Volt Typhoon actors rely on valid accounts for persistence. They first gain initial access to a network by exploiting vulnerabilities in public-facing applications. Then, they obtain administrator credentials and maintain persistence on the network. They are known to use compromised credentials for follow-on activities, such as logging into the victim’s network via VPN.