New research from security firm Dragos finds that Volt Typhoon, one of the primary groups of state-sponsored Chinese hackers menacing the US of late, was able to dwell in the electric grid for more than 300 days beginning in early 2023.
Volt Typhoon penetrated a Massachusetts public power utility and used the access to quietly collect sensitive operational technology (OT) data. This information would be of interest in identifying the most vulnerable parts of the grid to hit in the event of an attack, reflecting broader ongoing concern about the various “Typhoon” groups positioning themselves within critical infrastructure and communications networks.
Volt Typhoon appeared to be gathering data usable in future shutdown attempts
According to the security researchers, Volt Typhoon compromised regional power provider Littleton Electric Light and Water Departments (LELWD) in February 2023. The breach was discovered in November 2023 when LELWD engaged Dragos as an OT security solutions provider. The initial breach took place about three months before Volt Typhoon began grabbing headlines in the wake of a Microsoft security report detailing its operations against US critical infrastructure.
The Dragos researchers say that Volt Typhoon’s MO is to quietly gather OT data from electric grid providers (and other critical infrastructure sectors) without causing disruption. This points to an intent to gather information on weak spots and store it away in the event of future conflict, something reinforced by research from Microsoft and other security firms into China’s state-supported hacking projects.
The researchers also found evidence that Volt Typhoon was targeting other electric grid providers throughout North America with active attacks during this period, and may have been targeting providers in Africa as well. The group also ranged beyond the electric grid to attack telecom companies and emergency services such as regional geographic information systems (GIS). CISA has previously tied Volt Typhoon to similar compromises in Guam, a major military base for the US in the Pacific.
The Dragos researchers say that the Volt Typhoon hackers were removed from LELWD during an expedited deployment of security services in November 2023, but only minimal detail about the incident can be publicly shared. CISA has previously said that there are likely more victims of the group out there that have not yet been identified and that some other compromises by Chinese state-sponsored sources have lasted as long as five years before being detected.
Unpleasant electric grid surprises continue to be uncovered
Though Volt Typhoon came to mainstream attention in mid-2023 (and kicked off a continuing storm of concern about Chinese penetration into the US electric grid and other critical systems), this incident provides further evidence that the group was in operation well prior to the initial Microsoft report. It is also another indication that more victims are out there waiting to be discovered, as the hackers quietly position themselves for mass service disruption in the case of a war breaking out over Taiwan.
Volt Typhoon has typically drawn most of its power from a massive botnet that it built primarily by exploiting home and small office routers with known, unaddressed vulnerabilities, most of which had reached unsupported “end of life” status. A little over a year ago, the FBI was able to take down the primary “KV Botnet” used by the group. This did appear to slow it down somewhat, but the group is likely still exploiting unknowing victims, and its activities have been joined by other major threats such as Salt Typhoon.
China has consistently denied that its hacking teams are involved in these critical infrastructure campaigns, and paints the whole thing as a smear campaign. But research conducted by teams such as Dragos paints a different picture; these breaches inarguably occurred, yet the attackers show very little interest in stealing potentially valuable customer information or holding these systems hostage.
All of that said, Volt Typhoon and its cohorts are not necessarily deeply embedded in the electrical grid. A spokesperson from LELWD explained that the company only provides power to about 15,000 people in total in two small Massachusetts towns, and that it has no real access to the broader electrical grid. LELWD also says that the FBI told it there were about 200 other utility companies breached nationwide, but there is no indication of which ones or whether they are of a comparable size.
The incident also illustrates that even advanced state-sponsored hackers are relying to a great degree on simply walking through gaping holes in security. The LELWD compromise stemmed from a FortiGate 300D firewall vulnerability that had been patched by Fortinet in 2022, but the utility’s prior managed services provider had failed to apply the patch well into 2023. LELWD general manager Nick Lawler has said that no particular reason has emerged for the utility to be specifically targeted, and it is most likely that the hackers were combing for visible vulnerabilities.
Ensar Seker, Chief Security Officer at SOCRadar, provides some additional insight into potential impact on the electric grid: “The 300-day undetected presence underscores the need for better visibility in ICS/OT networks. Traditional IT-centric security approaches often fail to detect threats in air-gapped or segmented OT environments until adversaries attempt lateral movement or trigger suspicious activities. LELWD is a small public utility, but this attack demonstrates that threat actors don’t always go for high-profile targets first. Small, underfunded utilities can serve as low-hanging fruit, allowing adversaries to test tactics, develop footholds, and pivot toward larger targets. With China’s continued focus on US CI, the long-term concern is that such intrusions could eventually transition from intelligence gathering to active disruption—potentially affecting power grids, water systems, or transportation networks in times of geopolitical tension. Threat actors will increasingly compromise ICS security providers or managed service firms to gain access to multiple critical infrastructure targets at scale. This incident will likely lead to tighter US government scrutiny over critical infrastructure cybersecurity, pushing for mandatory threat hunting and network monitoring in OT environments. Since traditional security tools struggle in air-gapped OT environments, the adoption of AI-driven anomaly detection will become a priority for utilities to identify stealthy intrusions earlier.”
Evan Dornbush, former NSA cybersecurity expert, adds: “Attackers have an unfair and perpetual advantage because they monopolize output from the vulnerability research community. Until defenders can effectively engage the audience that produces the zero day exploits attackers rely on, defenders will always be reacting post-attack rather than taking proactive measures. The re-emergence of network threat detection is critical in adversary discovery. While overall I’m an AI skeptic, if there’s one area that continues to show promise, consider investing in AI-based NDR solutions, which Dragos’ marketing team reminds us can be very effective at picking out lateral movement and other abnormal traffic from your network, far more efficiently than log file analysis.”