DMZ//THREAT INTEL
TLP:WHITE
THREAT ACTOR DOSSIER // SYLVANITE-VOLT-TYPHOON-FEEDER
FIRST SEEN: 2024

SYLVANITE

ALSO KNOWN AS: Volt Typhoon initial access cluster (Dragos tracking designation)
FROM: DMZ INTELLIGENCE DESK
ORIGIN: China (assessed PRC-aligned; operates in support of Volt Typhoon / PLA)
ATTRIBUTION: STATE-SPONSORED
STATUS: ACTIVE
FIRST OBSERVED: 2024
TECHNICAL: 72/100
RESOURCES: 80/100
PERSISTENCE: 80/100
STEALTH: 80/100
IMPACT: 72/100

SYLVANITE is a newly named Dragos-tracked threat group identified as a dedicated initial-access broker operating in direct support of Volt Typhoon. The group gains footholds across OT-adjacent organizations in North America, Europe, South Korea, Guam, the Philippines, and Saudi Arabia, then hands off access to Volt Typhoon for deeper persistence and OT reconnaissance. Dragos has attributed several recent high-profile vulnerability exploitation campaigns — including Ivanti and Trimble Cityworks GIS — to SYLVANITE, making it a critical link in China's critical infrastructure pre-positioning strategy.

Pre-conflict critical infrastructure access development and handoff to Volt Typhoon for long-term persistence

T1190 (Exploit Public-Facing Application - Ivanti Connect Secure, Trimble Cityworks CVEs), T1078 (Valid Accounts), T1199 (Trusted Relationship - access broker handoff model), T1133 (External Remote Services), LOTL techniques consistent with Volt Typhoon cluster

OIL AND GAS
WATER UTILITIES
POWER GENERATION
TRANSMISSION
MANUFACTURING
TELECOMMUNICATIONS

Exploited Ivanti and Trimble Cityworks GIS systems for initial access; SOHO router compromise consistent with Volt Typhoon cluster infrastructure; no dedicated public tooling yet attributed; operates as feeder node for Volt Typhoon KV-Botnet successor infrastructure

FILE DATE: 2024
OT Initial Access Campaign - Multi-Region
SYLVANITE identified by Dragos targeting oil and gas, water, power generation and manufacturing organizations across North America, Europe, South Korea, Guam, the Philippines, and Saudi Arabia; gains initial access via Ivanti and Cityworks CVEs, then transfers footholds to Volt Typhoon operators.