Volt Typhoon hits several power companies and expands IT activity

The part of China's Volt Typhoon advanced persistent threat (APT) group that focuses on infiltrating operational technology (OT) networks in critical infrastructure has already carried out reconnaissance and enumeration of numerous US-based power companies, and has also targeted electrical transmission and distribution entities in African nations.

That's according to OT security specialist Dragos, which tracks the OT-focused part of the group as "Voltzite." The firm found that Voltzite has "knocked on the door" of compromising physical industrial control systems (ICS) at power-sector targets, although so far its incursions have been limited to the IT networks that connect to the OT footprint.

The findings corroborate recent statements by the US government that the state-sponsored group is pre-positioning itself to sow chaos and interrupt the national electricity grid in the event of a military conflict.

"When we look at Volt Typhoon, we see that it is a world-class team, a strategic adversary, well-resourced and very sophisticated," said Robert M. Lee, founder and CEO of Dragos, during a media roundtable this week. "And when we look at what we track, which is Voltzite, that's the OT part and the OT focus [of that group]. We can validate the US government's focus on Volt Typhoon and we can validate their attack on strategic power sites."

Case study: Volt Typhoon lurks inside a medium-sized electric utility

In one case Dragos investigated, Voltzite compromised a medium-sized power company in the United States and managed to remain hidden “for over 300 days,” according to Lee.

“It was very clear that the adversary, although confined to the corporate IT network, was explicitly trying to break into the OT network,” he explained. “They were knocking on the door, they were doing everything that you would expect to explicitly go into the energy operations networks.”

Further analysis showed that the APT was looking for data that could help its efforts to move into physical control systems.

“I can confirm that they were stealing a lot of OT-specific data and insights, SCADA and GIS-related information, and things that would be useful in future disruptive attacks,” Lee explained. “It was clear that Voltzite was thinking specifically about key targets and how to eliminate power in the future, based on what they were stealing.”

To help contain the threat, Lee said Dragos has been sharing the threat intelligence gathered during the incident response with other potential Voltzite targets and with the federal government.

Volt Typhoon expands its operations

Since it was first publicly exposed in May 2023, Volt Typhoon (also known as Bronze Silhouette, Vanguard Panda, and UNC3236) is known to have compromised targets in the US territory of Guam, telecommunications providers, military bases, and US emergency management organizations, among others.

Dragos' investigations uncovered evidence of Volt Typhoon's expansion, and showed that Voltzite specifically had not only cast a wide net across U.S. power companies and some targets in Africa, but also overlaps with UTA0178, a threat activity cluster tracked by Volexity that was exploiting Ivanti VPN zero-day vulnerabilities in pursuit of ICS objectives as early as December.

Additionally, last month Dragos found Voltzite conducting extensive reconnaissance of a U.S. telecommunications provider's external network gateways, and found evidence that Voltzite had compromised the emergency services geospatial information systems (GIS) network of a large city in the United States.

“What concerns us is not just that they have deployed very specific capabilities to create disruption,” Lee said. “The concern is about the targets they have chosen, through satellites, telecommunications and the generation, transmission and distribution of electrical energy,” which he stressed are carefully chosen for their ability to cause maximum disruption to American lives if they were to be taken offline.

Voltzite’s stealthy cyber intrusion tactics

Dragos' investigation showed that Voltzite uses several techniques for credential access and lateral movement once inside a network. Its hallmark, like that of the broader Volt Typhoon group, is the use of legitimate tools and living-off-the-land (LotL) techniques to evade signature-based detection.

One tactic is the use of csvde.exe, a Microsoft-signed binary shipped with the Active Directory Domain Services tools that imports and exports directory data in CSV format, to dump directory contents. In other cases, Voltzite creates volume shadow copies (point-in-time snapshots of a Windows volume, normally used for backups) and extracts the NTDS.dit Active Directory database from a domain controller; that file enumerates user accounts, groups, and computers and, most importantly, contains the hashes of users' passwords.

Information on Voltzite from Dragos

"Under normal circumstances, the NTDS.dit file cannot be opened or copied as it is in use by Active Directory on the machine," according to Dragos' annual OT threat report, which is expected to be released next week. "To bypass this protection, hackers commonly use the Volume Shadow Copy Service to create a cloned image of the operating system and save it to a disk. Then the adversary can exfiltrate the copy of NTDS.dit residing in the shadow copy without any problems, because that version of the file is not used by any process."
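The csvde.exe export and the shadow-copy route to NTDS.dit described in the two passages above leave distinctive process-creation telemetry, which is the practical place to catch LotL activity that signatures miss. The following is an added example, not Dragos' code or a Voltzite artifact: it scans process-creation records whose fields mirror Windows Security event 4688 / Sysmon event 1, and escalates when the shadow-copy step and NTDS.dit access land on the same host. It goes slightly beyond the page by also covering the common variants of the shadow-copy step (ntdsutil IFM, wmic shadowcopy, diskshadow) and the companion "reg save HKLM\SYSTEM" step, which captures the boot key needed to decrypt the hashes. The hostnames, users and command lines are constructed for illustration.

```python
"""Hunt for the NTDS.dit-via-Volume-Shadow-Copy and csvde.exe export tradecraft.

Added example, not Dragos' code or a Voltzite artifact. Scans process-creation
records (fields mirror Windows Security event 4688 / Sysmon event 1) for the
living-off-the-land command lines this technique requires. Sample events are
constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the created process
    command_line: str   # requires command-line auditing to be enabled for 4688


# (rule name, pattern over "image command_line", severity of the hit on its own).
# The vssadmin path is the one the Dragos report quotes; ntdsutil IFM, wmic and
# diskshadow are common variants. "reg save HKLM\SYSTEM" is the companion step:
# the boot key from the SYSTEM hive is needed to decrypt NTDS.dit hashes.
RULES = [
    ("shadow_copy_created",
     re.compile(r"vssadmin(\.exe)?\s+create\s+shadow"
                r"|wmic(\.exe)?\s+shadowcopy\s+call\s+create"
                r"|diskshadow(\.exe)?", re.I),
     "medium"),
    ("ntds_dit_access",
     re.compile(r"ntds\.dit|ntdsutil(\.exe)?\s.*\bifm\b", re.I),
     "high"),
    ("system_hive_saved",
     re.compile(r"reg(\.exe)?\s+save\s+hklm\\system", re.I),
     "medium"),
    ("ad_csv_export",
     re.compile(r"csvde(\.exe)?\s.*-f\s", re.I),
     "medium"),
]

# Constructed telemetry: DC01 shows the full extraction chain, WS042 a csvde
# export, BK02 a benign backup-operator command that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("DC01", "CORP\\svc_backup", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin create shadow /for=C:"),
    ProcessEvent("DC01", "CORP\\svc_backup", r"C:\Windows\System32\cmd.exe",
                 r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Temp\n.dit"),
    ProcessEvent("DC01", "CORP\\svc_backup", r"C:\Windows\System32\reg.exe",
                 "reg save HKLM\\SYSTEM C:\\Temp\\sys.hiv"),
    ProcessEvent("WS042", "CORP\\jdoe", r"C:\Windows\System32\csvde.exe",
                 "csvde -f C:\\Users\\Public\\ad_export.csv"),
    ProcessEvent("WS042", "CORP\\jdoe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe report.txt"),
    ProcessEvent("BK02", "CORP\\svc_backup", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows"),
]


def match_rules(event):
    """Return (rule, severity) pairs whose pattern matches the image + command line."""
    text = f"{event.image} {event.command_line}"
    return [(name, sev) for name, pat, sev in RULES if pat.search(text)]


def hunt(events):
    """Group hits per host. A shadow copy plus NTDS.dit access on the same host
    is the extraction chain and is reported once, as critical; lone hits are
    reported at their own severity."""
    per_host = {}
    for ev in events:
        for name, sev in match_rules(ev):
            per_host.setdefault(ev.host, {})[name] = sev
    findings = []
    for host, hits in sorted(per_host.items()):
        if all(k in hits for k in ("shadow_copy_created", "ntds_dit_access")):
            findings.append({"host": host, "severity": "critical",
                             "rule": "ntds_extraction_chain", "hits": sorted(hits)})
        else:
            for name, sev in sorted(hits.items()):
                findings.append({"host": host, "severity": sev,
                                 "rule": name, "hits": [name]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['severity']:8} {f['host']:6} {f['rule']}  hits={f['hits']}")
```

Two caveats when running this against real telemetry: 4688 only carries the command line if "Include command line in process creation events" is enabled, and backup agents legitimately create shadow copies, which is why the chain (shadow copy plus NTDS.dit access on one host) is what escalates rather than either step alone.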

Subsequently, Voltzite can crack the hashes offline or use pass-the-hash techniques to authenticate as those users.

While Voltzite is known for using a minimal toolset, it has used the FRP (fast reverse proxy) tool and multiple web shells to funnel data to a command-and-control (C2) server, according to the Dragos report, which includes a list of the LotL binaries Voltzite uses.

Utilities should act now on cyber defense

While its disruptive intent is clear, Dragos has so far not seen Voltzite demonstrate actions or capabilities that could disrupt, degrade, or destroy ICS/OT assets or operations. That does not mean this will not change.

Aura Sabadus, energy markets specialist at Independent Commodity Intelligence Services (ICIS), notes that attacks against energy utilities more than doubled between 2020 and 2022, with hackers disabling transmission systems or power plants. With new entrants like Volt Typhoon posing an existential threat to critical gas, electricity and water infrastructure, increased investment will be needed to avert the worst-case scenario.

"Although many utilities around the world dedicate significant budgets to combating cyber attacks, many companies remain in reactive mode and do not appear to have a long-term strategy," Sabadus says. "Large investments are needed to respond to the growing risks, but at the same time they could also eat into the budgets needed to scale up forms of renewable generation."

To strengthen protection, Dragos recommends organizations implement the SANS Institute’s 5 Critical Controls for World-Class OT Cybersecurity:

  1. Develop an ICS-specific incident response (IR) plan with dedicated system integrity and recovery capabilities for use during an attack, backed by exercises built on risk scenarios and use cases tailored to the ICS environment.

  2. Deploy a defensible architecture that supports visibility, log collection, asset identification, segmentation, industrial "demilitarized zones," and enforcement of process communications.

  3. Continuously monitor the ICS network with protocol-aware toolsets and "system of systems" interaction analysis, and use the results to inform operations of potential risks to control.

  4. Secure remote access: identify and inventory all remote access points and the environments they are permitted to reach, use on-demand access and multi-factor authentication (MFA) where possible, and route access through jump host environments.

  5. Adopt risk-based vulnerability management.
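Controls 2 and 3 above (segmentation with a defined IT/OT boundary, and continuous monitoring of the ICS network) are what would have surfaced the "knocking on the door" activity from the corporate network described in the case study. The following is an added example, not Dragos' or SANS' code: it parses connection records and flags corporate-IT hosts reaching into the OT zone outside the sanctioned jump host, labelling hits that land on ICS protocol ports, and then rolls them up into per-source reconnaissance findings. The zone ranges, the jump-host allowlist, the port map and the log lines are all assumed or constructed for illustration; in a real deployment they come from the asset inventory and a protocol-aware sensor.

```python
"""Flag corporate-IT hosts reaching into the OT zone, and ICS-port reconnaissance.

Added example, not Dragos' or SANS' code. Zone ranges, jump-host allowlist, the
port map and the connection records are assumed/constructed for illustration.
"""
import ipaddress
from collections import defaultdict

CORP_IT = ipaddress.ip_network("10.10.0.0/16")       # assumed corporate IT range
OT_ZONE = ipaddress.ip_network("10.200.0.0/16")      # assumed OT / ICS range
SANCTIONED_JUMP_HOSTS = {ipaddress.ip_address("10.10.1.10")}  # assumed: the only permitted IT->OT path

# Well-known ICS protocol ports; anything else crossing the boundary is still a violation.
ICS_PORTS = {
    502: "Modbus/TCP", 20000: "DNP3", 102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP", 2404: "IEC 60870-5-104", 4840: "OPC UA",
}

# Constructed conn-style records: "ts src dst dport proto", one flow per line.
SAMPLE_CONN_LOG = """\
1700000000.1 10.10.1.10 10.200.3.20 502 tcp
1700000001.2 10.10.4.77 10.200.3.20 502 tcp
1700000001.9 10.10.4.77 10.200.3.21 20000 tcp
1700000002.3 10.10.4.77 10.200.3.22 102 tcp
1700000003.0 10.10.4.77 10.200.3.23 44818 tcp
1700000004.4 10.10.9.5 10.10.9.6 445 tcp
1700000005.0 10.200.3.20 10.200.3.30 502 tcp
1700000006.2 10.10.8.3 10.200.5.9 3389 tcp
"""


def parse_conn_log(text):
    """Parse whitespace-separated flow records into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((float(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(dport), proto))
    return flows


def zone_violations(flows):
    """Every IT->OT flow that does not originate from a sanctioned jump host."""
    out = []
    for ts, src, dst, dport, proto in flows:
        if src in CORP_IT and dst in OT_ZONE and src not in SANCTIONED_JUMP_HOSTS:
            out.append({"ts": ts, "src": str(src), "dst": str(dst), "dport": dport,
                        "proto": proto, "protocol": ICS_PORTS.get(dport, "non-ICS")})
    return out


def ot_recon_sources(flows, min_targets=3):
    """IT sources touching at least min_targets distinct OT (host, port) pairs:
    the enumeration pattern behind 'knocking on the door' of the OT network."""
    targets = defaultdict(set)
    for v in zone_violations(flows):
        targets[v["src"]].add((v["dst"], v["dport"]))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    flows = parse_conn_log(SAMPLE_CONN_LOG)
    for v in zone_violations(flows):
        print(f"VIOLATION {v['src']} -> {v['dst']}:{v['dport']} ({v['protocol']})")
    for src, tgts in ot_recon_sources(flows).items():
        print(f"RECON {src} touched {len(tgts)} OT host/port pairs: {tgts}")
```

The allowlist is deliberately a set of jump-host addresses rather than a subnet, so that a compromised IT workstation in the same range as the jump host (as in the constructed log) still trips the rule; with a single conduit into OT, everything else crossing the boundary is by definition unexpected.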
