A recent cybersecurity breach has thrown into stark relief the vulnerabilities affecting the energy grid in the United States. Security researchers from Dragos disclosed that the Volt Typhoon advanced persistent threat (APT) group, believed to be affiliated with China, maintained unauthorized access to the operational technology network of the Littleton Electric Light and Water Departments (LELWD) in Massachusetts for nearly a year.
The intrusion, lasting from February to November 2024, raised alarm bells regarding the security of critical national infrastructure. “One of the biggest challenges with cybersecurity in critical infrastructure is the long lifespan of the devices. Something that was designed and tested to the best practices available when it was released can easily become vulnerable to attacks using more sophisticated attacks later in its lifecycle,” said Tim Mackey, head of software supply chain risk strategy at Black Duck.
As concerns mount about the implications of artificial intelligence in cyber warfare, Nathaniel Jones, vice president of threat research at Darktrace, highlighted that the ramifications for critical national infrastructure are increasingly dangerous. He described the situation as a “continued and growing concern with the applications of AI-based capabilities for both offensive and defensive teams.”

The specific targeting of critical national infrastructure indicates that the motivations of groups like Volt Typhoon extend beyond mere data theft. Donovan Tindill, director of OT cybersecurity at DeNexus, elaborated on the potential geopolitical ramifications of such cyber intrusions, stating that attackers could manipulate operational technology systems to achieve specific goals. This includes:
- Manipulating OT systems for defined objectives
- Utilizing data for ransom or extortion
- Mapping the electrical grid’s structure to exploit vulnerabilities
- Identifying supply chain relationships for possible disruption
- Stealing proprietary intellectual property, including manufacturing processes
- Understanding internal systems configurations and operations
Looking Ahead
Dragos revealed that Volt Typhoon employed sophisticated techniques such as Server Message Block (SMB) traversal and Remote Desktop Protocol (RDP) lateral movement to navigate within the LELWD network. Fortunately, the utility was able to contain the intrusion and harden its network against future attacks. Notably, no customer-sensitive data was compromised during this incident.
Agnidipta Sarkar, vice president of CISO advisory at ColorTokens, emphasized the necessity for a proactive defense strategy. “Attack sophistication is on the rise, and OT/ICS organizations shut down when faced with a cyber-attack. Unfortunately, cyber OT leadership is focusing on stopping attacks instead of stopping the proliferation of attacks,” he stated.

The aim of the attackers was to gather intelligence, focusing on operational technology procedures and the spatial arrangements of the energy grid. “This information is crucial for planning future attacks targeting the OT network controlling physical functions,” asserted Josh Hanrahan, principal hunter at Dragos.
Through its OT Watch platform, Dragos was pivotal in detecting the intrusion and assisting LELWD in eradicating Volt Typhoon from its network. The firm provided extensive recommendations to bolster LELWD’s operational technology security, covering aspects such as asset visibility, threat detection and response, vulnerability management, and incident response best practices.
The emergence of Volt Typhoon, which has also been known by aliases like Bronze Silhouette and UNC3236, has raised red flags since it first drew public attention in May 2023. The group is notorious for targeting a range of sectors including military bases, telecom firms, and even emergency management organizations across U.S. territories. Their preferred method for initial network access often involves utilizing a botnet created through the compromise of SOHO (Small Office/Home Office) routers.
Despite law enforcement efforts to dismantle some of these botnets, Dragos warns that the threat posed by Volt Typhoon and its affiliates remains persistent, particularly in relation to critical infrastructure in the U.S. and allied nations. The evolving landscape of cyber threats necessitates that organizations fortify their defenses with a comprehensive strategy. Key recommendations include thorough monitoring, asset inventory management, and effective response plans to mitigate risks.
Ultimately, ensuring the security of the U.S. energy grid is not just a technical necessity but a national imperative. The lessons learned from situations like the Volt Typhoon attack must be taken seriously as the stakes continue to rise in the realm of cybersecurity.