A small electric and water utility in Massachusetts, the Littleton Electric Light and Water Departments (LELWD), recently fell victim to a sophisticated Chinese advanced persistent threat (APT) group known as Volt Typhoon. The breach, lasting over 300 days, was only discovered in November 2023, thanks to the efforts of industrial cybersecurity firm Dragos.
The attack on LELWD, which serves the towns of Littleton and Boxborough, highlighted the growing threat that groups like Volt Typhoon pose to critical U.S. infrastructure. The group, attributed to the Chinese government, has been tied to intrusions at energy, water, and communications networks across the United States. Dragos tracks the overlapping activity under its own name, VOLTZITE, and characterizes it as a threat group focused on industrial entities.
Upon discovering the intrusion, LELWD, working with Dragos, moved quickly to investigate and contain the attack. Using Dragos' operational technology (OT) security platform, the utility identified the intruders' techniques, including Server Message Block (SMB) traversal and lateral movement over Remote Desktop Protocol (RDP). Left undetected, these techniques could have given the attackers a path to critical systems on the network. Sensitive customer data was not compromised, and the utility was able to lock down its network and cut off further access.
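The two techniques named above, SMB traversal and RDP lateral movement, leave a recognizable footprint in Windows Security logs: successful logons with LogonType 10 (RemoteInteractive, i.e. RDP) and network-share access events (ID 5140) against administrative shares such as ADMIN$ or C$, fanning out from one source to many hosts in a short time. The following is an added example, written for this page and not Dragos tooling or anything LELWD used, of detection logic that flags that fan-out pattern. The CSV event layout and the sample events are constructed for the illustration; the event IDs and logon type are real Windows values.

```python
"""Flag lateral-movement fan-out (RDP logons and admin-share access) in Windows
Security events.  Added illustration; the event layout below is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events, one per line:
#   timestamp,event_id,source_ip,dest_host,account,detail
# For 4624 (successful logon) the detail field is the LogonType;
# for 5140 (network share accessed) it is the share path.
SAMPLE_EVENTS = [
    "2023-11-01T02:10:05Z,4624,10.20.1.15,SCADA-HIST01,svc_backup,10",
    "2023-11-01T02:14:42Z,4624,10.20.1.15,SCADA-HMI02,svc_backup,10",
    "2023-11-01T02:21:09Z,5140,10.20.1.15,SCADA-ENG03,svc_backup,\\\\*\\ADMIN$",
    "2023-11-01T02:26:55Z,5140,10.20.1.15,SCADA-ENG04,svc_backup,\\\\*\\C$",
    "2023-11-01T09:00:00Z,4624,10.20.5.40,FILESRV01,jdoe,3",          # network logon, benign
    "2023-11-01T09:05:00Z,5140,10.20.5.40,FILESRV01,jdoe,\\\\*\\Engineering",  # user share
    "2023-11-02T14:00:00Z,4624,10.20.5.41,SCADA-HIST01,asmith,10",    # one RDP hop only
]

ADMIN_SHARES = {"ADMIN$", "C$", "D$", "IPC$"}
RDP_LOGON_TYPE = "10"  # LogonType 10 = RemoteInteractive (RDP)


def parse_events(lines):
    """Parse the constructed CSV layout into dicts with a tz-aware timestamp."""
    events = []
    for line in lines:
        ts, event_id, src, dst, account, detail = line.strip().split(",", 5)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": event_id, "src": src, "dst": dst,
            "account": account, "detail": detail,
        })
    return events


def is_lateral_hop(ev):
    """True for an RDP logon or access to an administrative SMB share."""
    if ev["event_id"] == "4624":
        return ev["detail"] == RDP_LOGON_TYPE
    if ev["event_id"] == "5140":
        share = ev["detail"].rsplit("\\", 1)[-1].upper()  # last path component
        return share in ADMIN_SHARES
    return False


def detect_lateral_movement(events, window=timedelta(minutes=60), min_hosts=3):
    """Alert when one source reaches >= min_hosts distinct hosts via RDP or
    admin shares inside a sliding time window.  One alert per source."""
    hops = defaultdict(list)
    for ev in events:
        if is_lateral_hop(ev):
            hops[ev["src"]].append(ev)

    alerts = []
    for src, evs in hops.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            hosts, accounts, last = set(), set(), first
            for ev in evs[i:]:
                if ev["time"] - first["time"] > window:
                    break
                hosts.add(ev["dst"])
                accounts.add(ev["account"])
                last = ev
            if len(hosts) >= min_hosts:
                alerts.append({
                    "source": src,
                    "accounts": sorted(accounts),
                    "hosts": sorted(hosts),
                    "start": first["time"].isoformat(),
                    "end": last["time"].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(parse_events(SAMPLE_EVENTS)):
        print(f"[ALERT] {alert['source']} as {alert['accounts']} reached "
              f"{len(alert['hosts'])} hosts {alert['start']} .. {alert['end']}: {alert['hosts']}")
```

On the sample data only the 10.20.1.15 source trips the rule (four distinct SCADA hosts in about seventeen minutes); the single RDP session and the ordinary user-share access do not. The threshold and window are the tuning knobs: in an OT environment an engineering workstation or backup account may legitimately touch administrative shares on several hosts, so the baseline of normal fan-out per source must be established before this rule is useful, and a source that stays below the threshold for months, as a patient actor would, still has to be caught by other means such as correlating the hops with unusual logon hours or new source-to-destination pairs.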
The incident underscored the crucial role of OT-specific cybersecurity solutions for utilities and critical infrastructure. Dragos emphasized the importance of having the right tools and expert support to effectively combat such threats. As attacks on critical infrastructure continue to rise, experts are warning that small utilities must be just as prepared as larger corporations, as attackers are increasingly targeting organizations of all sizes.
Gunter Ollmann, Chief Technology Officer at Cobalt, highlighted Volt Typhoon’s use of zero-days and its strategic targeting of industries with inadequate security measures. Ollmann stressed the need for regular assessments of vulnerabilities within an organization’s systems to prevent such attacks effectively.
The prolonged lifespan of devices in critical infrastructure poses a significant challenge for cybersecurity. Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, pointed out that legacy best practices may not be sufficient against modern threats. Attackers are aware of the uptime requirements of critical infrastructure providers, allowing them to plan targeted attacks once a device is compromised.
Nathaniel Jones, Vice President of Threat Research at Darktrace, mentioned the evolving tactics of threat actors targeting critical national infrastructure (CNI). Groups like Volt Typhoon are building vast botnets of IoT and Internet-facing devices to evade detection and attribution. Jones stressed the importance of good cyber hygiene, proactive security measures, and collaboration between IT and OT teams to defend against these increasingly sophisticated attacks.
Donovan Tindill, Director of OT Cybersecurity at DeNexus, highlighted the challenges faced by all organizations in detecting and responding to threat actors within their network environments. Tindill emphasized the need for strict network isolation and adherence to cybersecurity best practices outlined under NERC CIP regulations.
Agnidipta Sarkar, Vice President of CISO Advisory at ColorTokens, emphasized the need for foundational cyber defense capabilities to limit the impact of cyberattacks on OT/ICS entities. Sarkar encouraged a shift toward preventing the proliferation of attacks, rather than solely focusing on stopping individual incidents.
Overall, the breach at LELWD serves as a stark reminder of the persistent and evolving threats faced by critical infrastructure providers. As attacks become more sophisticated and widespread, organizations must prioritize cybersecurity measures to safeguard their operations and infrastructure from malicious actors.