
Dark Reading (online US news outlet)
Chinese APT Volt Typhoon struck a US power utility in Massachusetts in 2023, in a prolonged attack that aimed to exfiltrate sensitive data regarding its operational technology (OT) infrastructure. It's the first known assault on a US power utility by the group, which gained notoriety last year for an attack spree on US telecoms, and which consistently targets critical infrastructure globally.
The attack by Volt Typhoon subgroup Voltzite on the Littleton Electric Light and Water Departments (LELWD) prompted joint action from the FBI and security company Dragos, which revealed details of the attack and its mitigation in a case study (PDF) published today. Dragos founder and CEO Robert M. Lee mentioned the attack at a media roundtable in February 2024, but did not name the company or provide explicit details on what transpired.
LELWD, which serves the communities of Littleton and Boxborough, Mass., became aware of the attack when assistant general manager David Ketchen received a call from the FBI on a Friday afternoon in November 2023, alerting the utility to a suspected compromise. The following Monday, FBI agents and representatives from the Cybersecurity and Infrastructure Security Agency (CISA) arrived at LELWD to aid in the investigation.
The goal of the group was to exfiltrate specific data related to operational technology (OT) operating procedures and spatial layout data relating to energy grid operations, Josh Hanrahan, principal hunter at Dragos, tells Dark Reading. This information can be pivotal in helping the adversary know exactly where to attack when (or if) they decide to use a Stage 2 capability in the future to compromise the actual OT network that controls physical functions, he says.
Mitigation & Cleanup of an Energy Grid Cyberattack
Dragos and other investigators identified the activity through Dragos' OT Watch platform, which provides advanced threat hunting for critical infrastructure, and let company officials know where the intrusion occurred. Together, responders eliminated Voltzite from the network and added further protections to prevent renewed intrusion, according to the report.
"Further investigation determined that the compromised information did not include any customer-sensitive data, and the utility was able to change their network architecture to remove any advantages for the adversary," the company said in its report.
Dragos also provided recommendations to the utility to harden its OT environment further, so that future intrusions can be avoided or quickly mitigated. LELWD currently invests in asset visibility and inventory, threat detection and response, vulnerability management, network segmentation analysis, and incident response guidance.
Volt Typhoon, Voltzite Attacks Likely to Continue
Since being publicly outed in May 2023, Volt Typhoon (aka Bronze Silhouette, Vanguard Panda, and UNC3236) has compromised not only telecom providers but also the US territory of Guam, military bases, and the US emergency management organization, among others.
The group typically infiltrates networks through a sprawling botnet built by compromising poorly protected small office/home office (SOHO) routers. While law enforcement said it dealt Volt Typhoon a blow early last year when it remotely dismantled this botnet, Dragos expects that attacks from the APT are far from over; Voltzite operations against critical infrastructure in the United States and Western-aligned nations will continue into 2025, the company said.
Since the threat actor typically exploits vulnerabilities in Internet-facing VPN appliances or firewalls for initial access, Dragos encourages defenders of OT networks to implement adequate patch management and system integrity plans on those types of assets in their network.
Moreover, the best way to identify Voltzite is by monitoring its attack behaviors, which are to blend in deliberately with trusted networks and to use tools already available on the hosts, Dragos tells Dark Reading. For this, OT network operators should compare any unusual lateral movement against the expected traffic within their networks and validate suspicious user activity that originates from regular employee accounts.
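The detection approach Dragos describes, comparing observed lateral movement against a baseline of expected traffic and surfacing regular employee accounts that reach outside it, can be illustrated with a small baseline check. This is an added example, not code from Dragos or from the original article; the log format, host names, accounts and the baseline set are all constructed for illustration.

```python
"""Baseline check for unexpected lateral movement (constructed example)."""
from collections import defaultdict

# Constructed sample of host-to-host session records:
# timestamp,user,src_host,dst_host,dst_zone,tool
# The tools (smb, rdp) are legitimate admin tooling, so nothing here is
# malicious on its own; only the deviation from the baseline stands out.
SAMPLE_LOG = """\
2023-11-10T13:02:11Z,jdoe,WS-017,FS-01,corp,smb
2023-11-10T13:05:42Z,jdoe,WS-017,HMI-02,ot,rdp
2023-11-10T13:07:03Z,svc-backup,BK-01,FS-01,corp,smb
2023-11-10T13:09:55Z,jdoe,WS-017,GIS-01,ot,smb
2023-11-10T13:12:18Z,ot-eng1,ENG-01,HMI-02,ot,rdp
"""

# Constructed baseline of (account, destination zone) pairs that are expected.
# In practice this is built from weeks of observed traffic and reviewed with
# the OT team; a regular corporate account should never appear with "ot".
BASELINE = {
    ("jdoe", "corp"),
    ("svc-backup", "corp"),
    ("ot-eng1", "ot"),
}


def parse_log(text):
    """Parse the comma-separated records into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, zone, tool = line.split(",")
        events.append({"ts": ts, "user": user, "src": src,
                       "dst": dst, "zone": zone, "tool": tool})
    return events


def find_unexpected_movement(events, baseline):
    """Return events whose (user, destination zone) pair is outside the baseline."""
    return [e for e in events if (e["user"], e["zone"]) not in baseline]


def summarize_by_user(flagged):
    """Group flagged destinations per account so each account can be validated."""
    by_user = defaultdict(list)
    for e in flagged:
        by_user[e["user"]].append(e["dst"])
    return dict(by_user)


if __name__ == "__main__":
    flagged = find_unexpected_movement(parse_log(SAMPLE_LOG), BASELINE)
    for user, hosts in summarize_by_user(flagged).items():
        print(f"validate account {user}: unexpected access to {', '.join(hosts)}")
```

The output names the employee account that crossed from the corporate zone into OT hosts, which is exactly the activity an analyst is asked to validate; the same check extends naturally to keying the baseline on (account, zone, tool) when tool usage is also stable.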