Industrial cybersecurity firm Dragos has shared some details describing an intrusion attributed to the notorious Chinese threat actor Volt Typhoon into the US electric grid.
The target was Littleton Electric Light and Water Departments (LELWD), a small public power utility in Massachusetts that serves Littleton and Boxborough. The utility had been in the process of implementing Dragos operational technology (OT) security solutions when the intrusion was detected, which led to an expedited deployment.
A case study published by Dragos focuses on the benefits of its solutions, including how they can be used to detect such intrusions and protect OT organizations against threats.
However, the industrial cybersecurity firm has shared some additional details with SecurityWeek.
Dragos said the LELWD breach was discovered in November 2023, just before Thanksgiving, and an investigation showed that the hackers had been in the organization’s network since February 2023, for more than 300 days.
The existence of Volt Typhoon came to light in May 2023, when Microsoft reported that the group, which the tech giant linked to the Chinese government, had been targeting US critical infrastructure in espionage operations. The threat actor has since made many headlines due to its sophistication, its botnets, and its use of zero-days.
Dragos reported one year ago that Volt Typhoon, which the company tracks as Voltzite, had been collecting sensitive OT data from hacked organizations. The security firm warned that while it had not been observed hacking ICS and causing disruption, Volt Typhoon could pose a serious threat to such systems.
In the case of the LELWD power utility, the hackers were seen collecting data on OT systems, Dragos told SecurityWeek.
“The significance of the discovery of this attack is that it highlights that the adversary not only aimed to maintain persistent access to the victim’s environment for a long tenure, but also were aiming to exfiltrate specific data related to OT operating procedures and spatial layout data relating to energy grid operations,” Dragos said.
“This information can be pivotal for helping the adversary know exactly where to attack when, or if, they decide to utilize a Stage 2 capability in the future,” it added.
Stage 2 in the ICS Cyber Kill Chain means that hackers can develop and test specific and meaningful attacks on industrial control systems. Volt Typhoon is one of the several active threat groups tracked by Dragos that have such capabilities.
Dragos also told SecurityWeek that Volt Typhoon was in many cases — outside of the LELWD hack — observed exfiltrating geographic information system (GIS) data containing critical information about the spatial layout of energy systems.
“Exfiltrated data and persistent access to OT systems could be employed as a means for actions on objectives in the future,” the security firm explained.
Volt Typhoon Hackers Dwelled in US Electric for 300+ Days: Report
Dragos shared some details describing an intrusion attributed to the notorious Chinese threat actor Volt Typhoon into the US electric grid.
Side-Channel Attacks Put Critical Infrastructure at Risk
ICS Devices Vulnerable to Side-Channel Attacks: Researcher Shows (Eduard Kovacs - SecurityWeek) Side-channel attacks can pose a serious threat to industrial control systems (ICS), a researcher warned last month at SecurityWeek’s ICS Cyber Security Conference in Atlanta, GA. Demos Andreou, a lead engineer at power management company Eaton, has conducted an analysis of protection devices typically used in the energy sector, specifically in power distribution stations. Side-channel attacks can be used to extract data from a system based on information gained by observing
ICS Honeypot Highlights Danger to Critical Systems From Criminal Hackers
(SecurityWeek - Kevin Townsend) - Security firm Cybereason established a sophisticated honeypot masquerading as a power transmission substation for a major electricity provider. The purpose was to attract attackers and analyze how they operate against the energy sector of the critical infrastructure. Within two days of going live on June 17, the honeypot developed and operated by Cybereason was found, prepped by a black-market reseller, and sold on in the dark web underworld. xDedic RDP Patch was found in the environment.