Industrial cybersecurity firm Dragos has revealed that a small electric and water utility in Massachusetts was breached by a sophisticated Chinese advanced persistent threat (APT) group for over 300 days.
The attack targeted Littleton Electric Light and Water Departments (LELWD), which serves the towns of Littleton and Boxborough. According to a Dragos case study, the APT group, known as Volt Typhoon, had been inside LELWD’s network since February 2023 but was only discovered in November 2023, just before Thanksgiving.
Volt Typhoon, a group linked to the Chinese government, was first publicly identified by Microsoft in May 2023. Since then, the group has been tied to multiple attacks on critical U.S. infrastructure, including energy, water, and communications networks. Dragos tracks a related threat group under the name VOLTZITE, known for attacking industrial entities.
Strengthening Defenses
At the time of the attack, LELWD had already started working with Dragos to strengthen its cybersecurity defenses. However, once the intrusion was found, the utility was forced to speed up its security efforts.
Using Dragos’ Operational Technology (OT) security tools, LELWD and Dragos’ specialized OT Watch team quickly investigated the hackers’ actions. They found that the attackers had used advanced methods to move through the network, including server message block traversal and remote desktop protocol lateral movement — techniques that could allow hackers to reach critical systems.
Fortunately, no sensitive customer data was compromised, and the utility was able to adjust its network to block further hacker access.
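The SMB and RDP lateral movement described above leaves a recognisable trace in Windows Security logs: successful logon events (Event ID 4624) with logon type 3 (network, which an SMB session produces) or logon type 10 (RemoteInteractive, which an RDP session produces). The script below is an added example, not part of the Dragos case study or any Dragos tooling, showing the fan-out heuristic an OT monitoring team might run over such events: one account reaching several distinct hosts over those logon types within a short window, from a source that is not an approved jump host. The events, the jump-host address and the thresholds are all constructed assumptions for illustration.

```python
"""Lateral-movement triage over Windows 4624 logon events.

Added example, not code from the case study. The sample events, the
approved jump host and the thresholds below are constructed assumptions.
Logon type 3 is what an SMB share or admin-share access produces; logon
type 10 is what an RDP session produces. Interactive console logons
(type 2) are ignored because they are not remote.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the incident). Fields mirror the
# parts of a 4624 record that matter here.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T02:01:10", "account": "svc_backup", "src": "10.10.5.23",
     "dst": "HMI-01", "logon_type": 3},
    {"time": "2024-01-15T02:05:40", "account": "svc_backup", "src": "10.10.5.23",
     "dst": "ENG-WS-02", "logon_type": 10},
    {"time": "2024-01-15T02:14:02", "account": "svc_backup", "src": "10.10.5.23",
     "dst": "HISTORIAN", "logon_type": 3},
    {"time": "2024-01-15T02:20:00", "account": "svc_backup", "src": "10.10.5.23",
     "dst": "PLC-GW", "logon_type": 3},
    # Same account hours later: outside the window, not counted.
    {"time": "2024-01-15T15:00:00", "account": "svc_backup", "src": "10.10.5.23",
     "dst": "NAS-01", "logon_type": 3},
    # Administrator working from the approved jump host: expected.
    {"time": "2024-01-15T09:00:00", "account": "ot_admin", "src": "10.10.1.5",
     "dst": "HMI-01", "logon_type": 10},
    {"time": "2024-01-15T09:02:00", "account": "ot_admin", "src": "10.10.1.5",
     "dst": "HISTORIAN", "logon_type": 10},
    {"time": "2024-01-15T09:04:00", "account": "ot_admin", "src": "10.10.1.5",
     "dst": "PLC-GW", "logon_type": 10},
    # A user repeatedly opening one file share: one destination only.
    {"time": "2024-01-15T09:00:00", "account": "jdoe", "src": "10.10.7.40",
     "dst": "FILESRV", "logon_type": 3},
    {"time": "2024-01-15T09:30:00", "account": "jdoe", "src": "10.10.7.40",
     "dst": "FILESRV", "logon_type": 3},
    {"time": "2024-01-15T09:31:00", "account": "jdoe", "src": "10.10.7.40",
     "dst": "ENG-WS-05", "logon_type": 2},  # console logon, ignored
]

APPROVED_JUMP_HOSTS = {"10.10.1.5"}          # assumption: the site's admin jump host
LATERAL_LOGON_TYPES = {3: "SMB/network", 10: "RDP"}


def parse_time(stamp):
    """ISO-8601 timestamp string to datetime."""
    return datetime.fromisoformat(stamp)


def find_fan_out(events, window=timedelta(minutes=30), threshold=3,
                 approved=APPROVED_JUMP_HOSTS):
    """Return one alert per (account, source) that reaches `threshold` or more
    distinct hosts over SMB/RDP logons inside any `window`-long span."""
    groups = defaultdict(list)
    for ev in events:
        if ev["logon_type"] not in LATERAL_LOGON_TYPES or ev["src"] in approved:
            continue
        groups[(ev["account"], ev["src"])].append(ev)

    alerts = []
    for (account, src), evs in groups.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        for i, start in enumerate(evs):
            t0 = parse_time(start["time"])
            targets = {}
            for ev in evs[i:]:
                if parse_time(ev["time"]) - t0 > window:
                    break
                targets.setdefault(ev["dst"], LATERAL_LOGON_TYPES[ev["logon_type"]])
            if len(targets) >= threshold:
                alerts.append({"account": account, "src": src,
                               "first_seen": start["time"],
                               "targets": dict(sorted(targets.items()))})
                break  # one alert per account/source pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_fan_out(SAMPLE_EVENTS):
        print(f"{alert['account']}@{alert['src']} from {alert['first_seen']}: "
              f"{len(alert['targets'])} hosts {alert['targets']}")
```

The approved-host allowlist is what keeps the rule quiet for legitimate administration; in a NERC CIP style design that list is the intermediary system, and any RDP or SMB fan-out from anywhere else is worth a ticket.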
Hard Lessons Learned
This incident shows how important OT-specific cybersecurity solutions are for utilities and critical infrastructure. LELWD’s quick response, aided by Dragos, helped remove the bad actors and secure the network.
“Having the right tools and expert support is essential when facing these kinds of threats,” Dragos said in its case study.
As attacks on US critical infrastructure become more common, experts say small utilities need to be just as prepared as large companies since attackers are now targeting organizations of all sizes.
Targeting Entities Behind in Security
“Volt Typhoon’s persistent capabilities often begin with the use of zero-days, and it makes sense to target industries that are often behind in their security procedures,” says Gunter Ollmann, CTO at Cobalt.
“While the main cause for concern here is certainly the length of time that attackers will dwell within a network to exfiltrate data or move laterally throughout networks, the key indicator of how to truly prevent these issues is once again down to having regular assessments of vulnerabilities within the tools you use. With offensive security measures, attackers trying to enter your network via vulnerabilities can be stopped in their tracks.”
Long Lifespan of Devices
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, says one of the biggest challenges with cybersecurity in critical infrastructure is the long lifespan of the devices. “Something that was designed and tested to the best practices available when it was released can easily become vulnerable to attacks using more sophisticated attacks later in its lifecycle. In effect, legacy best practices may not be up to the task of mitigating current threats, or worse, those that might be deployed in the coming years.”
Mackey says that since bad actors know critical infrastructure providers are measured on their uptime or service availability, once a device is compromised they have the luxury of mapping out and planning a very targeted attack rather than just being opportunistic.
Varying Methods, Long Term Goals
The varying methods of attack and long-term orientation of goals by malefactors will present unique challenges to CNI entities, says Nathaniel Jones, Vice President of Threat Research at Darktrace. “Many instances of CNI compromise have stemmed from the exploitation of internet-facing devices through both zero-day and known exploits. Even when CVE exploitation was not present, threat actors can and will rely on perimeter devices running external remote services for access. Indicators of Compromise (IoCs) are also increasingly proving less effective at deterring such attacks.”
Groups, such as Volt Typhoon, continue to build vast botnets of Internet of Things (IoT) and Internet-facing devices by exploiting unpatched systems, Jones explains. “Usage of these botnets and operational relay networks will assist in evading detection and attribution, as evidenced in specific cases investigated by the Darktrace team. Generally, APTs targeting CNI sectors are also increasingly relying on Living off the Land (LOTL) tactics to remain undetected.”
Aims Based on Operating Context
Malicious groups exploiting CNI networks may have differing aims based on their operating context, continues Jones. Certain APT groups may not have immediate objectives once persistence is obtained within CNI networks. State-sponsored actors may take a lay-and-wait approach, lurking within networks with minimal activity beyond beaconing, only increasing activity when outside strategic conditions change.
Certain threat actors will also leverage malware aimed at causing immediate disruption to suit their goals, says Jones. “This threat is particularly relevant for organizations with OT and ICS environments. As OT becomes more integrated with IT systems, it presents more opportunities for attackers. OT security is strongest when supported by robust IT security, requiring coordination between IT and OT teams to defend the entire network. By adopting good cyber hygiene, proactively securing your digital estate, and addressing any vulnerabilities before they can be exploited, organizations will be much better equipped to defend their networks against increasingly opportunistic threat actors.”
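The lay-and-wait behaviour Jones describes, long periods with little traffic beyond beaconing, is exactly what IoC lists miss and what behavioural analysis can catch: a beacon calls home on a roughly fixed schedule, so the gaps between connections from one internal host to one external address are unusually regular compared with human-driven traffic. The script below is an added example, not Darktrace's or Dragos' code, that scores source/destination pairs in flow records by the coefficient of variation of their inter-connection gaps. The flow records, the hour-long interval and the cut-offs are constructed assumptions.

```python
"""Beacon-candidate scoring over flow records (added example, constructed data).

For each (src, dst) pair with enough connections, compute the gaps between
consecutive connections and the coefficient of variation (stdev / mean).
A low CV means a regular schedule, which is the signature of automated
check-ins; browsing and file transfers are far more irregular.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 15, 0, 0, 0)  # constructed start of the capture


def _flows(src, dst, offsets):
    """Build constructed flow records from second offsets after BASE."""
    return [{"time": (BASE + timedelta(seconds=s)).isoformat(),
             "src": src, "dst": dst} for s in offsets]


# Constructed sample: an hourly check-in with a little jitter, an interactive
# user talking to a web service, and a pair with too few connections to judge.
SAMPLE_FLOWS = (
    _flows("10.10.5.23", "203.0.113.9", [0, 3590, 7220, 10790, 14410, 18010, 21600])
    + _flows("10.10.7.40", "198.51.100.20", [0, 45, 900, 960, 4000, 4100, 9000])
    + _flows("10.10.7.41", "198.51.100.33", [0, 3600])
)


def beacon_candidates(flows, min_connections=6, max_cv=0.2):
    """Return pairs whose connection gaps are regular enough to look automated."""
    pairs = defaultdict(list)
    for f in flows:
        pairs[(f["src"], f["dst"])].append(datetime.fromisoformat(f["time"]))

    candidates = []
    for (src, dst), times in pairs.items():
        if len(times) < min_connections:
            continue  # not enough samples to say anything about regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            candidates.append({"src": src, "dst": dst, "connections": len(times),
                               "median_gap_s": statistics.median(gaps),
                               "cv": round(cv, 3)})
    return candidates


if __name__ == "__main__":
    for c in beacon_candidates(SAMPLE_FLOWS):
        print(f"{c['src']} -> {c['dst']}: {c['connections']} connections, "
              f"median gap {c['median_gap_s']:.0f}s, cv={c['cv']}")
```

On an OT network the external side of such a pair is the interesting part: a controller, HMI or engineering workstation should rarely need to talk to the Internet at all, so even a low-confidence regular-interval hit from one of those hosts deserves a look regardless of whether the destination appears on any IoC list.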
Facing the Same Challenges
Donovan Tindill, Director of OT Cybersecurity at DeNexus, says that, as described in the Dragos case study, all firms face the same challenges (limited network visibility, identifying vulnerabilities, lack of skills, shared networks), and this makes it hard to identify, detect, and respond to threat actors within the environment.
“The fact the actor was in the environment for over 300 days is an indication of the organization’s detection capabilities. The most important OT lockdown will be its isolation from the business network, Internet, and remote access. The requirements for US Owner/Operators under NERC CIP for intermediary remote access, electronic security perimeters, and continuous monitoring are good practices that all OT industrials should apply to restrict access into their systems,” says Tindill.
Focus on Stopping the Proliferation of Attacks
Agnidipta Sarkar, Vice President of CISO Advisory at ColorTokens, adds that attack sophistication is on the rise, and OT/ICS entities shut down when faced with a cyberattack. “Unfortunately, cyber OT leadership is focusing on stopping attacks instead of stopping the proliferation of attacks. We now know that it is not if, but when, the cyberattacks should happen. It’s time to invest in foundational cyber defense capabilities to dynamically change attack paths to limit the impact of any attack.”
Information Security Buzz News Editor: Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.