Volt Typhoon Energy Grid Cyberattack Exposes US Infrastructure Vulnerabilities

The Volt Typhoon advanced persistent threat (APT) group maintained access to a Massachusetts power utility's OT network for almost a year, highlighting critical infrastructure vulnerabilities.

    A prolonged intrusion at a US electric utility has exposed vulnerabilities within the US power grid. Security researchers at Dragos uncovered the intrusion and attributed it to the Volt Typhoon advanced persistent threat (APT) group, a threat actor linked to China.

    The intrusion targeted Littleton Electric Light and Water Departments (LELWD), a small public power utility in Massachusetts. Volt Typhoon maintained unauthorized access to LELWD’s operational technology (OT) network for nearly a year, from February to November 2024.

    Tim Mackey, head of software supply chain risk strategy at Black Duck, warned:

    “One of the biggest challenges with cybersecurity in critical infrastructure is the long lifespan of the devices. Something that was designed and tested to the best practices available when it was released can easily become vulnerable to attacks using more sophisticated attacks later in its lifecycle.”

    Nathaniel Jones, vice president of threat research at Darktrace, added that the impact on Critical National Infrastructure (CNI) is a “continued and growing concern with the applications of AI-based capabilities for both offensive and defensive teams.”

    The targeting of CNI entities suggests a strategic goal beyond simple data theft. Donovan Tindill, director of OT cybersecurity at DeNexus, noted that exfiltrated OT data gives attackers geopolitical leverage because it lets them:

    • Understand system configurations and operations.
    • Steal intellectual property (e.g., manufacturing techniques).
    • Identify supply chain relationships for potential disruption.
    • Map the electrical grid’s structure and criticality.
    • Use data for ransom or extortion.
    • Manipulate OT systems for specific objectives.

    Dragos’ investigation revealed Volt Typhoon’s tactics, including Server Message Block (SMB) traversal and lateral movement over Remote Desktop Protocol (RDP). LELWD contained the threat and reconfigured its network to prevent further exploitation. Importantly, no customer-sensitive data was compromised during the intrusion.

    Agnidipta Sarkar, vice president of CISO advisory at ColorTokens, emphasized the need for a proactive approach.

    “Attack sophistication is on the rise, and OT/ICS organizations shut down when faced with a cyber-attack. Unfortunately, cyber OT leadership is focusing on stopping attacks instead of stopping the proliferation of attacks.”

    The attackers aimed to exfiltrate data related to OT operating procedures and the spatial layout of the energy grid.

    Josh Hanrahan, principal hunter at Dragos, explained that this information is crucial for planning future attacks targeting the OT network controlling physical functions.

    Dragos’ Mitigation of the US Energy Grid Cyberattack

    Dragos, using its OT Watch platform, identified the intrusion and assisted LELWD in removing VOLTZITE (Dragos’ designation for the Volt Typhoon activity group) from its network and implementing additional security measures.

    Dragos also provided recommendations to enhance LELWD’s OT security, including asset visibility and inventory, threat detection and response, vulnerability management, network segmentation analysis, and incident response guidance.

    Since its public exposure in May 2023, Volt Typhoon (also known as Bronze Silhouette, Vanguard Panda, and UNC3236) has targeted various entities, including telecom providers, the US territory of Guam, military bases, and US emergency management organizations.

    The group often gains initial access through a botnet built from compromised small office/home office (SOHO) routers. Although law enforcement disrupted this botnet, Dragos anticipates continued attacks by Volt Typhoon and its subgroups, particularly against critical infrastructure in the US and Western-aligned nations.

    Dragos recommends that organizations defending OT networks implement:

    • Effective patch management.
    • Robust system integrity plans for internet-facing assets (VPN appliances, firewalls).
    • Monitoring of attack behaviors to identify unusual lateral movement and suspicious user activity.
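    The third recommendation is the one that would have caught the SMB traversal and RDP lateral movement described above. As an added illustration (this is not Dragos’ detection logic, and the log lines are constructed, not taken from the LELWD case), the Python below flags the “fan-out” pattern: one account, from one source host, authenticating to several distinct hosts over RDP (Windows logon type 10) or SMB/network logons (logon type 3) within a short window. The simplified log format, the 15-minute window, the threshold of three hosts and the `admin-jump` allow-list are all assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Windows Security 4624 (successful logon) events.
# Fields: ISO timestamp, source host, target host, account, Windows logon type.
# Logon type 10 = RemoteInteractive (RDP); type 3 = Network (SMB/admin shares);
# type 2 = Interactive (console), which is not lateral movement and is ignored.
SAMPLE_LOGS = """\
2024-03-01T02:10:05 src=eng-ws01 dst=hmi-01 user=svc_backup type=10
2024-03-01T02:11:40 src=eng-ws01 dst=hmi-02 user=svc_backup type=10
2024-03-01T02:12:12 src=eng-ws01 dst=historian user=svc_backup type=3
2024-03-01T02:20:47 src=eng-ws01 dst=plc-gw user=svc_backup type=3
2024-03-01T08:58:00 src=ops-ws02 dst=ops-ws02 user=opsuser type=2
2024-03-01T09:00:10 src=admin-jump dst=fileserver user=jdoe type=3
2024-03-01T09:05:33 src=admin-jump dst=hmi-01 user=jdoe type=10
2024-03-01T09:07:02 src=admin-jump dst=hmi-02 user=jdoe type=10
2024-03-01T14:00:00 src=ops-ws02 dst=hmi-01 user=opsuser type=10
2024-03-01T14:30:00 src=ops-ws02 dst=hmi-01 user=opsuser type=10
this line is malformed and should be skipped
"""

# Logon types that indicate remote authentication to another host.
LATERAL_LOGON_TYPES = {"3": "SMB/network", "10": "RDP"}
WINDOW = timedelta(minutes=15)   # assumed tuning value
FANOUT_THRESHOLD = 3             # distinct destinations before alerting (assumed)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) type=(?P<type>\d+)$"
)


def parse_logons(text):
    """Parse the simplified 4624 export, keeping only RDP and SMB/network logons."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of losing the whole batch
        d = m.groupdict()
        if d["type"] not in LATERAL_LOGON_TYPES:
            continue
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def detect_fanout(events, window=WINDOW, threshold=FANOUT_THRESHOLD, jump_hosts=frozenset()):
    """Alert once per (user, source host) that reaches `threshold` distinct
    destinations over RDP/SMB inside `window`. `jump_hosts` is an allow-list of
    hosts from which fan-out is expected (e.g. a sanctioned admin jump host)."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src"] in jump_hosts:
            continue
        by_actor[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_actor.items():
        for i, cur in enumerate(evs):
            # Sliding window ending at the current event.
            recent = [x for x in evs[: i + 1] if cur["ts"] - x["ts"] <= window]
            dsts = sorted({x["dst"] for x in recent})
            if len(dsts) >= threshold:
                alerts.append({
                    "user": user,
                    "src": src,
                    "first": recent[0]["ts"],
                    "last": cur["ts"],
                    "dsts": dsts,
                    "protocols": sorted({LATERAL_LOGON_TYPES[x["type"]] for x in recent}),
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse_logons(SAMPLE_LOGS), jump_hosts=frozenset({"admin-jump"})):
        print(f"{a['user']}@{a['src']} -> {', '.join(a['dsts'])} "
              f"via {'/'.join(a['protocols'])} between {a['first']} and {a['last']}")
```

    Run against the constructed sample, the detector raises a single alert for `svc_backup` on `eng-ws01`, which reaches three OT hosts (two over RDP, one over SMB) in about two minutes at 02:00, while the same pattern from the allow-listed jump host and the repeated single-host RDP session from `ops-ws02` stay quiet. In production the same logic would sit on top of forwarded 4624 events (or Zeek `rdp.log`/`smb_mapping.log`), and the threshold should be set from a baseline of normal engineering workstation behaviour rather than guessed.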

    The Volt Typhoon intrusion highlights the urgent need for strengthened monitoring and defense strategies within CNI organizations.

    Sustained investment in security expertise, technology, and risk mitigation is essential to protect the electric grid and other vital infrastructure from increasingly sophisticated threats. Understanding the threat actors behind these attacks is crucial for effective mitigation.
