300 days under the radar: How Volt Typhoon eluded detection in the US electric grid for nearly a year
Lengthy OT lifespans give attackers time to penetrate networks underpinning critical infrastructure and plan future disruption

New research shows the notorious Volt Typhoon threat group was able to remain undetected in the US electric grid for nearly a year, and experts have told ITPro the incident highlights rampant OT security failures.
Operational technology (OT) security specialist Dragos published a report covering a specific intrusion that affected a local public utility in Massachusetts, the Littleton Electric Light and Water Department (LELWD), in 2023.
It transpired that the intrusion was first discovered in November 2023 while LELWD was implementing a number of OT security solutions. The specific group in question was identified by Dragos as VOLTZITE, a group it says overlaps with the Volt Typhoon collective.
An investigation into the intrusion revealed the group had likely had access to LELWD’s network since February 2023, totalling more than 300 days of access to its IT environment.
The report stated that further investigation determined the compromised information did not include any customer data, and that LELWD was able to change its network architecture to remove any leverage or access the adversary may still have had.
Dragos noted that the incident led to an acceleration in LELWD’s “cybersecurity journey” with the utility expediting the deployment of its OT security solutions as a result of the intrusion.
Ensar Seker, chief security officer at SOCRadar, said the incident demonstrates there are particularly worrying frailties in the critical national infrastructure (CNI) sector that need to be addressed.
“This latest Volt Typhoon intrusion into the US electric grid is a serious escalation in cyber-enabled espionage, highlighting the vulnerabilities of critical infrastructure (CI) in the face of persistent threats from nation-state actors,” he stated.
“The fact that Chinese hackers remained undetected for over 300 days inside a small public utility’s network is concerning, not only because of the extended dwell time but also because it reinforces the broader risks posed to larger, more complex CI networks.”
This is not a new problem, but the industry needs to take action now
Seker noted that the group’s tactics usually involve persisting on the network of the target organization for as long as possible, giving them time to plan a more devastating future attack.
"This group is known for pre-positioning within US CI—not necessarily for immediate sabotage, but for future disruption scenarios. By embedding themselves in water and power utilities, they gain persistent access to industrial control systems (ICS) and operational technology (OT), which could be leveraged in a geopolitical crisis."
A CISA advisory on Volt Typhoon published in the summer of 2023 warned that the group frequently employs living off the land (LOTL) techniques, using tools already present on the victim’s systems to maintain persistence and burrow deeper into corporate networks.
The long lifespan of OT devices used in many CNI organizations makes them an ideal target for groups like Volt Typhoon, which can use the additional time to take advantage of built-in systems to strengthen their foothold in the environment and plan future attacks.
Tim Mackey, head of software supply chain risk at Black Duck, said this represents a particular challenge for CNI organizations, since OT often becomes vulnerable many years after it was initially deployed, once its security protection has run out.
“One of the biggest challenges with cybersecurity in critical infrastructure is the long lifespan of the devices. Something that was designed and tested to the best practices available when it was released can easily become vulnerable to attacks using more sophisticated attacks later in its lifecycle,” he said.
“In effect, legacy best practices may not be up to the task of mitigating current threats or, worse, those that might be deployed in the coming years.”
“Since attackers know that critical infrastructure providers are measured in their up-time or service availability, once a device is compromised, attackers know that they have the luxury of mapping out and planning a very targeted attack rather than just being opportunistic,” Mackey added.
Speaking to ITPro, Dan Lattimer, area VP EMEA West at Semperis, said this is not a new problem, but the increasing prevalence of state-sponsored attacks targeting these devices means the industry must change how it manages them.
“OT assets are unique to organizations due to their lifespan. Historically, they have been treated rather separately to other IT assets. They have been deployed and managed with an operations-only lens (i.e. keep them up and running),” he said.
“Upgrades and security initiatives do carry risk to these environments as they can potentially run into issues, like all projects can. No organization wants to accidentally cause an issue that stops water or electricity to thousands of households,” he said.
Lattimer noted that geopolitical factors will continue to heighten risks for operators in the CNI space and increase the likelihood of OT-related cyber attacks. With this in mind, he urged organizations to implement and maintain stringent upgrade practices.
“As with all corporate assets, organizations need to understand their assets, configure them securely, manage user access and permissions, and continuously review and update this along with upgrading where possible.”
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.