Feb 22, 2026 · 6 min read
China's Hackers Are Still Inside America's Power Grid
Dragos researchers warn that Volt Typhoon remains embedded in U.S. utilities nearly three years after its discovery, and some compromised sites may never be cleaned.
The Intruders Who Will Not Leave
On February 19, 2026, operational technology security firm Dragos released its annual Year in Review report with a blunt warning: Volt Typhoon, the Chinese state-sponsored hacking group that has been systematically infiltrating America's critical infrastructure since at least 2021, is still active, still embedding, and still expanding its reach.
"They're still very active, and they're still absolutely mapping out and getting into embedding in U.S. infrastructure, as well as across our allies," Dragos CEO Rob Lee said. More troubling still, Lee acknowledged what many in the security community have quietly feared: "We're going to have to live with the reality that a portion of our infrastructure is currently compromised."
What Volt Typhoon Is After
Unlike ransomware groups that encrypt files and demand payment, Volt Typhoon does not steal money or hold data hostage. According to U.S. intelligence agencies, the group's objective is pre-positioning: embedding itself deep enough inside critical infrastructure networks that it could launch destructive cyberattacks during a future geopolitical crisis, particularly one involving Taiwan.
The targets are not random. Volt Typhoon has focused on electric utilities, water treatment facilities, oil and gas pipelines, telecommunications networks, and transportation hubs, the systems that keep civilian life functioning and military operations running. By compromising these systems in advance, China would theoretically have the ability to disrupt power, water, and communications during a conflict to slow U.S. military mobilization.
300 Days Inside a Massachusetts Utility
The most detailed public case study comes from Littleton Electric Light and Water Departments, a small municipal utility in Massachusetts. Dragos investigators found that Volt Typhoon had been inside the utility's systems for approximately 300 days, from February 2023 until just before Thanksgiving that year, when the breach was finally discovered.
The hackers gained initial access by exploiting a vulnerability in an internet-facing firewall, then moved laterally through the network. They exfiltrated operating procedures, spatial layout data, and geographic information system records related to grid operations. No customer data was compromised, but the stolen information (grid layouts, operational procedures, sensor data) is exactly what an attacker would need to plan a physical disruption.
What makes this case particularly alarming is the mismatch in scale between target and adversary. Littleton is a small utility. The FBI and CISA arrived the Monday after the breach was discovered. But most small utilities lack the monitoring tools and security staff to detect this kind of intrusion at all.
Living Off the Land
Volt Typhoon's primary technique is what security researchers call "living off the land." Instead of deploying custom malware that antivirus tools might detect, the group uses legitimate system administration tools already present on the victim's network: PowerShell, Windows Management Instrumentation, and standard network utilities. CISA's public advisory on the group documents, for example, netsh used to build port-proxy relays through compromised hosts and ntdsutil used to copy the Active Directory database for offline credential extraction. Because every one of these binaries is signed and routinely used by administrators, the activity is nearly indistinguishable from normal system administration work. What separates it from legitimate use is the command line and the context (who ran the tool, from which host, and whether that account had ever used it before), not the tool itself.
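As an added illustration (not code from the article, from Dragos, or from CISA), the following Python shows what detecting this tradecraft looks like in practice: a small set of command-line rules for the command shapes CISA's Volt Typhoon advisory describes, plus a first-seen baseline check that flags an administrator tool being run by a host and account pair that never used it during a baseline window. The event records, the baseline, the regexes and the watchlist are all constructed for this example and are assumptions, not published indicators.

```python
"""Detection logic for living-off-the-land activity over constructed
Windows process-creation records.

Added example, not code from the article or from Dragos. The events below
are CONSTRUCTED in a simplified JSON-lines shape modelled on Security
event 4688 fields (host, user, image path, command line). The rules
encode command shapes that CISA's public Volt Typhoon advisory
(AA24-038A) attributes to the group: netsh portproxy relays, ntdsutil
copies of the domain database, WMI remote process creation and encoded
PowerShell. The regexes, watchlist and first-seen heuristic are this
example's own assumptions.
"""
import json
import re

# Command shapes described in AA24-038A; the regexes are this example's own.
LOTL_RULES = {
    "netsh_portproxy": re.compile(
        r"netsh(\.exe)?\s+interface\s+portproxy\s+add\s+v4tov4", re.I),
    "ntdsutil_ifm_dump": re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I),
    "wmic_remote_process": re.compile(
        r"wmic(\.exe)?\s+(/node:\S+\s+)?process\s+call\s+create", re.I),
    "powershell_encoded": re.compile(
        r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}",
        re.I),
}

# Legitimate admin binaries: the same tools an administrator uses, so rule
# misses are expected. A first use by a (host, user) pair that never ran the
# tool during the baseline window is the second, behavioural signal.
WATCHLIST = {"netsh.exe", "ntdsutil.exe", "wmic.exe", "powershell.exe", "net.exe"}

# Constructed baseline: what "normal" looked like in an earlier window.
BASELINE_EVENTS = r"""
{"ts":"2023-05-02T09:15:00Z","host":"ot-eng01","user":"jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -File C:\\scripts\\export_tags.ps1"}
{"ts":"2023-05-03T11:02:00Z","host":"dc01","user":"admin.svc","image":"C:\\Windows\\System32\\netsh.exe","cmd":"netsh advfirewall show allprofiles"}
{"ts":"2023-05-10T08:30:00Z","host":"ot-eng01","user":"jdoe","image":"C:\\Windows\\System32\\ipconfig.exe","cmd":"ipconfig /all"}
"""

# Constructed analysis window: routine admin work interleaved with commands
# shaped like the advisory's examples.
NEW_EVENTS = r"""
{"ts":"2023-06-14T02:11:03Z","host":"dc01","user":"admin.svc","image":"C:\\Windows\\System32\\netsh.exe","cmd":"netsh advfirewall show allprofiles"}
{"ts":"2023-06-14T02:14:40Z","host":"dc01","user":"admin.svc","image":"C:\\Windows\\System32\\netsh.exe","cmd":"netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=8443 connectaddress=10.20.30.40"}
{"ts":"2023-06-14T02:20:11Z","host":"dc01","user":"admin.svc","image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd /c ntdsutil \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\pro\" q q"}
{"ts":"2023-06-14T02:25:00Z","host":"ot-eng01","user":"jdoe","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmd":"wmic /node:10.20.30.55 process call create \"cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt\""}
{"ts":"2023-06-14T02:31:00Z","host":"ot-eng01","user":"jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -File C:\\scripts\\export_tags.ps1"}
{"ts":"2023-06-14T02:33:00Z","host":"ot-hist01","user":"jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"ts":"2023-06-14T02:40:00Z","host":"ot-hist01","user":"svc_backup","image":"C:\\Windows\\System32\\Robocopy.exe","cmd":"robocopy D:\\hist E:\\bk /MIR"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_baseline(events):
    """Set of (host, user, image) triples observed in the baseline window."""
    return {(e["host"], e["user"], image_name(e["image"])) for e in events}


def scan(events, baseline):
    """Return one alert per event that trips a command-line rule or is a
    first-seen use of a watchlisted admin tool by that host/user pair."""
    alerts = []
    for e in events:
        reasons = [name for name, rx in LOTL_RULES.items() if rx.search(e["cmd"])]
        key = (e["host"], e["user"], image_name(e["image"]))
        if key[2] in WATCHLIST and key not in baseline:
            reasons.append("first_seen_admin_tool")
        if reasons:
            alerts.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                           "cmd": e["cmd"], "reasons": reasons})
    return alerts


def run_example():
    """Scan the constructed window against the constructed baseline."""
    return scan(parse_events(NEW_EVENTS),
                build_baseline(parse_events(BASELINE_EVENTS)))


if __name__ == "__main__":
    for a in run_example():
        print(a["ts"], a["host"], a["user"], ",".join(a["reasons"]))
        print("   ", a["cmd"])
```

Two things the run shows. The ntdsutil dump is launched through cmd.exe, so an image-name watchlist alone misses it and only command-line inspection catches it; and the wmic and encoded-PowerShell events trip both a rule and the first-seen check, which is the kind of corroboration an analyst needs when every binary involved is a legitimate Windows tool. Both checks assume process-creation auditing with command-line capture is enabled and centrally collected, which is precisely the monitoring the article says many small operators do not have.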
By 2025, Dragos observed a significant evolution in tactics. Volt Typhoon began moving beyond traditional IT network reconnaissance and started directly interacting with operational technology devices, the industrial control systems that physically manage power generation, water treatment, and pipeline operations. This shift from intelligence gathering to operational access represents a dangerous escalation.
Dragos also identified a related group it calls SYLVANITE that appears to handle initial access, exploiting vulnerabilities in products like Ivanti VPN appliances and Trimble Cityworks GIS software, before handing off compromised networks to Volt Typhoon for long term operations.
The Detection Gap
The hardest truth in the Dragos report is that many compromises will never be found. Large electricity companies have the resources and sophistication to detect and remove Volt Typhoon from their networks. But the U.S. has thousands of small municipal utilities, rural water systems, and local power cooperatives that lack dedicated cybersecurity staff, let alone the ability to detect a nation-state actor using legitimate system tools.
Rob Lee put it plainly: it is likely that critical public utilities, particularly those in the water sector, will never reach the level of sophistication needed to identify and remove these compromises. The actual number of victims is almost certainly larger than what has been publicly confirmed, and U.S. officials have acknowledged that current estimates are "likely an underestimate."
A Geopolitical Weapon in Peacetime
Volt Typhoon does not fit the typical cyberattack narrative. There is no ransom note, no data dump on the dark web, no public embarrassment. The group's value to China lies in remaining invisible, maintaining access year after year so that capability exists if it is ever needed.
This patient, strategic approach makes it fundamentally different from other Chinese hacking operations like Salt Typhoon (which targeted telecommunications providers), Flax Typhoon (which built a botnet of compromised IoT devices), or the BPFDoor campaign that planted sleeper backdoors in telecom networks. What Volt Typhoon collects (the grid layouts and operating procedures taken at Littleton, for example) is targeting data rather than espionage product. It is building the infrastructure for potential sabotage.
The implications extend beyond the United States. Dragos confirmed that Volt Typhoon has been found in infrastructure across NATO-allied countries as well, suggesting a coordinated effort to map and pre-position across the entire Western alliance's critical systems.
What Can Be Done
For individuals, Volt Typhoon does not go after personal accounts or data, although it has used compromised small-office and home routers as relays for its traffic, so end-of-life consumer network gear is not entirely outside its footprint. More to the point, the infrastructure it compromises affects everyone. A disrupted power grid means no electricity, no internet, no cell service, and no way to reach the digital systems modern life depends on.
The broader security community is pushing for increased federal funding for small utility cybersecurity programs, mandatory baseline security standards for critical infrastructure operators, and better information sharing between government agencies and private sector operators. CISA has published detailed advisories with indicators of compromise and detection guidance, but detecting living-off-the-land techniques requires a level of host and network monitoring that many small operators simply cannot afford.
For now, the uncomfortable reality is that Chinese hackers are embedded in systems that control American electricity, water, and energy infrastructure, and some of them will stay there.