However, subsequent investigations, including password changes and authentication

[official khan boy]

Volt Typhoon actors were periodically wasting their credentials. However, subsequent investigations, including password changes and authentication implementations, revealed authentication failures originating from unassigned IP addresses without a clear connection to Volt Typhoon.  During their known presence on the network, unusual login attempts to an Azure tenant may have used credentials that were previously at risk of being stolen.  As  Volt Performance Avis  the authoring agencies have previously highlighted, the use of “living outside the territory” techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when it comes to critical infrastructure.  The decision to reconnect to the Internet depends on the confidence of managers in the actions taken. Depending on the environment, new information discovered during clearance steps may add additional clearance tasks. https://www.triggercam.com/group/triggercam-group/discussion/37b42297-065a-42a2-a02e-cfc5335baf22