Summary: In a recent report and case study, Dragos details its work helping a combined electric and water utility remediate the impact of a cyber attack by the Chinese-affiliated threat group known as Volt Typhoon.
Analyst Note: Dragos stated this attack was later determined to be part of a larger effort by China’s government to preposition itself within U.S. critical infrastructure. The utility noticed its systems had been breached before Thanksgiving 2023 and, after further investigation, it was revealed that Volt Typhoon had been in the utility’s systems since February 2023, a 10-month period. Notably, the report indicates that Volt Typhoon’s apparent goals were not solely to maintain persistent access.
A Dragos expert explains: “The significance of the discovery of this attack is that it highlights that the adversary not only aimed to maintain persistent access to the victim's environment for a long tenure, but also was aiming to exfiltrate specific data related to OT operating procedures and spatial layout data relating to energy grid operations.”
Utilities are encouraged to review WaterISAC’s previous coverage of Volt Typhoon, review the remediation and mitigation recommendations included there, and remain alert to the ongoing threat climate.
Original Source: https://therecord.media/volt-typhoon-hackers-utility-months
Additional Reading:
- People's Republic of China Cyber Threat
- (TLP:CLEAR) WaterISAC Advisory – PRC-sponsored Volt Typhoon Activity and Supplemental Living Off the Land Guidance
- Threat Awareness – CISA and FBI Release Joint Statement as Volt Typhoon’s Botnet Resurfaces
- (TLP:AMBER) Volt Typhoon Cyber Tactics Warrant Proactive Defense of US Critical Infrastructure Networks
Related WaterISAC PIRs: 6, 6.1, 7, 7.1, 8, 9, 10, 10.2, 12