Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Volt Typhoon and Salt Typhoon are confirmed, active, state-sponsored threat actors with demonstrated capability and sustained operational tempo targeting edge infrastructure; organizations in critical infrastructure, defense supply chains, or regulated industries face elevated targeting probability because these campaigns are selective and persistent, not opportunistic. Impact is high because adversary access is designed to be long-dwell and detection-evading, enabling exfiltration of intellectual property, strategic communications, and personnel records before discovery, with secondary regulatory and reputational consequence.
Treatment rationale: The threat is active, technically sophisticated, and targets infrastructure outside direct organizational control, which makes avoidance impractical and acceptance unjustifiable for any organization holding sensitive data or operating in a targeted sector. Mitigation, through enhanced edge visibility, network segmentation, and hunting for covert proxy indicators, is the only proportionate primary response.
Third-Party / Supply-Chain Risk
The covert proxy network is built on SOHO and IoT devices from multiple vendors (consumer-grade routers, cameras, NAS devices) operating in residential and small-business environments. Organizations relying on ISP-provided edge hardware, remote-worker home networks, or third-party managed network services therefore inherit risk from devices they do not own, cannot patch, and cannot monitor, consistent with NIST SP 800-161 Tier 3 supply-chain risk (supplier and external dependency exposure). Vendor firmware patching cadence and the prevalence of end-of-life (EOL) devices across the supplier ecosystem amplify this exposure.
Loss Exposure (illustrative)
Magnitude: high; illustrative $1M–$15M for a mid-size organization in a targeted sector, rising significantly for critical infrastructure or defense supply chain entities where IP or operational data is exfiltrated over a multi-month dwell period.
Frequency: For an organization in a priority sector (critical infrastructure, defense supply chain, advanced manufacturing, telecommunications) with unmonitored edge or remote-worker infrastructure, illustrative exposure frequency is 1 event per 3–7 years, given the selectivity and sustained operational tempo of these campaigns; lower for organizations outside priority sectors.
Annualized: illustrative ALE of $150K–$5M for a priority-sector organization, reflecting low-frequency but high-magnitude loss events in which extended detection lag amplifies exfiltration volume.
Basis: Loss magnitude is derived from the multi-month average dwell time for state-sponsored campaigns of this class, exfiltration of high-value IP or strategic communications as the stated objective, incident response and forensic costs for a long-dwell intrusion, potential regulatory notification costs, and reputational impact in sectors where supply chain trustworthiness is contractually evaluated. Frequency is derived from campaign selectivity: these actors target specific sectors and organizations rather than conducting broad opportunistic scanning. No third-party benchmark reports are cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Confirmed or suspected exfiltration of PII or regulated data may invoke state and federal breach-notification obligations — verify with counsel before making notification decisions.
• Long-dwell adversary access without timely detection may affect cyber-insurance claims under notification-window or reasonable-security clauses — verify with broker and review policy language.
• Organizations in the defense industrial base or critical infrastructure sectors may have reporting obligations to CISA, DIBNet, or sector-specific regulators if adversary access is confirmed — verify with counsel and applicable regulatory contacts.