational technology
- Timeframe: Initial: Last 30 days for IOC sweeps; Ongoing: Real-time monitoring for behavioral detections
- Priority Systems: OT jump hosts, SCADA workstations, HMIs, engineering workstations, domain controllers with OT trust relationships
MITRE ATT&CK Techniques
T1078 — Valid Accounts (Defense Evasion, Persistence, Privilege Escalation, Initial Access) [P1]
Volt Typhoon uses stolen credentials to blend into normal network traffic and maintain persistent access to critical infrastructure systems
Splunk SPL:
index=wineventlog (EventCode=4624 OR EventCode=4625 OR EventCode=4672) | eval hour=tonumber(strftime(_time,"%H")) | where (hour<6 OR hour>20) OR (EventCode=4625 AND Failure_Reason="Unknown user name or bad password") | stats count by ComputerName, EventCode, Account_Name, Source_Network_Address | where count>5
Elastic KQL:
event.code:(4624 OR 4672) OR (event.code:4625 AND winlog.event_data.FailureReason:"Unknown user name or bad password")
KQL has no hour-of-day function and no aggregation pipeline: restrict the search to off-hours with the time picker, and apply the count > 5 threshold in a Lens or Discover aggregation over host.name, event.code, winlog.event_data.TargetUserName, and source.ip.
Sigma Rule:
```yaml
title: Suspicious Off-Hours Authentication to OT Systems
id: 8b4c7e3a-9f2d-4a1e-b5c8-3d2f1a4e5c7b
status: experimental
date: 2026/04/07
author: RedSheep Security/Stone
description: Detects authentication attempts to OT-adjacent systems outside normal operational hours
references:
  - Internal research
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4624
      - 4625
      - 4672
  timeframe:
    EventTime|re: '^.*T(0[0-5]|2[1-3]):.*$'
  failed_bad_password:
    EventID: 4625
    FailureReason: 'Unknown user name or bad password'
  ot_systems:
    ComputerName|contains:
      - 'SCADA'
      - 'HMI'
      - 'PLC'
      - 'OT-'
      - 'ICS-'
  condition: selection and ot_systems and (timeframe or failed_bad_password)
fields:
  - ComputerName
  - IpAddress
  - TargetUserName
falsepositives:
  - Legitimate maintenance windows
  - On-call engineers
level: high
```
Focus on service accounts used interactively, accounts accessing OT jump hosts for the first time, and authentication from unusual source IPs. Baseline normal admin activity patterns first.
T1218 — System Binary Proxy Execution (Defense Evasion) [P1]
Volt Typhoon uses legitimate Windows administrative tools to evade detection while conducting reconnaissance and lateral movement
Splunk SPL:
index=sysmon EventCode=1 (Image="*\\wmic.exe" OR Image="*\\ntdsutil.exe" OR Image="*\\netsh.exe" OR Image="*\\cmdkey.exe") | eval parent_process=lower(ParentImage) | where NOT ((like(parent_process, "%\\services.exe") OR like(parent_process, "%\\svchost.exe") OR like(parent_process, "%\\wmiprvse.exe")) AND User="NT AUTHORITY\\SYSTEM") | stats count by ComputerName, Image, CommandLine, User, ParentImage | where count>3
Elastic KQL:
event.code:1 AND process.executable:(*\\wmic.exe OR *\\ntdsutil.exe OR *\\netsh.exe OR *\\cmdkey.exe) AND NOT (process.parent.executable:(*\\services.exe OR *\\svchost.exe OR *\\wmiprvse.exe) AND user.domain:"NT AUTHORITY" AND user.name:"SYSTEM")
Sigma Rule:
```yaml
title: Volt Typhoon LOTL Tool Execution Pattern
id: 3f5e2b8c-1a9d-4e7f-9b3c-5d8f2a1e4c6a
status: stable
date: 2024/01/15
author: Florian Roth
modified: 2026/04/07
description: Detects suspicious use of legitimate Windows tools associated with Volt Typhoon campaigns
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
logsource:
  category: process_creation
  product: windows
detection:
  selection_tools:
    - Image|endswith:
        - '\wmic.exe'
        - '\ntdsutil.exe'
        - '\netsh.exe'
        - '\cmdkey.exe'
    - OriginalFileName:
        - 'wmic.exe'
        - 'ntdsutil.exe'
        - 'netsh.exe'
        - 'cmdkey.exe'
  selection_suspicious_parents:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  filter_legitimate:
    User|contains: 'svc_'
    ParentImage|endswith: '\services.exe'
  condition: selection_tools and selection_suspicious_parents and not filter_legitimate
fields:
  - ComputerName
  - User
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Administrative scripts
  - System management tools
level: high
```
Monitor for chained execution of multiple LOTL tools within short timeframes. Volt Typhoon often uses wmic for discovery followed by netsh for persistence.
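As an added example (not the page's or RedSheep's code), the rule's selection and filter logic together with the chained-execution heuristic above, run over constructed Sysmon Event ID 1 records. Hostnames, users, and the 10-minute chaining window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tool and parent lists mirror the Sigma rule above; the chaining window is an assumption.
LOTL_TOOLS = ("\\wmic.exe", "\\ntdsutil.exe", "\\netsh.exe", "\\cmdkey.exe")
SHELL_PARENTS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
CHAIN_WINDOW = timedelta(minutes=10)


def tool_name(image):
    """'C:\\Windows\\System32\\wbem\\WMIC.exe' -> 'wmic.exe'."""
    return image.rsplit("\\", 1)[-1].lower()


def matches_lotl_rule(ev):
    """selection_tools and selection_suspicious_parents and not filter_legitimate."""
    image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    if not image.endswith(LOTL_TOOLS) or not parent.endswith(SHELL_PARENTS):
        return False
    # filter_legitimate: service accounts whose tool was spawned by services.exe
    if "svc_" in ev["User"].lower() and parent.endswith("\\services.exe"):
        return False
    return True


def lotl_hits(events):
    return [ev for ev in events if matches_lotl_rule(ev)]


def detect_chains(events, window=CHAIN_WINDOW):
    """Cluster rule hits per host; alert when two or more distinct LOTL tools run within `window`."""
    by_host = defaultdict(list)
    for ev in sorted(lotl_hits(events), key=lambda e: e["UtcTime"]):
        by_host[ev["Computer"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        cluster = []
        for ev in evs + [None]:  # None is a sentinel that flushes the last cluster
            if cluster and (ev is None or ev["UtcTime"] - cluster[0]["UtcTime"] > window):
                tools = sorted({tool_name(e["Image"]) for e in cluster})
                if len(tools) >= 2:
                    alerts.append({"host": host, "user": cluster[0]["User"], "tools": tools,
                                   "first": cluster[0]["UtcTime"], "last": cluster[-1]["UtcTime"]})
                cluster = []
            if ev is not None:
                cluster.append(ev)
    return alerts


def _ev(ts, host, user, parent, image, cmd):
    return {"UtcTime": datetime.fromisoformat(ts), "Computer": host, "User": user,
            "ParentImage": parent, "Image": image, "CommandLine": cmd}


# Constructed Sysmon Event ID 1 records (not real telemetry).
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    _ev("2026-04-07T02:14:05", "OT-JUMP01", "CORP\\jdoe", SYS32 + "cmd.exe",
        SYS32 + "wbem\\wmic.exe", "wmic computersystem get domain"),
    _ev("2026-04-07T02:15:30", "OT-JUMP01", "CORP\\jdoe", SYS32 + "cmd.exe",
        SYS32 + "netsh.exe", "netsh interface show interface"),
    _ev("2026-04-07T02:16:02", "OT-JUMP01", "CORP\\jdoe", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
        SYS32 + "cmdkey.exe", "cmdkey /list"),
    # spawned by services.exe, not a shell: excluded by selection_suspicious_parents
    _ev("2026-04-07T03:00:00", "SCADA-WS02", "NT AUTHORITY\\SYSTEM", SYS32 + "services.exe",
        SYS32 + "wbem\\wmic.exe", "wmic os get caption"),
    # a single tool run by an admin: a rule hit, but no chain
    _ev("2026-04-07T09:00:00", "SCADA-WS02", "CORP\\admin", SYS32 + "cmd.exe",
        SYS32 + "netsh.exe", "netsh interface show interface"),
]

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```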
T1570 — Lateral Tool Transfer (Lateral Movement) [P1]
Movement from IT networks to OT environments, documented in 96% of OT incidents as attackers pivot from corporate compromise to operational technology
Splunk SPL:
index=network ((src_zone="IT" AND dest_zone="OT") OR (src_subnet="10.1.*" AND dest_subnet="192.168.100.*")) | where (dest_port=445 OR dest_port=135 OR dest_port=3389 OR dest_port=22) | stats count by src_ip, dest_ip, dest_port, protocol | where count>10
Elastic KQL:
network.direction:"ingress" AND source.ip:10.1.0.0/16 AND destination.ip:192.168.100.0/24 AND (destination.port:445 OR destination.port:135 OR destination.port:3389 OR destination.port:22)
Sigma Rule:
```yaml
title: IT to OT Lateral Movement Detection
id: 7c9e4b5a-2d1f-4e8c-9a3b-6e5d8f1a2c4b
status: experimental
date: 2026/04/07
author: RedSheep Security/Stone
description: Detects network connections crossing IT-OT boundary using common lateral movement protocols
references:
  - TXOne Networks 2025 OT Security Report
logsource:
  product: zeek
  service: conn
detection:
  selection:
    id.orig_h|startswith: '10.1.'
    id.resp_h|startswith: '192.168.100.'
    id.resp_p:
      - 445
      - 135
      - 3389
      - 22
      - 5985
      - 5986
  condition: selection
fields:
  - id.orig_h
  - id.resp_h
  - id.resp_p
  - proto
  - conn_state
falsepositives:
  - Legitimate IT administration of OT systems
  - Approved remote access sessions
level: high
```
Critical detection point - 96% of OT incidents start with IT compromise. Alert on ANY new source IP crossing IT-OT boundary.
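The baseline-then-alert approach above, as an added example that is not part of the original report: it parses a reduced Zeek conn.log, learns which IT sources already talk into the OT zone, and alerts on any new source crossing the boundary, rating lateral-movement ports higher. The subnets come from the queries above; the log excerpts and severity labels are constructed assumptions.

```python
import ipaddress

# Zone definitions follow the example subnets used in the queries above (assumptions).
IT_ZONE = ipaddress.ip_network("10.1.0.0/16")
OT_ZONE = ipaddress.ip_network("192.168.100.0/24")
LATERAL_PORTS = {22, 135, 445, 3389, 5985, 5986}
FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "conn_state")


def parse_conn_log(text):
    """Parse a reduced, tab-separated Zeek conn.log; '#'-prefixed metadata lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed line; a production pipeline would count and surface these
        row = dict(zip(FIELDS, parts))
        row["id.resp_p"] = int(row["id.resp_p"])
        rows.append(row)
    return rows


def crosses_it_to_ot(row):
    try:
        src = ipaddress.ip_address(row["id.orig_h"])
        dst = ipaddress.ip_address(row["id.resp_h"])
    except ValueError:
        return False
    return src in IT_ZONE and dst in OT_ZONE


def build_baseline(rows):
    """IT sources already known (from an approved period) to initiate flows into the OT zone."""
    return {r["id.orig_h"] for r in rows if crosses_it_to_ot(r)}


def detect_new_boundary_sources(rows, baseline):
    """One alert per new (source, destination, port) crossing; lateral-movement ports are 'high'."""
    seen, alerts = set(), []
    for r in rows:
        if not crosses_it_to_ot(r) or r["id.orig_h"] in baseline:
            continue
        key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
        if key in seen:
            continue
        seen.add(key)
        alerts.append({"src": key[0], "dst": key[1], "port": key[2], "proto": r["proto"],
                       "severity": "high" if key[2] in LATERAL_PORTS else "medium"})
    return alerts


# Constructed conn.log excerpts (not real captures). Baseline period: approved jump host 10.1.20.5.
BASELINE_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1775520000.1\tCabc1\t10.1.20.5\t51000\t192.168.100.10\t3389\ttcp\tSF
1775520060.2\tCabc2\t10.1.20.5\t51001\t192.168.100.11\t445\ttcp\tSF
"""
LIVE_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1775606400.0\tCdef1\t10.1.20.5\t52000\t192.168.100.10\t3389\ttcp\tSF
1775606405.0\tCdef2\t10.1.77.31\t52001\t192.168.100.12\t445\ttcp\tS0
1775606406.0\tCdef3\t10.1.77.31\t52002\t192.168.100.12\t502\ttcp\tSF
1775606407.0\tCdef4\t10.1.77.31\t52003\t192.168.100.12\t445\ttcp\tREJ
1775606410.0\tCdef5\t192.168.100.10\t40000\t10.1.20.5\t53\tudp\tSF
1775606411.0\tCdef6\t10.1.20.5\t52004\t10.1.30.2\t445\ttcp\tSF
"""

if __name__ == "__main__":
    known = build_baseline(parse_conn_log(BASELINE_LOG))
    for alert in detect_new_boundary_sources(parse_conn_log(LIVE_LOG), known):
        print(alert)
```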
T1071 — Application Layer Protocol (Command and Control) [P1]
Attacks targeting OT protocols increased 84% in 2025, with Modbus (57%) and Ethernet/IP (22%) being primary targets
Splunk SPL:
index=ot_protocols (protocol="modbus" OR protocol="enip") function_code IN (5,6,15,16,22,23) | stats count by src_ip, dst_ip, function_code, protocol | where count>5
Elastic KQL:
network.protocol:("modbus" OR "enip") AND modbus.function_code:(5 OR 6 OR 15 OR 16 OR 22 OR 23) AND event.dataset:"zeek.modbus"
Sigma Rule:
```yaml
title: Suspicious Modbus Write Commands
id: 9a7c3d4e-5b2f-4a1c-8e6d-2f3a5b7c9d1e
status: stable
date: 2025/11/20
author: CISA ICS-CERT
modified: 2026/04/07
description: Detects Modbus write commands from unauthorized sources
references:
  - https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-25-297-01
logsource:
  product: zeek
  service: modbus
detection:
  selection:
    func:
      - 'write_single_coil'
      - 'write_multiple_coils'
      - 'write_single_register'
      - 'write_multiple_registers'
  filter_authorized_source:
    id.orig_h:
      - '192.168.100.10'
      - '192.168.100.11'
      - '192.168.100.12'
  condition: selection and not filter_authorized_source
fields:
  - ts
  - id.orig_h
  - id.resp_h
  - func
  - tid
falsepositives:
  - New HMI installations
  - Maintenance activities
level: critical
```
Modbus has no authentication - any write command from non-standard source is suspicious. Baseline normal HMI/SCADA IPs first.
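An added example (not the report's or CISA's code) of the protocol-level check described in the Detection and Hunting section and in this T1071 entry: a Modbus/TCP MBAP parser that validates the header, then flags write function codes from any source outside the authorized HMI baseline. The frames, the target PLC address and the IT-side source are constructed; the authorized IPs match the rule above.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (the rule's four, plus mask write and read/write).
WRITE_FUNCTION_CODES = {
    5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
    22: "mask_write_register", 23: "read_write_multiple_registers",
}
# Baseline of HMI/SCADA hosts allowed to write (constructed; same IPs as the Sigma rule).
AUTHORIZED_WRITERS = {"192.168.100.10", "192.168.100.11", "192.168.100.12"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int


def parse_mbap(payload):
    """Parse the 7-byte MBAP header plus the PDU function code.

    Returns None for anything that is not a well-formed Modbus/TCP frame, so junk on port 502
    (HTTP probes, truncated segments) never reaches the write check.
    """
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:                # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:   # length field covers unit id + PDU
        return None
    return ModbusRequest(tid, unit_id, payload[7])


def detect_unauthorized_writes(flows):
    """flows: iterable of (src_ip, dst_ip, client_to_server_payload). One alert per write."""
    alerts = []
    for src, dst, payload in flows:
        req = parse_mbap(payload)
        if req is None or req.function_code & 0x80:   # not Modbus, or an exception response
            continue
        name = WRITE_FUNCTION_CODES.get(req.function_code)
        if name and src not in AUTHORIZED_WRITERS:
            alerts.append({"src": src, "dst": dst, "func": name,
                           "tid": req.transaction_id, "unit": req.unit_id})
    return alerts


# Constructed frames (not captures). Layout: tid(2) proto(2) length(2) unit(1) fc(1) data...
SAMPLE_FLOWS = [
    # authorized HMI: read holding registers (fc 3), then write single coil (fc 5)
    ("192.168.100.10", "192.168.100.50", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    ("192.168.100.10", "192.168.100.50", b"\x00\x02\x00\x00\x00\x06\x01\x05\x00\x01\xff\x00"),
    # unknown IT-side host: write multiple registers (fc 16), one register, value 100
    ("10.1.5.23", "192.168.100.50",
     b"\x00\x03\x00\x00\x00\x09\x01\x10\x00\x00\x00\x01\x02\x00\x64"),
    # same host: read coils (fc 1) is reconnaissance, not a write
    ("10.1.5.23", "192.168.100.50", b"\x00\x04\x00\x00\x00\x06\x01\x01\x00\x00\x00\x08"),
    # non-Modbus traffic on port 502 must not be misparsed
    ("10.1.5.23", "192.168.100.50", b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_FLOWS):
        print(alert)
```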
T1059.001 — PowerShell (Execution) [P2]
PowerShell used for discovery and lateral movement in conjunction with other LOTL tools
Splunk SPL:
index=wineventlog EventCode=4104 (ScriptBlockText="*Get-WmiObject*" OR ScriptBlockText="*Get-NetComputer*" OR ScriptBlockText="*Get-ADComputer*" OR ScriptBlockText="*Test-Connection*") | rex field=ScriptBlockText "(?<suspicious_pattern>Get-WmiObject.*Win32_.*|Get-NetComputer.*-Domain|Get-ADComputer.*-Filter)" | where isnotnull(suspicious_pattern) | stats count by ComputerName, UserData, suspicious_pattern
Elastic KQL:
event.code:4104 AND powershell.script.text:(*Get-WmiObject* OR *Get-NetComputer* OR *Get-ADComputer* OR *Test-Connection*)
Sigma Rule:
```yaml
title: PowerShell Discovery Commands
id: 4d8f1e7c-2b3a-4c5d-9e1f-3a2b4c5d6e7f
status: experimental
date: 2026/04/07
author: RedSheep Security/Stone
description: Detects PowerShell commands commonly used for network discovery
references:
  - Internal threat research
logsource:
  product: windows
  service: powershell
  definition: 'Requirements: Script Block Logging must be enabled'
detection:
  selection:
    EventID: 4104
  discovery_commands:
    ScriptBlockText|contains:
      - 'Get-WmiObject Win32_'
      - 'Get-NetComputer'
      - 'Get-ADComputer'
      - 'Get-NetDomain'
      - 'Get-NetForest'
  condition: selection and discovery_commands
fields:
  - ComputerName
  - ScriptBlockText
  - UserData
falsepositives:
  - System administration scripts
  - Asset management tools
level: medium
```
Correlate with parent process - PowerShell spawned by unusual processes or from temp directories is highly suspicious.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | volt-typhoon.com | Example domain - actual Volt Typhoon infrastructure uses compromised SOHO routers and legitimate services |
IOC Sweep Queries (Splunk):
index=dns query="volt-typhoon.com" | stats count by src_ip, query
YARA Rules
LOTL_Suspicious_CommandLine_Patterns — Detects command line patterns associated with Volt Typhoon LOTL techniques
```yara
rule LOTL_Suspicious_CommandLine_Patterns {
    meta:
        author = "RedSheep Security/Stone"
        date = "2026-04-07"
        description = "Detects suspicious LOTL command patterns used by Volt Typhoon"
        reference = "CISA AA24-038A"
    strings:
        $s1 = "wmic /node:" nocase
        $s2 = "ntdsutil \"ac i ntds\"" nocase
        $s3 = "netsh advfirewall" nocase
        $s4 = "cmdkey /list" nocase
        $s5 = "net use \\\\" nocase
        $s6 = "vssadmin delete shadows" nocase
        $combo1 = /wmic.{0,50}process.{0,50}call.{0,50}create/
        $combo2 = /netsh.{0,30}interface.{0,30}portproxy/
    condition:
        2 of ($s*) or any of ($combo*)
}
```
Suricata Rules
SID 3000001 — Detect Modbus Write Function Codes from External Networks
alert tcp !$HOME_NET any -> $HOME_NET 502 (msg:"SCADA Modbus Write Command from External"; flow:to_server,established; content:"|00 00|"; offset:2; depth:2; pcre:"/^.{7}[\x05\x06\x0F\x10\x16\x17]/s"; reference:url,forescout.com/research; classtype:attempted-admin; sid:3000001; rev:2;)
The content match checks the MBAP protocol identifier (bytes 2-3 are always 0x0000); the function code is the byte at offset 7, and the pcre restricts the match to the write codes 5, 6, 15, 16, 22, and 23 rather than every code above 4.
SID 3000002 — Detect Ethernet/IP Write Commands to OT Network
alert enip !$HOME_NET any -> $OT_NET 44818 (msg:"Ethernet/IP Write Command to OT Network"; flow:to_server,established; enip_command:111; cip_service:77; reference:cve,2025-0001; classtype:attempted-admin; sid:3000002; rev:2;)
This uses Suricata's ENIP/CIP app-layer keywords: enip_command 111 (0x6F) is SendRRData and cip_service 77 (0x4D) is the Logix Write Tag service; the two raw bytes following the encapsulation command are its length field, so matching them against a fixed value does not identify a write. Clone the rule with cip_service:16 (Set_Attribute_Single) to cover attribute writes.
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1218, T1059.001 | EventID 1 (Process Creation) with command line logging required |
| Windows Security | T1078, T1218 | EventIDs 4624/4625 (Logon), 4672 (Special Privileges), 4688 (Process Creation with command line auditing) |
| PowerShell ScriptBlock Logging | T1059.001 | Event ID 4104 - must be enabled via Group Policy |
| Network Flow Data | T1570, T1071 | East-West traffic visibility required, especially at IT-OT boundaries |
| OT Protocol Monitoring | T1071 | Zeek with OT parsers, Claroty, or Nozomi Networks for Modbus/EtherNet/IP visibility |
Sources
- CISA unveils new initiative to fortify America's critical infrastructure
- CISA initiative aims for critical infrastructure to operate during cyberattacks
- Waterfall Threat Report 2026 finds ransomware slowdown masks deeper shift toward nation-state attacks on critical infrastructure
- CISA - China Cyber Threat Overview
- Critical infrastructure OT cybersecurity attacks
- The State of Ransomware Q1 2026
- Volt Typhoon: China's Critical Infrastructure Pre-Positioning Campaign