www.securitymagazine.com/articles/101469-chinese-threat-actor-resided-in-us-electric-grid-for-almost-one-year

Chinese threat actor resided in US electric grid for almost one year

March 17, 2025

A case study from Dragos discusses an intrusion into the United States electric grid associated with Volt Typhoon, a Chinese threat actor. 

The case study describes the intrusion of Littleton Electric Light and Water Departments (LELWD), a small public power utility based in Massachusetts and serving Littleton and Boxborough. The intrusion was detected while LELWD was in the process of installing an operational technology (OT) security solution, which led to an expedited deployment.

Mr. Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens, comments, “Attack sophistication is on the rise and OT/industrial control systems (ICS) organizations shut down when faced with a cyberattack. Unfortunately, cyber OT leadership are focusing on stopping attacks instead of stopping the proliferation of attacks. We now know that it is not if, but when, the cyberattacks should happen. It’s time to invest in foundational cyber defense capabilities to dynamically change attack paths to limit the impact of any attack.”

The intrusion was detected in November 2023, but an investigation revealed that Volt Typhoon had dwelled inside the network since February 2023. Below, cybersecurity experts share their insights. 

Security leaders weigh in 

Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck:

One of the biggest challenges with cybersecurity in critical infrastructure is the long lifespan of the devices. Something that was designed and tested to the best practices available when it was released can easily become vulnerable to attacks using more sophisticated attacks later in its lifecycle. In effect, legacy best practices may not be up to the task of mitigating current threats, or worse, those that might be deployed in the coming years. Since attackers know that critical infrastructure providers are measured in their up-time or service availability, once a device is compromised, attackers know that they have the luxury of mapping out and planning a very targeted attack rather than just being opportunistic.

Nathaniel Jones, Vice President of Threat Research at Darktrace:

Impact to critical national infrastructure (CNI) is a continued and growing concern with the applications of AI-based capabilities for both offensive and defensive teams. Over the past year, the Darktrace Threat Research Team has observed a significant, global increase in sophisticated threat actors targeting organizations within designated CNI. This trend is informed both by the heightened warnings from national intelligence agencies and by an overall focus of threat analysis on activity identified within customers in these industries. The targeting of CNI entities, and the subsequent operations following access, suggest threat actors may be building strategic pathways to yield geopolitical leverage in the event of conflict.

Moreover, malicious groups exploiting CNI networks may have differing aims based on their operating context. Some APT groups may not have immediate objectives once persistence is obtained within CNI networks. Potentially state-sponsored actors may take a lie-and-wait approach: opting to sit within networks with minimal activity beyond beaconing, only increasing activity when outside strategic conditions change. Certain threat actors will also leverage malware aimed at causing immediate disruption to suit their goals. This threat is particularly relevant for organizations with OT and ICS environments. Darktrace Threat Research analysts recently noted an uptick in attacks in the energy sector motivated by disruption. The means of disruption observed by Darktrace ranged from an OT-specific attack on a Canadian energy provider’s PLC motor in the SCADA environment at a field substation, to multiple Fog ransomware attacks that successfully led to encryption.

As OT becomes more integrated with IT systems, it presents more opportunities for attackers. OT security is strongest when supported by robust IT security, requiring coordination between IT and OT teams to defend the entire network. By adopting good cyber hygiene, proactively securing your digital estate, and addressing any vulnerabilities before they can be exploited, organizations will be much better equipped to defend their networks against increasingly opportunistic threat actors.
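As an added example (not code from the article, Dragos or Darktrace), the script below flags near-periodic, low-volume connection pairs in constructed flow records, the "minimal activity beyond beaconing" pattern Jones describes for actors that sit dormant for months; hostnames, the destination address, thresholds and the flow lines are all assumptions for illustration.

```python
"""Low-and-slow beaconing detector over constructed flow records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log lines: epoch seconds, source, destination, bytes sent.
SAMPLE_FLOWS = [
    # ws-17 -> 203.0.113.9 about every 3600 s, a few seconds of jitter, ~300 bytes
    *(f"{1700000000 + 3600 * i + (i % 3) * 5},ws-17,203.0.113.9,{280 + (i % 2) * 30}"
      for i in range(48)),
    # ws-17 -> intranet-portal: small transfers but irregular timing (normal browsing)
    *(f"{1700000000 + 1700 * i + (37 * i * i) % 5000},ws-17,intranet-portal,{900 + (i * 131) % 700}"
      for i in range(20)),
    # ws-17 -> update-mirror: few, bursty, large transfers
    "1700001000,ws-17,update-mirror,540000",
    "1700030000,ws-17,update-mirror,9100000",
    "1700090010,ws-17,update-mirror,400000",
]

def parse_flows(lines):
    """Group (timestamp, bytes) events by (src, dst) pair."""
    pairs = defaultdict(list)
    for line in lines:
        ts, src, dst, nbytes = line.split(",")
        pairs[(src, dst)].append((int(ts), int(nbytes)))
    return pairs

def beacon_candidates(lines, min_conns=12, max_cv=0.05, max_bytes=2000):
    """Return (src, dst, mean_interval_s) for pairs that look like beacons.

    A pair qualifies when it has at least min_conns connections, the
    coefficient of variation of its inter-connection gaps is below max_cv
    (near-periodic), and every transfer stays below max_bytes (low volume).
    """
    found = []
    for (src, dst), events in parse_flows(lines).items():
        if len(events) < min_conns:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg == 0 or pstdev(gaps) / avg > max_cv:
            continue  # jittery timing: typical user or batch traffic
        if max(nbytes for _, nbytes in events) > max_bytes:
            continue  # real data transfer, not a heartbeat
        found.append((src, dst, round(avg)))
    return found

if __name__ == "__main__":
    for src, dst, period in beacon_candidates(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

Real deployments would read NetFlow or firewall logs over weeks, since a dwell time of roughly 300 days means the signal only appears in long windows.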

Donovan Tindill, Director of OT Cybersecurity at DeNexus:

Focusing on the exfiltration of OT data, the difficulty of detecting it, and the best ways of exfiltrating it, OT data has the potential to be used for: 

  • Understanding the configuration & operation of the target system, 
  • Theft of intellectual property such as recipes, manufacturing procedures, techniques, etc. that can aid others in gaining a competitive advantage,
  • Identifying supply chain or third-party relationships, to cause an impact on a target through its relationships,
  • Gaining greater knowledge of the system as a whole, such as the design, operation, and behavior of a small portion of the electrical grid, and its criticality to the larger network,
  • Ransom/extortion,
  • Gaining knowledge in order to manipulate the OT system later towards a specific objective.

As described in the Dragos case study, all companies are faced with the same challenges (e.g., limited network visibility, identifying vulnerabilities, lack of skills, shared networks) and this makes it very difficult to identify, detect, and respond to threat actors within the environment. The fact that the actor was in the environment for over 300 days is an indication of the organization’s detection capabilities.

The most important OT lockdown will be its isolation from the business network, Internet, and remote access. The requirements for U.S. Owner/Operators under NERC CIP for intermediary remote access, electronic security perimeters, and continuous monitoring are good practices that all OT industrials should apply to restrict access into their systems.