How Volt Typhoon Infiltrated a Small US Power Grid


The threat group Volt Typhoon (also known as VOLTZITE) has been known to be active since 2021, representing an advanced persistent threat (APT) primarily to organizations in the United States. Alleged to be a Chinese state-sponsored group, Volt Typhoon is often spotted carrying out espionage, compromising infrastructure, spreading malware, and more.

The focus on critical infrastructure in these attacks demonstrates the significance of the threat posed by the group. Establishing a persistent presence enables threat actors to launch further attacks down the line, a common tactic of groups like this. A case study by industrial cybersecurity company Dragos details Volt Typhoon’s 2023 intrusion into the network of the Littleton Electric Light and Water Departments (LELWD) in Massachusetts, demonstrating the group’s ability and motivation to compromise critical infrastructure organizations, including small ones with fewer resources to devote to defense.

The LELWD Breach: A Timeline

The intrusion into LELWD’s systems began in February 2023 and was discovered over 300 days later. Without knowing about the threat, LELWD was already taking steps to “gain visibility of its OT assets, secure IT-OT network traffic, and monitor communications between OT devices and systems.” The Dragos Platform was deployed in August, but the utility had not yet fully integrated threat-hunting services from OT Watch; that process was expedited in November, when the FBI alerted LELWD that it had discovered a potential compromise of the network.

The investigation revealed that the threat actors gained initial access to LELWD’s network by exploiting a vulnerability in a FortiGate 300D firewall that had not received a critical security update. After infiltrating the network, the threat actors used a variety of tactics to maintain their presence, exfiltrate OT data, and more. While there were no disruptions to industrial control systems during this prolonged intrusion, the establishment of this kind of persistent presence often indicates an intention to carry out further attacks within the network.

Volt Typhoon’s Modus Operandi

According to a joint advisory from the United States CISA, NSA, FBI, and several other international organizations, Volt Typhoon tailors attacks and tactics to the specific target, but its threat actors tend to follow similar behavior patterns. The threat group typically establishes a presence by exploiting security gaps in public-facing appliances, both zero-day flaws and known, unpatched vulnerabilities. They often achieve this after conducting extensive research into the target prior to compromising the network.

After infiltrating the target’s network, Volt Typhoon actors attempt to gain administrator-level access in order to escalate their privileges and move laterally. They rely on living-off-the-land (LotL) techniques, using native system tools and applications to carry out their activity, primarily espionage and data exfiltration. This, in combination with other APT tactics, helps the threat actors go undetected for long periods of time. Some Volt Typhoon incidents also include the harvesting of geographic information systems (GIS) data describing the spatial layout of the targeted systems.

Implications for US Critical Infrastructure

While some may assume that small public utilities like LELWD are unlikely targets for attacks like these, the truth is that they are particularly vulnerable because of their size and their often limited resources for incident prevention and remediation. Attacks on smaller organizations may not offer the same level of payout as attacks on larger ones, but they can still disrupt crucial operations and cause catastrophic damage, and they show the attackers’ persistence and dedication to compromising critical infrastructure.

There are many risks associated with prolonged, undetected intrusions like the extended presence of Volt Typhoon within LELWD’s network. Attackers maintaining a foothold in an organization can carry out a wide variety of harmful actions, including exfiltrating sensitive data, disrupting vital operations, deploying malware, and more. Even without ICS disruption, the OT data gathered in one of these extended reconnaissance missions can enable future attacks that do just that. Dragos warns that the espionage commonly seen in these attacks could easily evolve to sabotage.

Dragos’ Role and Response

When LELWD implemented the Dragos Platform and began integrating threat-hunting services by OT Watch, the utility did not yet know about the presence of Volt Typhoon within its systems. LELWD undertook the mission of hardening its defenses and landed on Dragos as the chosen cybersecurity partner due to industry reputation, OT security expertise, and other criteria aligning Dragos with LELWD’s security goals and available resources. When the FBI informed LELWD of the potential intrusion, Dragos and OT Watch stepped in and worked with government agencies to investigate and remediate the threat.

Many organizations lack adequate cybersecurity strategies in a constantly evolving threat landscape, and it is crucial for organizations like utility companies to harden their defenses against APTs and other pressing risks. The LELWD case study demonstrates the importance of proactively guarding against attacks and working with trusted security partners to establish a robust strategy for the detection, containment, and remediation of potential threats. Organizations of all types are encouraged to develop and implement sufficient measures, tools, and policies to detect and stop intrusions like this.

“One of the biggest challenges with cybersecurity in critical infrastructure is the long lifespan of the devices,” according to Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, a Burlington, Massachusetts-based provider of application security solutions. “Something that was designed and tested to the best practices available when it was released can easily become vulnerable to attacks using more sophisticated attacks later in its lifecycle.” As such, it is crucial for organizations to reassess and update their security strategies to maintain effectiveness over time.

Conclusion

Hardening OT environments against intrusion is not a simple feat, nor is it a one-and-done task, but it is necessary to protect critical infrastructure from attacks. Organizations must implement measures for the detection, containment, and remediation of threats, as well as regularly evaluate their security measures for effectiveness and shift their tactics and solutions based on pertinent threat intelligence. Attacks targeting critical infrastructure and potentially posing risks to national security are on the rise, and it has never been more important for organizations to maintain vigilance, invest in strong security, and foster international cooperation against these threats.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.