A sophisticated cyberattack by the Chinese advanced persistent threat (APT) group Volt Typhoon struck a power utility in Massachusetts in 2023. This prolonged attack aimed to extract sensitive data related to the operational technology (OT) infrastructure of the Littleton Electric Light and Water Departments (LELWD). This marks the first known instance of Volt Typhoon breaching a U.S. power utility, following a series of previous attacks on telecom providers and critical infrastructure worldwide.
Coordinated Response to the Cyberattack
The attack, orchestrated by Volt Typhoon’s subgroup Voltzite, led to a joint response from the FBI and cybersecurity firm Dragos. Their findings, detailed in a newly released case study, shed light on the scope of the intrusion and the mitigation efforts undertaken. Robert M. Lee, founder and CEO of Dragos, hinted at this breach in early 2024 but refrained from revealing specific details at the time.
LELWD, serving the communities of Littleton and Boxborough, was alerted to the breach when Assistant General Manager David Ketchen received a call from the FBI in November 2023. By the following Monday, federal agents and representatives from the Cybersecurity and Infrastructure Security Agency (CISA) were on-site to assess the situation. Investigators discovered that Voltzite had maintained access to the network for an extended period—reportedly over 300 days—employing techniques such as Server Message Block (SMB) traversal maneuvers and Remote Desktop Protocol (RDP) lateral movement to navigate the infrastructure.
Dragos’ principal hunter, Josh Hanrahan, explained that the attackers targeted data related to OT operating procedures and spatial layouts of energy grid operations. Such intelligence could allow adversaries to pinpoint critical weak spots, potentially enabling a Stage 2 attack in the future that could disrupt physical operations.
Mitigation and Security Enhancements
The breach was identified using Dragos’ OT Watch platform, which specializes in monitoring critical infrastructure for threats. Following detection, security teams successfully eradicated Voltzite from the network and reinforced security measures to prevent re-entry.
Further investigation confirmed that no customer-sensitive data had been compromised. The utility responded by redesigning its network architecture to neutralize any strategic advantage the attackers had gained. Dragos also recommended enhanced asset visibility, threat detection, vulnerability management, network segmentation, and incident response protocols to bolster future security.
Volt Typhoon, also known by aliases such as Bronze Silhouette, Vanguard Panda, and UNC3236, has been an active threat since at least May 2023. The group has previously infiltrated telecom providers, military bases, and emergency management organizations, extending its reach beyond U.S. territories to allied nations.
Their attack method typically involves leveraging a botnet of compromised small office/home office (SOHO) routers. Although law enforcement dealt a significant blow to this botnet in early 2023, experts at Dragos anticipate continued attacks targeting critical infrastructure into 2025. The group’s primary method of entry is exploiting vulnerabilities in Internet-facing VPN appliances and firewalls, making patch management and system integrity crucial for defenders of OT networks.
Defensive Strategies Against Voltzite Attacks
Given Voltzite’s ability to blend seamlessly into trusted networks and exploit legitimate tools, cybersecurity teams must remain vigilant. Dragos advises OT network providers to monitor for unusual lateral movement, analyze traffic patterns, and verify any suspicious activity originating from employee accounts. Strengthening cybersecurity measures and proactively addressing vulnerabilities will be key in mitigating future attacks from this persistent threat actor.
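The monitoring advice above, watching for unusual lateral movement such as the SMB and RDP traversal described earlier in the article, can be reduced to a concrete detection rule. The following is an added illustration, not Dragos tooling or anything from the LELWD investigation: it runs over a constructed set of Windows Security event 4624 records (successful logons, where logon type 10 is RDP and logon type 3 is a network logon such as SMB share access) and flags any account-plus-source-address pair that reaches an unusually large number of distinct hosts inside a short window. All host names, account names, addresses, timestamps and thresholds are constructed sample values.

```python
"""Fan-out lateral-movement detection over constructed Windows logon records.

Added example for illustration; the events, names and thresholds are constructed,
not taken from the incident described in the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4624 fields: (timestamp, account, source_ip, dest_host, logon_type).
# LogonType 10 = RemoteInteractive (RDP); LogonType 3 = Network (e.g. SMB share access).
SAMPLE_EVENTS = [
    ("2023-11-10T02:01:05", "svc_backup", "10.0.5.23", "SCADA-HMI-01", 10),
    ("2023-11-10T02:03:40", "svc_backup", "10.0.5.23", "FILESRV-02", 3),
    ("2023-11-10T02:07:12", "svc_backup", "10.0.5.23", "ENG-WS-07", 3),
    ("2023-11-10T02:09:55", "svc_backup", "10.0.5.23", "HISTORIAN-01", 10),
    ("2023-11-10T02:14:30", "svc_backup", "10.0.5.23", "GIS-SRV-01", 3),
    ("2023-11-10T09:15:00", "jdoe", "10.0.8.41", "FILESRV-02", 3),
    ("2023-11-10T09:20:00", "jdoe", "10.0.8.41", "FILESRV-02", 3),
    ("2023-11-10T09:40:00", "jdoe", "10.0.8.41", "ENG-WS-07", 10),
    ("2023-11-10T23:30:00", "svc_backup", "10.0.5.23", "FILESRV-02", 3),
]

# Logon types that indicate one host reaching another (remote access), as opposed to
# interactive console logons (type 2) or service logons (type 5).
LATERAL_LOGON_TYPES = {3, 10}


def parse_event(rec):
    """Turn one constructed record tuple into a dict with a parsed timestamp."""
    ts, account, src, dst, logon_type = rec
    return {
        "ts": datetime.fromisoformat(ts),
        "account": account,
        "src": src,
        "dst": dst,
        "logon_type": logon_type,
    }


def detect_fanout(events, window=timedelta(minutes=30), min_hosts=4):
    """Return one alert per (account, source_ip) that logs on to at least `min_hosts`
    distinct destinations via RDP/SMB-style logons within any `window`-long span.

    A legitimate user touching one file server and one workstation stays below the
    threshold; an account sweeping HMIs, historians and file servers in minutes does not.
    """
    by_actor = defaultdict(list)
    for ev in events:
        if ev["logon_type"] in LATERAL_LOGON_TYPES:
            by_actor[(ev["account"], ev["src"])].append(ev)

    alerts = []
    for (account, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each event; stop at the first window that trips.
        for i, start in enumerate(evs):
            hosts = set()
            types_seen = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                hosts.add(ev["dst"])
                types_seen.add(ev["logon_type"])
            if len(hosts) >= min_hosts:
                alerts.append({
                    "account": account,
                    "src": src,
                    "first_seen": start["ts"].isoformat(),
                    "hosts": sorted(hosts),
                    "logon_types": sorted(types_seen),
                })
                break  # one alert per actor is enough for triage
    return alerts


def run_sample():
    """Apply the rule to the constructed sample and return the resulting alerts."""
    return detect_fanout([parse_event(r) for r in SAMPLE_EVENTS])


if __name__ == "__main__":
    for alert in run_sample():
        print(f"ALERT {alert['account']}@{alert['src']} from {alert['first_seen']}: "
              f"{len(alert['hosts'])} hosts via logon types {alert['logon_types']}")
```

In practice the window and host-count thresholds should be tuned per environment from a baseline of normal administrative activity, and the same fan-out logic applies equally to SMB session logs from a network sensor; the point is that an adversary living off legitimate protocols still leaves a breadth-of-access pattern that ordinary users do not.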