Shane

Under the Radar: How Volt Typhoon Hackers Infiltrated a U.S. Power Utility for 300 Days

Small Utility, Big Target: The Volt Typhoon Warning for All Businesses

In a concerning development for critical infrastructure security, the Littleton Electric Light and Water Departments (LELWD) in Massachusetts was the target of a sophisticated cyber intrusion by Chinese state-sponsored hackers that went undetected for nearly a year. This incident highlights the growing threats faced by utilities of all sizes and the importance of robust operational technology (OT) security measures.

The Volt Typhoon Breach: A Timeline

The intrusion by the threat group known as Volt Typhoon (or “VOLTZITE” as identified by Dragos) began in February 2023 but wasn’t discovered until November 2023, just before Thanksgiving. The breach came to light when the FBI contacted LELWD’s management to alert them of a potential compromise.

Nick Lawler, LELWD’s general manager, initially thought the call might be a scam. When the FBI agent asked for his personal email address to send a diagnostic link, Lawler refused and instead arranged for the agents to visit the utility’s offices. The following Monday, representatives from both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) arrived at LELWD to investigate the breach.

The Attack: What Systems Were Impacted

According to the investigation, Volt Typhoon gained initial access to LELWD’s network through a vulnerable FortiGate 300D firewall that hadn’t received a critical security update. Fortinet had patched this vulnerability in December 2022, but LELWD’s managed service provider at the time had failed to update the firmware.

Once inside, the hackers employed various techniques including:

  • Server message block (SMB) traversal maneuvers
  • Remote desktop protocol (RDP) lateral movement
  • Living off the land tactics using pre-installed tools

The attackers mainly focused on exfiltrating specific operational technology (OT) data, particularly information related to:

  • OT operating procedures
  • Spatial layout data relating to energy grid operations
  • Network architecture details

This type of reconnaissance is particularly concerning as it suggests the hackers were gathering intelligence that could potentially be used for future disruptive cyberattacks against critical infrastructure.

Dragos Security’s Role in Mitigation

LELWD had actually been working with Dragos, an industrial cybersecurity firm specializing in OT security, before the breach was discovered. The utility had joined an American Public Power Association (APPA) government-funded program designed to help smaller public utilities enhance their cybersecurity posture.

When the breach was uncovered, Dragos was able to:

  1. Accelerate deployment: Dragos bypassed the planned onboarding timeline to quickly implement their platform and respond to the threat.
  2. Identify malicious activity: Using their OT Watch threat hunting services, Dragos confirmed the extent of the intrusion and pinpointed the attackers’ activities.
  3. Contain and eradicate: Their team helped LELWD remove the threat actors from the network and secure it against further intrusion.
  4. Provide ongoing protection: Dragos implemented comprehensive OT security measures, including asset visibility, threat detection, vulnerability management, network segmentation analysis, and incident response guidance.

Josh DeTerra, LELWD’s supervising engineer, noted that the visibility provided by the Dragos Platform was “a game-changer” for their operations, allowing them to see which IP addresses should or shouldn’t be communicating with each other.
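The communication-baseline visibility described above, and the SMB/RDP lateral movement listed earlier, can be illustrated with a small defender-side check. The following is an added example, not code from the original post or from Dragos; the flow log format, host addresses and the baseline of expected conversations are all constructed.

```python
"""Baseline check for east-west OT traffic over flow logs (constructed example)."""
from datetime import datetime

# Ports of the lateral-movement protocols named in the write-up: SMB and RDP.
LATERAL_PORTS = {445: "SMB", 3389: "RDP"}

# Constructed baseline of expected (src, dst, dst_port) triples. In practice this
# comes from an asset inventory or a passive OT monitoring platform, not by hand.
BASELINE = {
    ("10.10.1.20", "10.10.2.5", 502),    # HMI -> PLC over Modbus
    ("10.10.1.20", "10.10.1.10", 445),   # HMI -> historian file share
    ("10.10.0.2", "10.10.1.20", 3389),   # engineering jump host -> HMI
}

# Constructed flow records: "<timestamp> <src> <dst> <dst_port>", one per line.
SAMPLE_FLOWS = """\
2023-02-14T03:12:08Z 10.10.1.20 10.10.2.5 502
2023-02-14T03:15:41Z 10.10.0.2 10.10.1.20 3389
2023-02-15T02:07:19Z 192.168.50.7 10.10.1.10 445
2023-06-03T01:44:02Z 192.168.50.7 10.10.1.20 3389
2023-11-20T04:30:55Z 192.168.50.7 10.10.1.10 445
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, port) tuples from the flow log text."""
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)

def find_unexpected_lateral(text, baseline=BASELINE):
    """Return SMB/RDP flows whose (src, dst, port) triple is not in the baseline."""
    return [(ts, src, dst, LATERAL_PORTS[port])
            for ts, src, dst, port in parse_flows(text)
            if port in LATERAL_PORTS and (src, dst, port) not in baseline]

def dwell_days(findings):
    """Days between first and last unexpected flow: a lower bound on dwell time."""
    if not findings:
        return 0
    stamps = [f[0] for f in findings]
    return (max(stamps) - min(stamps)).days

if __name__ == "__main__":
    hits = find_unexpected_lateral(SAMPLE_FLOWS)
    for ts, src, dst, proto in hits:
        print(f"{ts:%Y-%m-%d} {proto}: {src} -> {dst} is not in the baseline")
    print(f"approximate dwell time: {dwell_days(hits)} days")
```

Run against the constructed log, the three flows from the unexpected host are flagged and the span between the first and last of them shows how a baseline review would have exposed the long dwell time the article describes.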

Lessons Learned and Broader Implications

The LELWD incident demonstrates several key lessons for critical infrastructure security:

  1. Size doesn’t matter to attackers: Even smaller utilities can be targets for sophisticated state-sponsored threat actors.
  2. Dwell time is a significant concern: The 300+ days that Volt Typhoon remained undetected gave them ample opportunity to gather intelligence and potentially establish persistent access.
  3. OT security requires specialized expertise: Traditional IT security approaches are insufficient for protecting operational technology environments.
  4. Supply chain vulnerabilities matter: The unpatched firewall shows that vendor management and timely updates are essential security components.

How CinchOps Can Help Secure Your Business

The Volt Typhoon attack on LELWD underscores the critical importance of proactive cybersecurity measures for organizations of all sizes, especially those managing critical infrastructure. At CinchOps, we specialize in helping businesses strengthen their security posture through comprehensive solutions tailored to their specific needs.

Our approach includes:

  • Comprehensive vulnerability assessments to identify and remediate potential entry points before attackers can exploit them
  • 24/7 monitoring and threat detection to minimize dwell time and rapidly respond to suspicious activities
  • OT/IT security integration to ensure proper segmentation while maintaining visibility across all systems
  • Patch management services to keep critical systems updated against known vulnerabilities
  • Security awareness training to help your team recognize and respond to potential threats
  • Incident response planning to ensure you’re prepared if a breach occurs

Don’t wait until after a breach to address your cybersecurity needs. Contact CinchOps today to learn how we can help protect your critical assets from sophisticated threats like Volt Typhoon.

Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
