I. From espionage to pre-positioning

On 7 February 2024, the U.S. Cybersecurity and Infrastructure Security Agency, together with the National Security Agency, the FBI and a coalition of allied agencies, issued advisory AA24-038A.[1] Its assessment was unusually direct. The People's Republic of China state-sponsored actor tracked as Volt Typhoon had compromised the IT environments of multiple critical-infrastructure organisations, "primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors", and the authoring agencies judged "with high confidence" that the intrusions were intended to enable lateral movement toward operational-technology assets in order to disrupt their functions.[1]

The advisory drew an explicit distinction that deserves to be quoted. Volt Typhoon's "choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations."[1] The actor was not reading the network; it was learning to break it. CISA further reported indications that the intruders had maintained access within some victim environments "for at least five years."[1]

Two features make this campaign a category shift rather than an escalation in degree. The first is patience. Five years of dwell time inside an electricity or water utility is not reconnaissance in any ordinary sense; it is the construction of an option, a capability deliberately built and held against a future contingency. The second is method. Volt Typhoon's signature is the use of "living off the land" techniques: rather than deploying bespoke malware that a defender might catch, the actor operates through the legitimate administrative tools already present on the network, blending into routine activity and frustrating detection.[1]
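Because living-off-the-land activity uses binaries that are legitimately present, signature matching on the tool itself cannot separate the intruder from the administrator; what a defender can do is baseline which identities run which administrative tools on which hosts, and flag first-time combinations and off-hours execution. The following is an added illustration written for this Note, not code from the advisory or from any of the agencies cited; the process-creation log lines, host and account names, the cutoff date and the watchlist of administrative binaries are all constructed for the example.

```python
"""Baseline-deviation detection for living-off-the-land tool use.

Added example for this Note; not taken from advisory AA24-038A. All log
lines, host names, account names and the tool watchlist are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Assumed watchlist of legitimate Windows administrative binaries that an
# intruder can abuse. Their mere presence is not an indicator: that is the
# whole problem with living-off-the-land activity.
LOTL_TOOLS = {"ntdsutil.exe", "wmic.exe", "netsh.exe", "powershell.exe"}

# Constructed process-creation events: timestamp, host, user, image name.
SAMPLE_LOG = """\
2024-01-02T08:00:00 HOST-ADM01 svc_backup ntdsutil.exe
2024-01-03T08:00:00 HOST-ADM01 svc_backup ntdsutil.exe
2024-01-04T09:15:00 HOST-ADM01 admin.j netsh.exe
2024-01-05T08:00:00 HOST-ADM01 svc_backup ntdsutil.exe
2024-01-06T10:00:00 HOST-FS02 user.k powershell.exe
2024-01-20T02:13:00 HOST-FS02 user.k ntdsutil.exe
2024-01-20T02:15:00 HOST-FS02 user.k netsh.exe
2024-01-21T03:40:00 HOST-ADM01 svc_backup wmic.exe
2024-01-22T09:00:00 HOST-ADM01 svc_backup ntdsutil.exe
"""

# Events before this constructed cutoff form the "known good" baseline;
# events on or after it are the hunting window.
CUTOFF = datetime(2024, 1, 10)
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 working window


def parse_events(text):
    """Parse whitespace-separated log lines into (timestamp, host, user, image)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = line.split()
        events.append((datetime.fromisoformat(ts), host, user, image.lower()))
    return events


def build_baseline(events, cutoff):
    """Map (host, user) -> set of watchlisted tools that pair ran before the cutoff."""
    baseline = defaultdict(set)
    for ts, host, user, image in events:
        if ts < cutoff and image in LOTL_TOOLS:
            baseline[(host, user)].add(image)
    return baseline


def is_off_hours(ts):
    """True when execution falls outside the assumed business-hours window."""
    return ts.hour not in BUSINESS_HOURS


def find_novel_tool_use(events, cutoff):
    """Return watchlisted executions after the cutoff by a (host, user) pair
    that never ran that tool during the baseline, with an off-hours flag."""
    baseline = build_baseline(events, cutoff)
    findings = []
    for ts, host, user, image in events:
        if ts < cutoff or image not in LOTL_TOOLS:
            continue
        if image not in baseline.get((host, user), set()):
            findings.append({
                "time": ts.isoformat(),
                "host": host,
                "user": user,
                "image": image,
                "off_hours": is_off_hours(ts),
            })
    return findings


def run_detection():
    """Run the detector over the constructed sample and return its findings."""
    return find_novel_tool_use(parse_events(SAMPLE_LOG), CUTOFF)


if __name__ == "__main__":
    for f in run_detection():
        print(f)
```

On the constructed sample the routine baseline use of ntdsutil.exe by svc_backup is silent, including its post-cutoff run during working hours, while the three first-time pairings (a file-server account running ntdsutil.exe and netsh.exe at 02:00, and the backup account running wmic.exe at 03:40) are surfaced, each also marked off-hours. The design point is that the detector never asks "is this binary malicious?" but "has this identity ever done this here before?", which is the only question that has an answer when the tooling is legitimate.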

The unit of account has changed. It is no longer the stolen document but the pre-placed capability, a foothold that produces no value until the day someone decides to use it.

II. The telecommunications backbone as a target in itself

If Volt Typhoon revealed the ambition against energy and water, the campaign tracked as Salt Typhoon revealed its scale against the communications layer. Beginning with reports that surfaced in 2024, U.S. officials disclosed that a PRC-affiliated actor had penetrated the networks of major American telecommunications carriers.[2][3] By the close of 2024, the White House confirmed that at least eight U.S. telecommunications firms had been affected and that the operation had reached "several dozen" countries.[3]

The detail that gives this campaign its strategic weight is what the intruders reached. According to U.S. officials, Salt Typhoon accessed the systems that providers use to satisfy lawful-intercept requests under the Communications Assistance for Law Enforcement Act, the very apparatus of court-authorised wiretapping.[2][4] Deputy National Security Advisor Anne Neuberger stated that a "large number" of individuals had their geolocation and call metadata accessed, and that communications of a smaller set, including figures connected to the 2024 U.S. presidential contest, were directly collected.[3][4] In response, CISA and partner agencies in the United States, Australia, Canada and New Zealand published hardening guidance for communications infrastructure in December 2024.[2]

The figures for the campaign's total reach have continued to grow and should be treated with the caution that evolving incident reporting demands: in August 2025 the FBI and partners characterised Salt Typhoon as having compromised entities across some 80 countries.[4] Whatever the final tally, the lesson is structural. The telecommunications backbone is no longer merely the medium through which other targets are reached. It is the target, because whoever holds it holds the lawful-intercept systems, the metadata of a society, and a switch that can be turned in a crisis.

METHOD BOX: Reading attribution claims.

This Note privileges primary government advisories (CISA, NSA, FBI, ANSSI) and the public statements of named officials over secondary press synthesis. Cyber attribution is a probabilistic judgement, not a forensic certainty; where agencies state a confidence level we reproduce it, and where figures are still being revised through successive disclosures, as with Salt Typhoon's country count, we flag the claim as provisional rather than settled. Readers should treat "compromised" and "pre-positioned" as the authoring agencies' assessments, made on classified evidence we cannot independently audit.

III. The seabed and the physical layer

Cyber conflict does not stop at the logical layer. The Baltic Sea has become the theatre where digital dependency meets physical sabotage. On 25 December 2024 the Estlink 2 power cable between Finland and Estonia, together with several telecommunications cables, was severed; Finnish investigators concluded that the tanker Eagle S had dragged its anchor across the seabed for tens of kilometres, and a Finnish armed boarding team seized the vessel.[5][6] The ship was associated with the so-called shadow fleet used to move Russian oil in evasion of Western sanctions.[5]

The incident sits within a wider pattern of cable damage in the region that has driven European governments to treat undersea infrastructure as a contested domain. On 14 January 2025 NATO launched the "Baltic Sentry" activity, deploying frigates, maritime patrol aircraft and naval drones to strengthen the protection of critical undersea infrastructure.[7] Whether each individual cable break is deliberate sabotage or maritime negligence remains, in several cases, genuinely contested: a Finnish court later found it could not try the Eagle S officers for acts committed outside territorial waters.[6] But the strategic effect does not depend on resolving each case. Ambiguity is itself the weapon: a campaign that can never be cleanly attributed imposes cost, anxiety and the burden of permanent patrol while preserving deniability.

The genius of operations in the grey zone is that they need not be proven to succeed. Doubt, distributed across an alliance, is the deliverable.

IV. Criminal capability, state effect

A clean line between state pre-positioning and criminal extortion no longer holds. The Colonial Pipeline incident of May 2021, a ransomware attack attributed by the FBI to the criminal group DarkSide that led the operator to halt fuel distribution for six days across much of the U.S. East Coast, demonstrated that a financially motivated intrusion can produce a national-security effect indistinguishable from sabotage.[8] In November 2023, the Iran-linked group CyberAv3ngers compromised an internet-exposed Unitronics programmable logic controller at the Municipal Water Authority of Aliquippa, Pennsylvania; CISA subsequently documented exploitation of the same equipment across multiple states.[9] The water supply was never endangered, but the demonstration value was the point.

France's national cyber agency has named this convergence explicitly. In its 2025 cyber-threat panorama, ANSSI observed that techniques once reserved for state groups (exploitation of zero-day vulnerabilities, abuse of legitimate services, durable pre-positioning) are now appearing in the criminal ecosystem, and that actors traditionally associated with espionage, including from China and North Korea, were seen deploying ransomware for profit in 2025.[10] ANSSI further noted that the targeting of critical infrastructure in the telecommunications and energy sectors, including through attempted sabotage, remains highly prized by these actors, and described an alarming end to 2025 marked by coordinated, destructively oriented attacks against Polish electrical infrastructure.[10] The Institute reads this convergence as the most dangerous trend of the period: it collapses the analytic categories on which deterrence depends. If a state can rent a criminal proxy, and a criminal can wield a state-grade capability, the question "who did this, and was it an act of war?" becomes structurally unanswerable in the hours that matter.

V. The cognitive front

The second front is informational. The European External Action Service, in its successive reports on Foreign Information Manipulation and Interference, has documented an industrialised infrastructure of manipulation. Its work analysed hundreds of FIMI incidents and tens of thousands of channels, attributing the bulk of activity to Russia and, increasingly, to China, and mapping persistent covert networks such as Doppelgänger, which replicates the appearance of legitimate European news outlets to launder hostile content.[11][12] The EEAS records that FIMI incidents in 2024 spanned roughly 90 countries and targeted hundreds of organisations.[11]

The connection to infrastructure is not incidental. A society's confidence that the power grid is secure, that the water is safe, that an outage is an accident rather than an attack, is itself a target. Pre-positioning in physical systems and manipulation of the information environment are two halves of one strategy: the first creates the capability to inflict disruption, the second shapes how a population interprets disruption when it comes, or merely fears that it might.

VI. The European and Swiss frameworks

The regulatory response has been substantial but uneven. The European Union's NIS2 Directive, in force since January 2023, extended binding cybersecurity obligations across eighteen critical sectors and set a transposition deadline of 17 October 2024.[13] The follow-through has lagged the ambition: only a handful of member states met the deadline, and in late November 2024 the European Commission opened infringement proceedings against twenty-three of them.[13] A directive that exists on paper but not in national law protects no one.

A framework calibrated for breach-and-notify is poorly suited to an adversary whose objective is to be present, patient and unnoticed.

The Institute's assessment is that the prevailing architecture, built around incident reporting, breach notification and data protection, remains organised around the theft paradigm. Pre-positioning inverts its assumptions: the adversary's success is precisely the absence of an incident to report. Defending against a foothold requires sustained threat-hunting inside operational-technology networks, the capacity to operate critical services through a cyberattack rather than merely to recover afterward, and a tolerance for the uncomfortable truth that the most dangerous intrusions generate no alert at all. For Switzerland, whose interconnection with European energy and telecommunications markets is profound and whose neutrality offers no exemption from the physics of dependency, the implication is direct: resilience must be measured not by how quickly a breach is disclosed, but by how long an essential service can keep functioning while compromised.

VII. Conclusion: Defending against patience

The cyber competition of this decade is not primarily a contest of theft, and treating it as one is a category error with operational consequences. The decisive moves are the quiet foothold held in a utility for years, the backbone access that turns a telecommunications carrier into an instrument, the ambiguous anchor on a darkened seabed, and the manufactured doubt that erodes a society's ability to tell accident from attack. Each is designed to mature into effect only at a moment of the adversary's choosing.

Defending against patience demands patience of one's own, and a candour that most institutions still avoid. The honest measure of security is no longer the speed of detection but the durability of function under conditions of assumed compromise. That is an uncomfortable standard, because it concedes that the foothold may already be in place. It is also the only standard adequate to the threat as the evidence now describes it.