Industrial cybersecurity firm Dragos has shared some details describing an intrusion attributed to the notorious Chinese threat actor Volt Typhoon into the US electric grid.
The target was Littleton Electric Light and Water Departments (LELWD), a small public power utility in Massachusetts that serves Littleton and Boxborough. The utility had been in the process of implementing Dragos operational technology (OT) security solutions when the intrusion was detected, which led to an expedited deployment.
A case study published by Dragos focuses on the benefits of its solutions, including how they can be used to detect such intrusions and protect OT organizations against threats.
However, the industrial cybersecurity firm has shared some additional details with SecurityWeek.
Dragos said the LELWD breach was discovered in November 2023, just before Thanksgiving, and an investigation showed that the hackers had been in the organization’s network since February 2023, for more than 300 days.
The existence of Volt Typhoon came to light in May 2023, when Microsoft reported that the group, which the tech giant linked to the Chinese government, had been targeting US critical infrastructure in espionage operations. The threat actor has since made many headlines due to its sophistication, its botnets, and its use of zero-days.
Dragos reported one year ago that Volt Typhoon, which the company tracks as Voltzite, had been collecting sensitive OT data from hacked organizations. The security firm warned that while it had not been observed hacking ICS and causing disruption, Volt Typhoon could pose a serious threat to such systems.
In the case of the LELWD power utility, the hackers were seen collecting data on OT systems, Dragos told SecurityWeek.
“The significance of the discovery of this attack is that it highlights that the adversary not only aimed to maintain persistent access to the victim’s environment for a long tenure, but also were aiming to exfiltrate specific data related to OT operating procedures and spatial layout data relating to energy grid operations,” Dragos said.
“This information can be pivotal for helping the adversary know exactly where to attack when, or if, they decide to utilize a Stage 2 capability in the future,” it added.
Stage 2 in the ICS Cyber Kill Chain means that hackers can develop and test specific and meaningful attacks on industrial control systems. Volt Typhoon is one of the several active threat groups tracked by Dragos that have such capabilities.
Dragos also told SecurityWeek that Volt Typhoon was in many cases — outside of the LELWD hack — observed exfiltrating geographic information system (GIS) data containing critical information about the spatial layout of energy systems.
“Exfiltrated data and persistent access to OT systems could be employed as a means for actions on objectives in the future,” the security firm explained.
Volt Typhoon Hackers Dwelled in US Electric for 300+ Days: Report
Dragos shared some details describing an intrusion attributed to the notorious Chinese threat actor Volt Typhoon into the US electric grid.
ICS Patch Tuesday March 2025: Security Advisories by CISA, Schneider Electric, Siemens
Industrial giants Siemens and Schneider Electric have released March 2025 Patch Tuesday ICS security advisories.
ICS Patch Tuesday September 2024: Advisories Published by ABB, Siemens, Schneider, CISA
For September 2024, two dozen ICS Patch Tuesday advisories were published by Siemens, Schneider Electric, CISA and ABB.
Iran-Linked “Cyber Av3ngers” Hackers Compromise Control System at Pennsylvania Water Utility
Iran-Linked "Cyber Av3ngers" hackers compromised an industrial control system at the Municipal Water Authority of Aliquippa (MWAA) in Pennsylvania.
CISA Announces Free Vulnerability Scanning for Water Utilities
CISA announced a new vulnerability scanning service designed to help water utilities identify and address security holes that could expose their systems to remote attacks.
NSA, CISA Explain How Adversaries Plan and Execute ICS/OT Attacks
A joint advisory describes five typical steps involved in planning and executing an attack on Industrial control systems (ICS) and other operational technology (OT) systems
All ICS Vendors Impacted by OT:Icefall Vulnerabilities Have Released Advisories
All ICS vendors impacted by the recently-disclosed OT:Icefall vulnerabilities have released advisories to inform customers about the impact of the flaws and to provide mitigations.
Russia-Linked Pipedream/Incontroller ICS Malware Designed to Target Energy Facilities
A modular ICS attack framework and a collection of custom-made tools, can be used by threat actors to target ICS and SCADA devices, including programmable logic controllers (PLCs) from Schneider Electric and Omron, and OPC UA servers.
Intelligence Gathering on U.S. Critical Infrastructure
How Open Source Intelligence can be applied to reconnaissance on critical infrastructure. In many cases it’s possible to narrow a search to specific buildings like power plants, wastewater plants, or chemical and manufactured facilities. The research consists of 26,000 exposed devices in United States.