
Dragos has confirmed that Volt Typhoon, a Chinese state-sponsored threat group, maintained covert access to the network of Littleton Electric Light and Water Department (LELWD) in Massachusetts for over 300 days.
The attack, linked to the VOLTZITE group — a subset of Volt Typhoon — marks the first documented case of this advanced persistent threat (APT) infiltrating a U.S. power utility.
The breach was first uncovered in November 2023, when the FBI alerted LELWD to a potential network compromise just before Thanksgiving. The Dragos Platform, which had been deployed at the utility in August 2023 but had not yet fully integrated OT Watch, was immediately leveraged to investigate the intrusion. It was soon discovered that the attackers had been inside LELWD's network since February 2023, gathering operational technology (OT) data, including SCADA-related information, geospatial intelligence, and other details critical to energy grid operations.
Chinese reconnaissance operations
Unlike typical ransomware attacks or disruptive cyber operations, Volt Typhoon is known for its stealthy, espionage-driven approach. The hackers infiltrated LELWD's network and remained undetected for nearly a year, mapping its infrastructure and exfiltrating OT-specific data. The long dwell time suggests that the group was focused on reconnaissance, potentially laying the groundwork for future disruptive attacks.
The breach involved several key aspects that highlight the sophistication of the attack. The hackers engaged in SCADA and OT data theft, extracting detailed insights into the utility's operational framework. This information could allow them to pinpoint vulnerabilities for future exploitation, potentially setting the stage for more disruptive attacks.
They also demonstrated persistent access, maintaining a foothold in the system for nearly a year without triggering alerts — an indication of their patience and technical expertise. Additionally, Volt Typhoon relied on living-off-the-land techniques, using built-in system tools to evade detection and bypass traditional signature-based defenses, making their presence far more difficult to identify.
Response and risk to national security
Once the breach was confirmed, Dragos worked closely with the FBI, the Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) to contain and remediate the threat. The attackers' movements were traced through Server Message Block (SMB) traversal maneuvers and Remote Desktop Protocol (RDP) lateral movement, indicating an effort to spread within the network.
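The SMB and RDP lateral movement described above leaves a recognisable trail in Windows Security logs: RDP sessions appear as event 4624 with logon type 10, SMB network logons as 4624 with logon type 3, and administrative share access as event 5140. The following Python is an added illustration of how a defender can correlate those events into a lateral-movement alert; it is not Dragos's detection logic or any artifact from the LELWD investigation. The event IDs and logon types are the standard Windows values, while the host names, accounts, IP addresses and timestamps are constructed for the example.

```python
"""Toy lateral-movement detector over constructed Windows Security events.

Assumption (not from the Dragos report): events arrive pre-parsed as dicts
with the fields used below; a real deployment would pull them from a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}   # shares typically abused for SMB traversal
WINDOW = timedelta(minutes=30)            # how quickly hosts must be touched to alert

# Constructed sample events (hypothetical hosts and accounts, not real data).
SAMPLE_EVENTS = [
    # one account, one source IP, three hosts in under ten minutes: RDP, C$, RDP
    {"ts": "2023-02-14T01:02:00", "host": "HMI-01", "event_id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "10.10.5.23"},
    {"ts": "2023-02-14T01:05:10", "host": "HIST-01", "event_id": 5140,
     "user": "svc_backup", "src_ip": "10.10.5.23", "share": "\\\\*\\C$"},
    {"ts": "2023-02-14T01:09:45", "host": "SCADA-SRV", "event_id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "10.10.5.23"},
    # benign: a console logon and one ordinary file-share access
    {"ts": "2023-02-14T08:00:00", "host": "ENG-WS-07", "event_id": 4624,
     "logon_type": 2, "user": "jdoe", "src_ip": "-"},
    {"ts": "2023-02-14T08:30:00", "host": "FILE-01", "event_id": 5140,
     "user": "jdoe", "src_ip": "10.10.7.40", "share": "\\\\*\\Projects"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def classify(event):
    """Return a technique label for remote-access events, or None if benign."""
    if event["event_id"] == 4624:
        if event.get("logon_type") == 10:
            return "rdp_logon"          # RemoteInteractive: an RDP session
        if event.get("logon_type") == 3:
            return "network_logon"      # Network: SMB or similar
        return None                     # console, service, batch ... not remote
    if event["event_id"] == 5140:
        # Share names look like \\*\C$ or \\server\Projects; compare the last component.
        share = event.get("share", "").rstrip("\\").split("\\")[-1].upper()
        return "admin_share" if share in ADMIN_SHARES else None
    return None


def detect_lateral_movement(events, window=WINDOW, min_hosts=2):
    """Alert when one (user, source IP) touches >= min_hosts distinct hosts
    via RDP, network logon or admin shares inside the sliding window."""
    by_actor = defaultdict(list)
    for event in events:
        technique = classify(event)
        if technique:
            by_actor[(event["user"], event["src_ip"])].append((event, technique))

    alerts = []
    for (user, src_ip), items in by_actor.items():
        items.sort(key=lambda item: parse_ts(item[0]["ts"]))
        start = 0
        for end, (event, _) in enumerate(items):
            # slide the window start forward until it fits inside `window`
            while parse_ts(event["ts"]) - parse_ts(items[start][0]["ts"]) > window:
                start += 1
            hosts_in_window = {e["host"] for e, _ in items[start:end + 1]}
            if len(hosts_in_window) >= min_hosts:
                alerts.append({
                    "user": user,
                    "src_ip": src_ip,
                    "hosts": sorted({e["host"] for e, _ in items}),
                    "techniques": sorted({t for _, t in items}),
                    "first": items[0][0]["ts"],
                    "last": items[-1][0]["ts"],
                })
                break   # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{alert['user']} from {alert['src_ip']} reached "
              f"{', '.join(alert['hosts'])} via {', '.join(alert['techniques'])} "
              f"between {alert['first']} and {alert['last']}")
```

Run against the sample, the detector raises one alert for the service account that hopped across three hosts and stays quiet for the engineer's console logon and project-share access. In a real OT environment the same correlation would be keyed to the set of accounts and jump hosts that are actually authorised to reach SCADA systems, so that an unexpected actor crossing that boundary, even slowly, stands out rather than blending into routine administration.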
Fortunately, the investigation determined that no customer-sensitive data was compromised. However, the breach underscores the evolving risk landscape for U.S. critical infrastructure, highlighting the need for stronger OT cybersecurity measures. Given Volt Typhoon's track record of targeting telecommunications, defense, and energy sectors, this incident represents a significant escalation in their operations against American utilities.