Chinese Hackers Sat Undetected in Small Massachusetts Power Utility for Months

State-sponsored Volt Typhoon hackers were poking around the Littleton Electric Light and Water Departments for at least 300 days before the FBI gave the utility a heads up.

Emily Forlini, Senior Reporter


In late 2023, the general manager of a Massachusetts public utility company got a surprising phone call. It was an FBI agent, who told him that the Littleton Electric Light and Water Departments (LELWD) were being hacked.

Nick Lawler tells The Register that he initially thought it was a scam. But a notorious Chinese state-sponsored hacking group known as Volt Typhoon had indeed breached LELWD and was poking around its systems for over 300 days.

At the time, LELWD had been installing sensors from cybersecurity firm Dragos with the help of Department of Energy grants awarded by the American Public Power Association (APPA). "The sensors helped LELWD confirm the extent of the malicious activity on the system and pinpoint when and where the attackers were going on the utility’s networks," the APPA said last year.

Today, Dragos released a case study about the hack, which it blamed on Voltzite, a "sophisticated threat group...that overlaps with Volt Typhoon."

The call from the FBI forced Dragos "to deploy quickly and bypass the planned onboarding timeline" for the LELWD, it says. It discovered that Volt Typhoon "had persistent access to LELWD’s network."

“Hackers were looking for specific data related to [operational technology] operating procedures and spatial layout data relating to energy grid operations,” Dragos tells SecurityWeek. In the end, Dragos confirmed the compromised systems did not contain "customer-sensitive data," and LELWD changed their network architecture to kick Volt Typhoon out, the case study says.

Volt Typhoon has been active since 2021. As Microsoft outlined in 2023, Volt Typhoon focuses on "espionage and information gathering." It aims to breach and maintain access to critical systems as long as possible without detection.

A year ago, the FBI, NSA, and Cybersecurity and Infrastructure Security Agency (CISA) issued a 45-page report that said Salt Typhoon had been successfully infiltrating critical infrastructure systems in the US, and in some cases, maintaining access for more than five years.

It's now clear the LELWD was one of those targets. Groups like Volt Typhoon "don’t always go for high-profile targets first," Ensar Seker, Chief Security Officer at SOCRadar, tells us. "Small, underfunded utilities can serve as low-hanging fruit, allowing adversaries to test tactics, develop footholds, and pivot toward larger targets."

Lawler, the utility's general manager, told the APPA last year he was "operating without an in-house IT team."

Another Chinese hacking group known as Salt Typhoon made headlines last year for attacking US telecom companies, which Sen. Mark Warner (D-Va.) called the "worst telecom hack in our nation's history—by far."

Other groups, sponsored by adversaries like Iran and China, are trying to gain access to US critical infrastructure, including drinking water systems, the US Environmental Protection Agency (EPA) warned in May 2024.

"The Volt Typhoon operation and other similar operating groups are evidence that the US could enter into a cyber Cold War, with the enemy on the other side of the world going undetected for months while they exploit gaps in an organization's cybersecurity technology or users," James McQuiggan, Security Awareness Advocate at KnowBe4, tells us.
