ICS/OT security firm Dragos on Wednesday published a case study describing an intrusion attributed to the notorious Chinese threat actor Volt Typhoon into the US electric grid.
The target was Littleton Electric Light and Water Departments (LELWD), a small public power utility in Massachusetts that serves Littleton and Boxborough. The utility had been in the process of implementing Dragos operational technology (OT) security solutions when the intrusion was detected, which led to an expedited deployment.
The case study published by Dragos focuses on the benefits of its solutions, including how they can be used to detect such intrusions and protect OT organizations against threats.
However, the industrial cybersecurity firm has shared some additional details with SecurityWeek.
Dragos said the LELWD breach was discovered in November 2023, just before Thanksgiving, and an investigation showed that the hackers had been in the organization’s network since February 2023, for more than 300 days.
The existence of Volt Typhoon came to light in May 2023, when Microsoft reported that the group, which the tech giant linked to the Chinese government, had been targeting US critical infrastructure in espionage operations. The threat actor has since made many headlines due to its sophistication, its botnets, and its use of zero-days.
Dragos reported one year ago that Volt Typhoon, which the company tracks as Voltzite, had been collecting sensitive OT data from hacked organizations. The security firm warned that while it had not been observed hacking ICS and causing disruption, Volt Typhoon could pose a serious threat to such systems.
In the case of the LELWD power utility, the hackers were seen collecting data on OT systems, Dragos told SecurityWeek.
“The significance of the discovery of this attack is that it highlights that the adversary not only aimed to maintain persistent access to the victim’s environment for a long tenure, but also were aiming to exfiltrate specific data related to OT operating procedures and spatial layout data relating to energy grid operations,” Dragos said.
“This information can be pivotal for helping the adversary know exactly where to attack when, or if, they decide to utilize a Stage 2 capability in the future,” it added.
Stage 2 in the ICS Cyber Kill Chain means that hackers can develop and test specific and meaningful attacks on industrial control systems. Volt Typhoon is one of the several active threat groups tracked by Dragos that have such capabilities.
Dragos also told SecurityWeek that Volt Typhoon was in many cases — outside of the LELWD hack — observed exfiltrating geographic information system (GIS) data containing critical information about the spatial layout of energy systems.
“Exfiltrated data and persistent access to OT systems could be employed as a means for actions on objectives in the future,” the security firm explained.
Related: Nine Threat Groups Active in OT Operations in 2024
Related: Organizations Still Not Patching OT Due to Disruption Concerns
Related: Details Disclosed for SCADA Flaws That Could Facilitate Industrial Attacks
