Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber Activity
Voltzite, the APTs subset that focuses on OT networks and critical infrastructure, has also compromised targets in Africa.
The portion of
Chinas Volt Typhoon
advanced persistent threat (APT) that focuses on infiltrating operational technology (OT) networks in critical infrastructure has already performed reconnaissance and enumeration of multiple US-based electric companies, while also targeting electric transmission and distribution organizations in African nations.
Thats according to OT security specialist Dragos, which found that the OT threat, which it has dubbed Voltzite, has been knocking on the door of compromising physical industrial control systems (ICSes) at electric-sector targets, though so far their incursions have been limited to the IT networks that connect to the OT footprint.
The findings corroborate recent declarations by the US government that the state-sponsored threat is
pre-positioning itself to be able to sow chaos
and disrupt the power grid domestically
in the case of military conflict
.
When we look at Volt Typhoon, that is an A-player team, a strategic adversary, well resourced and very sophisticated, said Robert M. Lee, founder and CEO at Dragos, during a media roundtable this week. And when we look at what we track, which is Voltzite, thats the OT portion and the OT focus [of that group]. We can validate US governments focus on Volt Typhoon, and we can validate their targeting of strategic electric sites.
In one case that Dragos investigated, Voltzite compromised a midsize electric utility in the US and managed to stay hidden for well over 300 days, according to Lee.
It was very clear that the adversary, though contained to the enterprise IT network, was explicitly trying to get into the OT network there, he explained. They were knocking on the door, they were doing everything that youd expect to explicitly get into the power operations networks.
Further analysis showed that the APT was hunting for data that could aid its efforts to cross over into physical control systems.
I can confirm that they were stealing a lot of OT-specific data and insights, and SCADA-related information and GIS-related information, and things that would be useful in future disruptive attacks, Lee explained. It was clear that Voltzite was specifically thinking about key targets and how to take down power in the future, based on what they were stealing.
To help keep the threat contained, Lee said the firm packaged up its threat intelligence findings from the incident response, sharing them with other potential Voltzite targets as well as the federal government.
Since being
publicly outed in May 2023
, Volt Typhoon (aka Bronze Silhouette, Vanguard Panda, and UNC3236) is known to have compromised the US territory of Guam, telecom providers, military bases, and the
United States emergency management organization
, among others.
Dragos own investigation uncovered evidence of
Volt Typhoon expansion
, and that Voltzite specifically had not only cast a wide net across US power companies and some targets in Africa, but that it overlaps with UTA0178, a threat activity cluster tracked by Volexity that was exploiting
Ivanti VPN zero-day vulnerabilities
at ICS targets back in December.
Further, last month Dragos discovered it conducting extensive reconnaissance of a US telecommunications providers external network gateways and found evidence that Voltzite compromised a large US citys emergency services geospatial information systems (GIS) network.
What is concerning to us is not just that theyve deployed very specific capabilities to do disruption, Lee said. The concern is the targets they have picked, across satellite, telecommunications, and electric power generation, transmission, and distribution, which he stressed are cherry-picked for their ability to cause the most disruption to American lives should they be taken offline.
The Dragos investigation showed that Voltzite uses various techniques for credential access and lateral movement once inside a network. Its hallmark, like that of the broader Volt Typhoon threat, is using legitimate tools and
living off the land (LotL)
to avoid signature detection.
One tactic includes the use of csvde.exe, a native Windows binary used for importing and exporting data from Active Directory Domain Services using the CSV file format. In other cases, it uses Volume Shadow Copies (i.e., cloned images of the Windows operating system that can be used as backups), and the extraction of the NTDS.dit Active Directory database from a domain controller, which enumerates user accounts, groups, and computers, and most importantly, contains the hashes of user passwords.
Under normal circumstances, the NTDS.dit file cannot be opened or copied as it is in use by Active Directory on the machine, according to Dragos annual OT threat report, which is due to be released next week. To circumvent this protection, adversaries commonly use the Volume Shadow Copy Service to create a cloned image of the operating system and save it to a disk. Then the adversary can exfiltrate the copy of NTDS.dit residing in the shadow copy with no issues, as that file version is not in use by any processes.
After that, Voltzite can perform hash cracking or use pass the hash techniques to authenticate as a user.
While Voltzite is known for using minimal tooling, it has used the FRP reverse proxy tool and multiple Web shells to channel data to a command-and-control (C2) server, according to the Dragos report, which contains a list of the LotL binaries that Voltzite is using.
While its disruptive intentions are clear, so far Dragos has not seen Voltzite successfully display actions or capabilities that could disrupt, degrade, or destroy ICS/OT assets or operations. That doesnt mean things wont change, however.
Aura Sabadus, an energy markets specialist at Independent Commodity Intelligence Services (ICIS), notes that attacks against energy utilities more than doubled between 2020 and 2022, with hackers disabling transmission systems or power plants. With new entrants like Volt Typhoon representing an existential threat to critical gas, electricity and water infrastructure, more investment will be necessary to ward off the worst-case scenario.
Although many utilities across the globe dedicate significant budgets to fight cyberattacks, many companies remain in reactive mode and do not seem to have a long-term strategy, she says. Large investments are needed to respond to the growing risks, but at the same time they may also be eating into the budgets that are required to scale up renewable forms of generation.
To bolster protection, Dragos recommends that organizations implement the SANS Institutes 5 Critical Controls for World-Class OT Cybersecurity:
Craft an operations-informed incident response (IR) plan with focused system integrity and recovery capabilities during an attack — exercises designed to reinforce risk scenarios and use cases tailored to the ICS environment.
Deploy architectures that support visibility, log collection, asset identification, segmentation, industrial demilitarized zones, and process-communication enforcement.
Continuous network security monitoring of the ICS environment with protocol-aware toolsets and system-of-systems interaction analysis capabilities used to inform operations of potential risks to control.
Identify and take inventory of all remote access points and allowed destination environments, on-demand access, and multifactor authentication (MFA), where possible, jump host environments.
Employ risk-based vulnerability management.
Tags:
Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber Activity