Chinese Hackers Infiltrate US Electric Grid for 300 Days, Stealing Sensitive Data

A recent case study by Dragos, a cybersecurity firm specializing in industrial control systems (ICS), reveals that Volt Typhoon, a Chinese state-sponsored hacking group, infiltrated the US electric grid for over 300 days. The breach, which targeted the Littleton Electric Light and Water Department (LELWD) in Massachusetts, was discovered in November 2023, though the hackers had been lurking in the network since February 2023.

Prolonged Access to Critical Infrastructure

Volt Typhoon’s intrusion occurred as LELWD was in the process of implementing Dragos’s operational technology (OT) security solutions. The breach underscores the growing threat to critical infrastructure: Volt Typhoon focused on stealing sensitive OT data, particularly data related to energy grid operations and the geographic information systems (GIS) that map the layout of these systems.

A Dangerous Prelude to Potential Attacks

Dragos emphasized the significance of the breach, noting that the stolen data could be pivotal for any future cyber-attacks on industrial control systems. Persistent access over such an extended period gives the hackers what they need to plan highly targeted attacks in a later phase, known as Stage 2 in the ICS Cyber Kill Chain.

While the intrusion did not disrupt operations, the stolen data could enable Volt Typhoon to plan strategic attacks on critical energy infrastructure in the future, exploiting the OT vulnerabilities they’ve uncovered.

The Growing Threat from Volt Typhoon

First identified in May 2023 by Microsoft, Volt Typhoon has since become notorious for its sophistication and use of botnets and zero-day vulnerabilities to target U.S. critical infrastructure. Dragos warned that while Volt Typhoon has not yet caused operational disruption, its capabilities could pose a significant threat to industrial control systems (ICS) if left unchecked.

References:

  • Dragos Case Study on Volt Typhoon [Dragos]
  • securityweek.com
  • Microsoft’s Report on Volt Typhoon [Microsoft]
