China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days
A case study published yesterday has detailed the intrusion attributed to the notorious Chinese threat actor Volt Typhoon into the US electric grid. The threat actors had been inside the network of the Littleton Electric Light and Water Departments (LELWD), a small public power utility in Massachusetts, for over 300 days.
Ensar Seker, Chief Security Officer at SOCRadar had this comment:
“This latest Volt Typhoon intrusion into the US electric grid is a serious escalation in cyber-enabled espionage, highlighting the vulnerabilities of critical infrastructure (CI) in the face of persistent threats from nation-state actors. The fact that Chinese hackers remained undetected for over 300 days inside a small public utility’s network is concerning, not only because of the extended dwell time but also because it reinforces the broader risks posed to larger, more complex CI networks.”
“This group is known for pre-positioning within US CI—not necessarily for immediate sabotage, but for future disruption scenarios. By embedding themselves in water and power utilities, they gain persistent access to industrial control systems (ICS) and operational technology (OT), which could be leveraged in a geopolitical crisis.”
“The 300-day undetected presence underscores the need for better visibility in ICS/OT networks. Traditional IT-centric security approaches often fail to detect threats in air-gapped or segmented OT environments until adversaries attempt lateral movement or trigger suspicious activities.”
“LELWD is a small public utility, but this attack demonstrates that threat actors don’t always go for high-profile targets first. Small, underfunded utilities can serve as low-hanging fruit, allowing adversaries to test tactics, develop footholds, and pivot toward larger targets.”
“With China’s continued focus on US CI, the long-term concern is that such intrusions could eventually transition from intelligence gathering to active disruption—potentially affecting power grids, water systems, or transportation networks in times of geopolitical tension.”
“Threat actors will increasingly compromise ICS security providers or managed service firms to gain access to multiple critical infrastructure targets at scale. This incident will likely lead to tighter US government scrutiny over critical infrastructure cybersecurity, pushing for mandatory threat hunting and network monitoring in OT environments.”
“Since traditional security tools struggle in air-gapped OT environments, the adoption of AI-driven anomaly detection will become a priority for utilities to identify stealthy intrusions earlier.”
Volt Typhoon is a today problem that needs immediate action at multiple levels. Sadly, that doesn't seem to be happening, which means that this threat actor, and others like it, are going to cause trouble for the foreseeable future.
UPDATE: James McQuiggan, Security Awareness Advocate at KnowBe4 adds this comment:
“Nation-state cyber actors continue to breach and gain access to critical U.S. infrastructure facilities and embed themselves, monitoring operations and preparing for future leverage or disruption.”
“The Volt Typhoon operation and other similar operating groups are evidence that the U.S. could enter into a cyber Cold War, with the enemy on the other side of the world going undetected for months while they exploit IT-OT gaps in an organization’s cybersecurity technology or users.”
“Organizations must move beyond passive monitoring to proactive threat hunting and network segmentation, and they must leverage the various intelligence sharing groups to work towards disrupting these persistent threats.”
“Cybersecurity is a continuous risk reduction effort with updated defense-in-depth cybersecurity initiatives to force adversaries to adjust constantly. Additionally, critical infrastructure must improve its resiliency to guard the nation’s infrastructure.”
UPDATE #2: Ted Miracco, CEO, Approov had this comment:
“Volt Typhoon’s 300-day foothold in the U.S. electric grid was a blueprint for future sabotage. Against nation-state actors this sophisticated, only a Zero Trust, intelligence-driven defense can outmatch their persistence. Assume compromise, segment ruthlessly, and hunt threats before they strike.”
Evan Dornbush, former NSA cybersecurity expert, follows with this:
“Attackers have an unfair and perpetual advantage because they monopolize output from the vulnerability research community. Until defenders can effectively engage the audience that produces the zero day exploits attackers rely on, defenders will always be reacting post-attack rather than taking proactive measures.
“The re-emergence of network threat detection is critical in adversary discovery. While overall I’m an AI skeptic, if there’s one area that continues to show promise, consider investing in AI-based NDR solutions, which Dragos’ marketing team reminds us can be very effective at picking out lateral movement and other abnormal traffic from your network, far more efficiently than log file analysis.”
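The detection approach that several of the commenters above point to, flagging lateral movement and first-seen IT-to-OT traffic against a learned baseline of who normally talks to whom rather than waiting for a malware signature, as an added example that is not part of the original post and is not code from Dragos or any other vendor named here. The subnets, port lists, flow records and thresholds are constructed for illustration; a real deployment would learn the baseline from weeks of flow telemetry and watch fan-out over days, since a patient actor moves slowly.

```python
"""Baseline-deviation detector for lateral movement in a flat utility network.

Added example, not code from the original post or from any vendor named in it.
The subnets, ports, flow records and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed layout: corporate IT segment and the OT/ICS segment.
IT_NET = ip_network("10.10.0.0/16")
OT_NET = ip_network("10.200.0.0/16")
# Ports an intruder uses to move between hosts with stolen credentials
# (SSH, RPC, SMB, RDP, WinRM) and ports that reach control equipment
# directly (Modbus/TCP, DNP3, EtherNet/IP). Constructed, not exhaustive.
LATERAL_PORTS = {22, 135, 445, 3389, 5985, 5986}
ICS_PORTS = {502, 20000, 44818}
FANOUT_THRESHOLD = 3  # distinct never-before-seen peers from one source


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    nbytes: int


def build_baseline(flows):
    """Learn the (src, dst, dport) triples observed in a known-good period."""
    return {(f.src, f.dst, f.dport) for f in flows}


def crosses_into_ot(src, dst):
    """True for a connection originating in IT and terminating in OT."""
    return ip_address(src) in IT_NET and ip_address(dst) in OT_NET


def detect(baseline, flows, fanout_threshold=FANOUT_THRESHOLD):
    """Return findings for flows that deviate from the learned baseline.

    Two behaviours are flagged, neither of which needs a malware signature:
      1. a first-seen IT -> OT connection on a remote-admin or ICS port;
      2. one host reaching several never-before-seen peers (scanning or
         credential-driven hopping across the network).
    """
    baseline_pairs = {(s, d) for s, d, _ in baseline}
    findings = []
    new_peers = defaultdict(set)  # src -> destinations never seen from it
    for f in flows:
        if (f.src, f.dst, f.dport) in baseline:
            continue  # normal traffic for this network
        if crosses_into_ot(f.src, f.dst) and f.dport in LATERAL_PORTS | ICS_PORTS:
            findings.append(("it_to_ot_new_path", f.src, f.dst, f.dport))
        if (f.src, f.dst) not in baseline_pairs:
            new_peers[f.src].add(f.dst)
    for src, peers in sorted(new_peers.items()):
        if len(peers) >= fanout_threshold:
            findings.append(("new_peer_fanout", src, len(peers)))
    return findings


# Constructed known-good flows: IT workstations to a file server, HMI to PLCs.
BASELINE_FLOWS = [
    Flow(1000, "10.10.1.5", "10.10.1.10", 445, 4096),
    Flow(1010, "10.10.1.7", "10.10.1.10", 445, 2048),
    Flow(1020, "10.200.1.20", "10.200.1.30", 502, 512),
    Flow(1030, "10.200.1.20", "10.200.1.31", 502, 512),
]
BASELINE = build_baseline(BASELINE_FLOWS)

# Constructed flows from a later window: a compromised IT workstation
# (10.10.1.5) RDPs to the HMI and then speaks Modbus straight to the PLCs.
SUSPECT_FLOWS = [
    Flow(9000, "10.10.1.5", "10.10.1.10", 445, 4096),    # still normal
    Flow(9005, "10.10.1.5", "10.200.1.20", 3389, 90000),  # IT -> OT RDP
    Flow(9100, "10.10.1.5", "10.200.1.30", 502, 300),     # IT -> PLC Modbus
    Flow(9105, "10.10.1.5", "10.200.1.31", 502, 300),     # IT -> PLC Modbus
    Flow(9200, "10.10.1.7", "10.10.1.12", 443, 700),      # new, but IT-only
]


def run():
    """Evaluate the suspect window against the baseline; returns the findings."""
    return detect(BASELINE, SUSPECT_FLOWS)


if __name__ == "__main__":
    for finding in run():
        print(*finding)
```

The point of the design is that nothing here depends on the intruder dropping a tool: a living-off-the-land actor using valid credentials and built-in RDP or SMB still has to generate network flows that the OT segment has never seen, and the IT-to-OT crossing on an admin or control-protocol port is what a segmentation policy should have blocked in the first place.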
This entry was posted on March 12, 2025 at 1:19 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.