Industrial cybersecurity firm Dragos has shared some details describing an intrusion attributed to the notorious Chinese threat actor Volt Typhoon into the US electric grid.
The target was Littleton Electric Light and Water Departments (LELWD), a small public power utility in Massachusetts that serves Littleton and Boxborough. The utility had been in the process of implementing Dragos operational technology (OT) security solutions when the intrusion was detected, which led to an expedited deployment.
A case study published by Dragos focuses on the benefits of its solutions, including how they can be used to detect such intrusions and protect OT organizations against threats.
However, the industrial cybersecurity firm has shared some additional details with SecurityWeek.
Dragos said the LELWD breach was discovered in November 2023, just before Thanksgiving, and an investigation showed that the hackers had been in the organization’s network since February 2023, for more than 300 days.
The existence of Volt Typhoon came to light in May 2023, when Microsoft reported that the group, which the tech giant linked to the Chinese government, had been targeting US critical infrastructure in espionage operations. The threat actor has since made many headlines due to its sophistication, its botnets, and its use of zero-days.
Dragos reported one year ago that Volt Typhoon, which the company tracks as Voltzite, had been collecting sensitive OT data from hacked organizations. The security firm warned that while it had not been observed hacking ICS and causing disruption, Volt Typhoon could pose a serious threat to such systems.
In the case of the LELWD power utility, the hackers were seen collecting data on OT systems, Dragos told SecurityWeek.
“The significance of the discovery of this attack is that it highlights that the adversary not only aimed to maintain persistent access to the victim’s environment for a long tenure, but also were aiming to exfiltrate specific data related to OT operating procedures and spatial layout data relating to energy grid operations,” Dragos said.
“This information can be pivotal for helping the adversary know exactly where to attack when, or if, they decide to utilize a Stage 2 capability in the future,” it added.
Stage 2 in the ICS Cyber Kill Chain means that hackers can develop and test specific and meaningful attacks on industrial control systems. Volt Typhoon is one of the several active threat groups tracked by Dragos that have such capabilities.
Dragos also told SecurityWeek that Volt Typhoon was in many cases — outside of the LELWD hack — observed exfiltrating geographic information system (GIS) data containing critical information about the spatial layout of energy systems.
“Exfiltrated data and persistent access to OT systems could be employed as a means for actions on objectives in the future,” the security firm explained.
Volt Typhoon Hackers Dwelled in US Electric for 300+ Days: Report
Dragos shared some details describing an intrusion attributed to the notorious Chinese threat actor Volt Typhoon into the US electric grid.
Water Treatment Facility in Arkansas City Switches to Manual Mode After Suspected Cyberattack
Arkansas City said a cybersecurity issue at its Water Treatment Facility on September 22, 2024 forced the facility to switch to manual operations.
Iran-Linked “Cyber Av3ngers” Hackers Compromise Control System at Pennsylvania Water Utility
Iran-Linked "Cyber Av3ngers" hackers compromised an industrial control system at the Municipal Water Authority of Aliquippa (MWAA) in Pennsylvania.
Russian Sandworm Hackers Target Ukraine’s Power Grid in Coordinated Cyber-Physical Attack
Russia’s Sandworm hackers disrupted power in Ukraine using a novel attack against operational technology (OT) coordinated with missile strikes.
Deep Dive: PIPEDREAM/Incontroller ICS Attack Framework
In this session, Mark Plemmons, Sr. Director for Threat Intelligence at Dragos, dives deep into the technical details and real-world impact on the modular ICS attack framework known as PIPEDREAM/Incontroller
Researchers Use IoT and IT to Deliver Ransomware Attack Against OT
Critical industries must prepare themselves for a new wave of ransomware attacks specifically targeting OT
Colonial Pipeline Still Mostly Offline After Ransomware Attack
The Colonial Pipeline is working on a restart plan after a ransomware attack triggered the company to halt all pipeline operations on May 7, 2021.
The Past & Future of Integrity Attacks in ICS Environments (Video)
Integrity-based attacks can produce significant impacts through undermining a physical process and calling into doubt the viability of a specific facility.
The Growing Threat of Drones
Drones are an increasing threat to industrial sites, enabling various attacks (cyber and physical) that historically were only possible in close proximity to a facility or device.
Side-Channel Attacks Put Critical Infrastructure at Risk
ICS Devices Vulnerable to Side-Channel Attacks: Researcher Shows (Eduard Kovacs - SecurityWeek) Side-channel attacks can pose a serious threat to industrial control systems (ICS), a researcher warned last month at SecurityWeek’s ICS Cyber Security Conference in Atlanta, GA. Demos Andreou, a lead engineer at power management company Eaton, has conducted an analysis of protection devices typically used in the energy sector, specifically in power distribution stations. Side-channel attacks can be used to extract data from a system based on information gained by observing