How well do you understand your adversary?
The naming conventions adopted by Microsoft’s Threat Intelligence teams tell a story. Volt Typhoon. Salt Typhoon. Silk Typhoon. The typhoon designation signals a specific origin — the People’s Republic of China — and a specific intent: pre-positioning within critical infrastructure for disruption, not espionage. The adversary is not there to steal data. They are there to wait.
Salt Typhoon’s confirmed intrusion into U.S. telecommunications providers demonstrated that nation-state actors had achieved persistent access to the backbone of American communications infrastructure for months — possibly years — before detection. These were not smash-and-grab operations. They were patient, deliberate campaigns designed to survive network resets, firmware updates, and even hardware replacement.
The tsunami metaphor is equally deliberate. When the wave arrives, the damage is not the event — it is the consequence of what was already in motion.
Why Detection Is Hard
Nation-state actors operating in critical infrastructure employ living-off-the-land techniques: they use the system’s own tools, speak the network’s native protocols, and mimic the behavior of authorized administrators. Perimeter firewalls and signature-based detection are ineffective against an adversary who already holds valid credentials and behaves like a legitimate systems administrator.
What is required is visibility at a layer below the administrator — a vantage point inside the kernel, where the operating system itself reports on what is happening in real time.
Thor™ and the Typhoon Problem
Thor™ by Aronetics® operates at ring 0 — the kernel level. It monitors system call patterns, runtime memory behavior, and process lineage: the behavioral telemetry that exposes living-off-the-land activity regardless of how convincingly an actor mimics legitimate use. Thor™ does not require prior knowledge of the threat actor’s tools. It establishes a behavioral baseline and raises alarms when the machine behaves differently — even when nothing looks wrong from the outside.
For critical infrastructure operators, water authorities, energy utilities, satellite ground stations, and telecommunications providers, Thor™ provides the kind of internal assurance that perimeter security cannot.
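The baseline-and-deviate idea described above, applied to process lineage, as an added example that is not Thor™ code and not part of the original article: it learns which ancestor chains start each process and flags chains never seen during the baseline window. The event tuples, process names and function names are constructed for illustration, and the events are assumed to arrive parent-before-child from some kernel-level telemetry source.

```python
from collections import Counter

# Constructed process-start events: (pid, ppid, image). Not real telemetry.
BASELINE_EVENTS = [
    (1, 0, "systemd"),
    (100, 1, "sshd"), (101, 100, "bash"), (102, 101, "systemctl"),
    (200, 1, "cron"), (201, 200, "sh"), (202, 201, "tar"),
    (300, 1, "nginx"),
]
OBSERVED_EVENTS = [
    (1, 0, "systemd"),
    (100, 1, "sshd"), (110, 100, "bash"), (111, 110, "systemctl"),
    (300, 1, "nginx"), (310, 300, "sh"), (311, 310, "tar"),
]

def lineages(events, depth=3):
    """Yield (pid, chain): the last `depth` images in the ancestry ending at pid."""
    image, parent = {}, {}
    for pid, ppid, img in events:
        image[pid], parent[pid] = img, ppid
        chain, cur = [], pid
        # Walk upward until the chain is full or the ancestor is unknown.
        while cur in image and len(chain) < depth:
            chain.append(image[cur])
            cur = parent[cur]
        yield pid, tuple(reversed(chain))

def build_baseline(events, depth=3):
    """Count how often each lineage chain occurred in the learning window."""
    return Counter(chain for _, chain in lineages(events, depth))

def detect(baseline, events, depth=3, min_seen=1):
    """Return (pid, chain) for every start whose lineage is below min_seen."""
    alerts = []
    for pid, chain in lineages(events, depth):
        if baseline[chain] < min_seen:
            alerts.append((pid, " > ".join(chain)))
    return alerts

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for pid, chain in detect(baseline, OBSERVED_EVENTS):
        print(f"unseen lineage pid={pid}: {chain}")
```

Both `sh` and `tar` are known binaries in the baseline, so a signature or allow-list on the image name passes them; only the ancestry under `nginx` is new.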
Know your adversary. Deploy your defenses inside the machine.