300 days under the radar: How Volt Typhoon eluded detection in the US electric grid for nearly a year
Lengthy OT lifespans give attackers time to penetrate networks underpinning critical infrastructure and plan future disruption


New research shows the notorious Volt Typhoon threat group was able to remain undetected in the US electric grid for nearly a year, and experts have told ITPro the incident highlights rampant OT security failures.
Operational technology (OT) security specialist Dragos published a report covering a specific intrusion that affected a local public utility in Massachusetts, the Littleton Electric Light and Water Department (LELWD) in 2023.
It transpired that the intrusion was first discovered in November 2023 while LELWD was implementing a number of OT security solutions. The specific group in question was identified by Dragos as VOLTZITE, a group it says overlaps with the Volt Typhoon collective.
An investigation into the intrusion revealed the group had likely had access to LELWD’s network since February 2023, totalling more than 300 days of access to its IT environment.
The report stated that further investigation found no customer data was affected, and that LELWD was able to change its network architecture to remove any leverage or access the adversary may still have had.
Dragos noted that the incident led to an acceleration in LELWD’s “cybersecurity journey” with the utility expediting the deployment of its OT security solutions as a result of the intrusion.
Ensar Seker, chief security officer at SOCRadar, said the incident demonstrates there are particularly worrying frailties in the critical national infrastructure (CNI) sector that need to be addressed.
"This latest Volt Typhoon intrusion into the US electric grid is a serious escalation in cyber-enabled espionage, highlighting the vulnerabilities of critical infrastructure (CI) in the face of persistent threats from nation-state actors,” he stated.
“The fact that Chinese hackers remained undetected for over 300 days inside a small public utility’s network is concerning, not only because of the extended dwell time but also because it reinforces the broader risks posed to larger, more complex CI networks."
This is not a new problem, but the industry needs to take action now
Seker noted that the group’s tactics usually involve persisting on the network of the target organization for as long as possible, giving them time to plan a more devastating future attack.
"This group is known for pre-positioning within US CI—not necessarily for immediate sabotage, but for future disruption scenarios. By embedding themselves in water and power utilities, they gain persistent access to industrial control systems (ICS) and operational technology (OT), which could be leveraged in a geopolitical crisis."
A CISA advisory on Volt Typhoon published in May 2023 warned that the group relies heavily on living off the land (LOTL) techniques: rather than dropping malware, it uses tools already present on compromised systems, so its activity blends in with routine administration while it maintains persistence and moves deeper into the network.
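Because LOTL activity uses the same binaries administrators use, a signature alone produces noise; the usual practitioner answer is to pair command-line signatures with a per-host baseline so that a tool seen for the first time on a host scores higher than one that host runs routinely. The script below is an added example written for this article, not code from Dragos, CISA or LELWD. The process-creation events, the baseline and the four signatures (netsh portproxy, ntdsutil IFM/snapshot, reg save of credential hives, wmic /node:) are constructed for illustration from commonly reported LOTL tradecraft and are not taken from the Dragos report.

```python
"""Living-off-the-land (LOTL) triage over process-creation events.

Pairs a small command-line signature set with a per-host baseline:
a signature hit on a host that has never run that tool is "high",
a hit on a host where the tool is already baselined is "medium"
(still worth a look, but likely routine administration).
Every event, host name and baseline entry here is constructed.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "host user cmdline")

# Illustrative signatures (assumptions for this example, not from the report).
SIGNATURES = [
    ("portproxy", re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I),
     "netsh portproxy add: host-level port forward, usable to relay traffic"),
    ("ntds_dump", re.compile(r"\bntdsutil\b.*\b(ifm|snapshot)\b", re.I),
     "ntdsutil IFM/snapshot: offline copy of NTDS.dit for credential theft"),
    ("reg_hive", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I),
     "reg save of SAM/SECURITY/SYSTEM: local credential material"),
    ("wmic_remote", re.compile(r"\bwmic\b.*/node:", re.I),
     "wmic /node: remote execution or enumeration against another host"),
]

# Baseline of (host, rule) pairs observed during a learning window.
# Here: the backup account on DC01 legitimately runs ntdsutil ifm nightly.
BASELINE = {("DC01", "ntds_dump")}

# Constructed process-creation events (host, user, command line).
SAMPLE_EVENTS = [
    Event("OPS-WS01", "jsmith", r"netsh interface show interface"),
    Event("OPS-WS01", "jsmith", r"netsh interface portproxy add v4tov4 "
                                r"listenport=9999 listenaddress=0.0.0.0 "
                                r"connectport=443 connectaddress=203.0.113.7"),
    Event("DC01", "svc_bkp", r'ntdsutil "ac i ntds" ifm "create full C:\Temp\ifm" q q'),
    Event("HMI-02", "operator", r"reg save HKLM\SAM C:\Windows\Temp\s.hiv"),
    Event("ENG-01", "admin", r"wmic /node:HMI-02 process call create cmd.exe /c whoami"),
    Event("ENG-01", "admin", r"wmic logicaldisk get caption"),
]


def classify(event, baseline):
    """Return a finding dict for the first matching signature, else None."""
    for name, pattern, why in SIGNATURES:
        if pattern.search(event.cmdline):
            first_seen = (event.host, name) not in baseline
            return {
                "host": event.host,
                "user": event.user,
                "rule": name,
                "severity": "high" if first_seen else "medium",
                "reason": why + ("; first use on this host" if first_seen
                                 else "; previously seen on this host, verify change ticket"),
            }
    return None


def triage(events, baseline):
    """Run every event through classify() and keep only the findings."""
    return [f for f in (classify(e, baseline) for e in events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, BASELINE):
        print(f"[{finding['severity']:6}] {finding['host']}/{finding['user']} "
              f"{finding['rule']}: {finding['reason']}")
```

On the constructed input, the benign `netsh ... show` and local `wmic` queries produce no finding, the baselined `ntdsutil` run on DC01 is scored medium, and the port forward, hive save and remote `wmic` call are scored high because those hosts have no history of running them. In production the baseline would be built from the same telemetry over a quiet period, and the signatures widened to whatever administrative tooling the site actually uses.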
The long service life of OT devices in many CNI organizations makes them an ideal target for groups like Volt Typhoon, which can use that time, and the administrative tooling already present on the network, to strengthen their foothold in the environment and plan future attacks.
Tim Mackey, head of software supply chain risk at Black Duck, said this represents a particular challenge for CNI organizations, with OT often becoming vulnerable many years after it was first deployed, once vendor security support has ended.
"One of the biggest challenges with cybersecurity in critical infrastructure is the long lifespan of the devices. Something that was designed and tested to the best practices available when it was released can easily become vulnerable to attacks using more sophisticated attacks later in its lifecycle,” he said.
“In effect, legacy best practices may not be up to the task of mitigating current threats or, worse, those that might be deployed in the coming years.”
"Since attackers know that critical infrastructure providers are measured in their up-time or service availability, once a device is compromised, attackers know that they have the luxury of mapping out and planning a very targeted attack rather than just being opportunistic,” Mackey added.
Speaking to ITPro, Dan Lattimer, area VP EMEA West at Semperis, said this is not a new problem, but the increasing prevalence of state-sponsored attacks targeting these devices means the industry must change how they manage them.
“OT assets are unique to organizations due to their lifespan. Historically, they have been treated rather separately to other IT assets. They have been deployed and managed with an operations-only lens, (i.e. keep them up and running)," he said.
"Upgrades and security initiatives do carry risk to these environments as they can potentially run into issues, like all projects can. No organization wants to accidentally cause an issue that stops water or electricity to thousands of households,” he said.
Lattimer noted that geopolitical factors will continue to heighten risks for operators in the CNI space and increase the likelihood of OT-related cyber attacks. With this in mind, he urged organizations to implement and maintain stringent upgrade practices.
“As with all corporate assets, organizations need to understand their assets, configure them securely, manage user access and permissions, and continuously review and update this along with upgrading where possible.”
Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.