
Volt Typhoon Causes Widespread Damage to Electric Utilities, Increases Cyber Attacks


Volt Typhoon, a sophisticated China-based cyber-espionage group, has been making headlines for its recent focus on infiltrating operational technology (OT) networks in critical infrastructure, targeting US-based electric companies as well as electric transmission and distribution organizations in African nations. According to OT security specialist Dragos, the OT-focused threat group, which Dragos tracks as “Voltzite,” has already begun reconnaissance and enumeration of multiple US-based electric companies and has demonstrated its capability to compromise infrastructure. Dragos’ findings echo recent statements by the US government and experts in the field, who have warned of the potential for chaos and disruption in the power grid, especially in the event of military conflict.

Robert M. Lee, founder and CEO at Dragos, highlighted the sophistication and strategic approach of Volt Typhoon, emphasizing the group’s well-resourced and strategic position as an A-player in the world of cyber-threats. He also pointed out that Voltzite, the OT-focused arm of the group, has demonstrated a clear focus on US strategic electric sites. The group has been described as persistent and stealthy, making incursions into IT networks that connect to the OT footprint, but without directly compromising the physical industrial control systems (ICS) at electric-sector targets.

A case study investigated by Dragos revealed that Voltzite managed to stay hidden within a midsize electric utility in the US for over 300 days, while actively attempting to breach the OT network. The group was found stealing OT-specific data, insights, and geospatial information, indicating that it was preparing for future disruptive attacks on power operations networks.

Since being exposed in May 2023, Volt Typhoon has reportedly expanded its activities to compromise US territories, telecom providers, military bases, and emergency management organizations, among others. Dragos identified evidence of this expansion, including the specific targeting of US power companies and African targets, as well as the exploitation of Ivanti VPN zero-day vulnerabilities. Additionally, Voltzite was found to have conducted extensive reconnaissance of a US telecommunications provider’s external network gateways, further underscoring the group’s interest in critical infrastructure targets.

The investigation also revealed that Voltzite’s intrusion tactics rely on legitimate tools and living-off-the-land (LotL) techniques to evade signature-based detection. This includes using native Windows binaries such as csvde.exe, abusing Volume Shadow Copies, and extracting the NTDS.dit Active Directory database from a domain controller, which together highlight the group’s ability to collect and exfiltrate sensitive information.
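Because these are legitimate built-in tools, detection has to come from process telemetry rather than file signatures. As an added example (not from the article or Dragos), the following Python triages a few constructed Sysmon-style process-creation events for the three behaviours named above; the rule names, the per-host grouping, and the sample events are this example’s assumptions.

```python
"""Added example, not from the article or Dragos: triage constructed
Sysmon-style process-creation events for the LotL behaviours the article
attributes to Voltzite (csvde exports, shadow copies, NTDS.dit access)."""
import re
from dataclasses import dataclass

# Rule name -> regex over the lowercased command line. The tool flags are
# the documented ones; the "stage" grouping is this example's assumption.
RULES = [
    ("csvde_directory_export", re.compile(r"\bcsvde(\.exe)?\b.*\s-f\s")),
    ("shadow_copy_created", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b")),
    ("shadow_copy_created", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bcreate\b")),
    ("ntds_dit_referenced", re.compile(r"ntds\.dit")),
]

@dataclass
class ProcEvent:  # minimal subset of a Sysmon Event ID 1 record
    host: str
    user: str
    image: str
    command_line: str

def match_rules(ev):
    """Return the sorted rule names a single process event triggers."""
    cl = ev.command_line.lower()
    return sorted({name for name, rx in RULES if rx.search(cl)})

def triage(events):
    """Group distinct LotL stages per host. Several stages on one domain
    controller is the signal to escalate; a lone csvde export may be
    routine administration and is left for the analyst to judge."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev.host, set()).update(match_rules(ev))
    return {h: sorted(s) for h, s in per_host.items() if s}

# Constructed sample events (not real telemetry).
SAMPLE = [
    ProcEvent("DC01", r"CORP\svc-backup", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin create shadow /for=C:"),
    ProcEvent("DC01", r"CORP\svc-backup", r"C:\Windows\System32\cmd.exe",
              r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\n.dit"),
    ProcEvent("DC01", r"CORP\svc-backup", r"C:\Windows\System32\csvde.exe",
              r"csvde -f C:\temp\ad.csv"),
    ProcEvent("WS17", r"CORP\jdoe", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for host, stages in triage(SAMPLE).items():
        print(f"{host}: {len(stages)} LotL stage(s): {', '.join(stages)}")
```

In a real deployment the same rules would run against Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled, and the per-host counts would be correlated over a time window rather than a single batch.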

Despite the absence of direct evidence of disruptive capabilities to ICS/OT assets thus far, the potential for Voltzite to cause significant disruption to American lives through its targeting of satellite, telecommunications, and electric power generation, transmission, and distribution is a cause for concern.

As the threat of cyberattacks against energy utilities continues to grow, it is essential for organizations to adopt advanced security measures. Aura Sabadus, an energy markets specialist at Independent Commodity Intelligence Services (ICIS), emphasized the need for significant investment in cybersecurity to protect critical infrastructure from the growing risks posed by cyber-threats like Volt Typhoon. She stressed the importance of proactively implementing measures to mitigate the potential impacts of disruptive attacks on energy infrastructure.

In response to these threats, Dragos recommends that organizations implement the SANS Institute’s 5 Critical Controls for World-Class OT Cybersecurity. These include crafting operations-informed incident response plans, deploying architectures that support visibility and asset identification, continuous network security monitoring, identifying and managing remote access points, and employing risk-based vulnerability management.

As Volt Typhoon’s activities continue to raise concerns about the security and resilience of critical infrastructure, the need for organizations to adapt and strengthen their cyber-defense strategies is becoming increasingly urgent. The ongoing threat posed by sophisticated cyber-espionage groups underscores the importance of robust cybersecurity measures and risk mitigation strategies for securing critical infrastructure in the face of evolving threats.
