The portion of China's Volt Typhoon advanced persistent threat (APT) that focuses on infiltrating operational technology (OT) networks in critical infrastructure has already performed reconnaissance and enumeration of multiple US-based electric companies, while also targeting electric transmission and distribution organizations in African nations.
That's according to OT security specialist Dragos, which found that the OT threat, which it has dubbed "Voltzite," has been "knocking on the door" of compromising physical industrial control systems (ICSes) at electric-sector targets, though so far its incursions have been limited to the IT networks that connect to the OT footprint.
The findings corroborate recent declarations by the US government that the state-sponsored threat is pre-positioning itself to be able to sow chaos and disrupt the power grid domestically in the case of military conflict.
"When we look at Volt Typhoon, that is an A-player team, a strategic adversary, well resourced and very sophisticated," said Robert M. Lee, founder and CEO at Dragos, during a media roundtable this week. "And when we look at what we track, which is Voltzite, that's the OT portion and the OT focus [of that group]. We can validate US government's focus on Volt Typhoon, and we can validate their targeting of strategic electric sites."
Case Study: Volt Typhoon Lurks Inside Midsize Power Company
In one case that Dragos investigated, Voltzite compromised a midsize electric utility in the US and managed to stay hidden "for well over 300 days," according to Lee.
"It was very clear that the adversary, though contained to the enterprise IT network, was explicitly trying to get into the OT network there," he explained. "They were knocking on the door, they were doing everything that you'd expect to explicitly get into the power operations networks."
Further analysis showed that the APT was hunting for data that could aid its efforts to cross over into physical control systems.
"I can confirm that they were stealing a lot of OT-specific data and insights, and SCADA-related information and GIS-related information, and things that would be useful in future disruptive attacks," Lee explained. "It was clear that Voltzite was specifically thinking about key targets and how to take down power in the future, based on what they were stealing."
To help keep the threat contained, Lee said the firm packaged up its threat intelligence findings from the incident response, sharing them with other potential Voltzite targets as well as the federal government.
Volt Typhoon Expands Activity
Since being publicly outed in May 2023, Volt Typhoon (aka Bronze Silhouette, Vanguard Panda, and UNC3236) is known to have compromised the US territory of Guam, telecom providers, military bases, and the United States emergency management organization, among others.
Dragos' own investigation uncovered evidence of Volt Typhoon expansion, and that Voltzite specifically had not only cast a wide net across US power companies and some targets in Africa, but that it overlaps with UTA0178, a threat activity cluster tracked by Volexity that was exploiting Ivanti VPN zero-day vulnerabilities at ICS targets back in December.
Further, last month Dragos discovered it conducting extensive reconnaissance of a US telecommunications provider's external network gateways and found evidence that Voltzite compromised a large US city's emergency services geospatial information systems (GIS) network.
"What is concerning to us is not just that they've deployed very specific capabilities to do disruption," Lee said. "The concern is the targets they have picked, across satellite, telecommunications, and electric power generation, transmission, and distribution," which he stressed are cherry-picked for their ability to cause the most disruption to American lives should they be taken offline.
Voltzite's Stealthy Cyber-Intrusion Tactics
The Dragos investigation showed that Voltzite uses various techniques for credential access and lateral movement once inside a network. Its hallmark, like that of the broader Volt Typhoon threat, is using legitimate tools and living off the land (LotL) to avoid signature detection.
One tactic is the use of csvde.exe, a native Windows binary for importing and exporting Active Directory Domain Services data in CSV format. In other cases, it has used Volume Shadow Copies (cloned images of the Windows operating system volume, normally used for backups) to extract the NTDS.dit Active Directory database from a domain controller; that database enumerates user accounts, groups, and computers and, most importantly, contains the hashes of user passwords.
"Under normal circumstances, the NTDS.dit file cannot be opened or copied as it is in use by Active Directory on the machine," according to Dragos' annual OT threat report, which is due to be released next week. "To circumvent this protection, adversaries commonly use the Volume Shadow Copy Service to create a cloned image of the operating system and save it to a disk. Then the adversary can exfiltrate the copy of NTDS.dit residing in the shadow copy with no issues, as that file version is not in use by any processes."
After that, Voltzite can perform hash cracking or use "pass the hash" techniques to authenticate as a user.
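The csvde.exe export and shadow-copy NTDS.dit access described above both leave process command lines that a defender can match on. The following is an added example of such detection logic, not code from Dragos or the report; it runs over constructed process-creation events (host, image, command line) and rates hosts, treating shadow-copy creation alone as low confidence because backup jobs do the same thing.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (host, image, command_line); not real logs.
SAMPLE_EVENTS = [
    ("DC01", r"C:\Windows\System32\csvde.exe",
     r"csvde.exe -f C:\Users\Public\ad_export.csv"),
    ("DC01", r"C:\Windows\System32\vssadmin.exe",
     r"vssadmin.exe create shadow /for=C:"),
    ("DC01", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Users\Public\n.dit"),
    ("BKP01", r"C:\Windows\System32\vssadmin.exe",
     r"vssadmin.exe create shadow /for=D:"),  # routine backup job on a non-DC: expected noise
    ("WS07", r"C:\Windows\System32\notepad.exe",
     r"notepad.exe C:\Users\alice\notes.txt"),
]

# Each rule: (name, compiled regex applied to the command line)
RULES = [
    ("csvde_export", re.compile(r"\bcsvde(\.exe)?\b.*\s-f\s", re.IGNORECASE)),
    ("vss_shadow_create", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.IGNORECASE)),
    ("ntds_from_shadow", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit\b", re.IGNORECASE)),
]

def match_events(events):
    """Return (host, rule_name, command_line) for every event matching a rule."""
    hits = []
    for host, _image, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((host, name, cmdline))
    return hits

def correlate(hits):
    """Group hits per host and rate them: shadow creation by itself is common (backups),
    so only shadow creation combined with NTDS.dit access from the shadow is rated high."""
    by_host = defaultdict(set)
    for host, name, _ in hits:
        by_host[host].add(name)
    verdicts = {}
    for host, names in by_host.items():
        if {"vss_shadow_create", "ntds_from_shadow"} <= names:
            verdicts[host] = "high"
        elif "ntds_from_shadow" in names or "csvde_export" in names:
            verdicts[host] = "medium"
        else:
            verdicts[host] = "low"
    return verdicts
```

In a real deployment the events would come from Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled, and the ntds_from_shadow rule should also be applied to file-access events on the domain controller.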
While Voltzite is known for using minimal tooling, it has used the FRP reverse proxy tool and multiple Web shells to channel data to a command-and-control (C2) server, according to the Dragos report, which contains a list of the LotL binaries that Voltzite is using.
Utilities Should Act Now on Cyber Defense
While its disruptive intentions are clear, so far Dragos has not seen Voltzite successfully display actions or capabilities that could disrupt, degrade, or destroy ICS/OT assets or operations. That doesn't mean things won't change, however.
Aura Sabadus, an energy markets specialist at Independent Commodity Intelligence Services (ICIS), notes that attacks against energy utilities more than doubled between 2020 and 2022, with hackers disabling transmission systems or power plants. With new entrants like Volt Typhoon representing an existential threat to critical gas, electricity and water infrastructure, more investment will be necessary to ward off the worst-case scenario.
"Although many utilities across the globe dedicate significant budgets to fight cyberattacks, many companies remain in reactive mode and do not seem to have a long-term strategy," she says. "Large investments are needed to respond to the growing risks, but at the same time they may also be eating into the budgets that are required to scale up renewable forms of generation."
To bolster protection, Dragos recommends that organizations implement the SANS Institute's 5 Critical Controls for World-Class OT Cybersecurity:
1. Craft an operations-informed incident response (IR) plan with focused system integrity and recovery capabilities during an attack — exercises designed to reinforce risk scenarios and use cases tailored to the ICS environment.
2. Deploy architectures that support visibility, log collection, asset identification, segmentation, industrial "demilitarized zones," and process-communication enforcement.
3. Continuously monitor network security in the ICS environment with protocol-aware toolsets and "system-of-systems" interaction analysis capabilities, and use the results to inform operations of potential risks to control.
4. Identify and inventory all remote access points and allowed destination environments, and enforce on-demand access, multifactor authentication (MFA), and, where possible, jump host environments.
5. Employ risk-based vulnerability management.