Industrial cybersecurity firm Dragos has shared some details describing an intrusion attributed to the notorious Chinese threat actor Volt Typhoon into the US electric grid.
The target was Littleton Electric Light and Water Departments (LELWD), a small public power utility in Massachusetts that serves Littleton and Boxborough. The utility had been in the process of implementing Dragos operational technology (OT) security solutions when the intrusion was detected, which led to an expedited deployment.
A case study published by Dragos focuses on the benefits of its solutions, including how they can be used to detect such intrusions and protect OT organizations against threats.
However, the industrial cybersecurity firm has shared some additional details with SecurityWeek.
Dragos said the LELWD breach was discovered in November 2023, just before Thanksgiving, and an investigation showed that the hackers had been in the organization’s network since February 2023, for more than 300 days.
The existence of Volt Typhoon came to light in May 2023, when Microsoft reported that the group, which the tech giant linked to the Chinese government, had been targeting US critical infrastructure in espionage operations. The threat actor has since made many headlines due to its sophistication, its botnets, and its use of zero-days.
Dragos reported one year ago that Volt Typhoon, which the company tracks as Voltzite, had been collecting sensitive OT data from hacked organizations. The security firm warned that while it had not been observed hacking ICS and causing disruption, Volt Typhoon could pose a serious threat to such systems.
In the case of the LELWD power utility, the hackers were seen collecting data on OT systems, Dragos told SecurityWeek.
“The significance of the discovery of this attack is that it highlights that the adversary not only aimed to maintain persistent access to the victim’s environment for a long tenure, but also were aiming to exfiltrate specific data related to OT operating procedures and spatial layout data relating to energy grid operations,” Dragos said.
“This information can be pivotal for helping the adversary know exactly where to attack when, or if, they decide to utilize a Stage 2 capability in the future,” it added.
Stage 2 of the ICS Cyber Kill Chain is the phase in which attackers develop and test specific, meaningful attacks against industrial control systems. Volt Typhoon is one of several active threat groups tracked by Dragos that have such capabilities.
Dragos also told SecurityWeek that Volt Typhoon was in many cases — outside of the LELWD hack — observed exfiltrating geographic information system (GIS) data containing critical information about the spatial layout of energy systems.
“Exfiltrated data and persistent access to OT systems could be employed as a means for actions on objectives in the future,” the security firm explained.
Volt Typhoon Hackers Dwelled in US Electric for 300+ Days: Report