The portion of China's Volt Typhoon advanced persistent threat that focuses on infiltrating operational technology networks in critical infrastructure has already performed reconnaissance and enumeration of multiple US-based electric companies, while also targeting electric transmission and distribution organizations in African nations.
The findings corroborate recent declarations by the US government that the state-sponsored threat is pre-positioning itself to be able to sow chaos and disrupt the power grid domestically in the case of military conflict.
Further analysis showed that the APT was hunting for data that could aid its efforts to cross over into physical control systems.
To help keep the threat contained, Lee said the firm packaged up its threat intelligence findings from the incident response, sharing them with other potential Voltzite targets as well as the federal government.
Volt Typhoon Expands Activity
Since being publicly outed in May 2023, Volt Typhoon is known to have compromised the US territory of Guam, telecom providers, military bases, and the United States emergency management organization, among others.
Dragos' own investigation uncovered evidence of Volt Typhoon expansion, and that Voltzite specifically had not only cast a wide net across US power companies and some targets in Africa, but that it overlaps with UTA0178, a threat activity cluster tracked by Volexity that was exploiting Ivanti VPN zero-day vulnerabilities at ICS targets back in December.
Further, last month Dragos discovered it conducting extensive reconnaissance of a US telecommunications provider's external network gateways and found evidence that Voltzite compromised a large US city's emergency services geospatial information systems network.
Voltzite's Stealthy Cyber-Intrusion Tactics
The Dragos investigation showed that Voltzite uses various techniques for credential access and lateral movement once inside a network.
Its hallmark, like that of the broader Volt Typhoon threat, is using legitimate tools and living off the land to avoid signature detection.
Exe, a native Windows binary used for importing and exporting data from Active Directory Domain Services using the CSV file format.
In other cases, it uses Volume Shadow Copies to extract the NTDS.dit Active Directory database from a domain controller; that database enumerates user accounts, groups, and computers and, most importantly, contains the hashes of user passwords.
While Voltzite is known for using minimal tooling, it has used the FRP reverse proxy tool and multiple Web shells to channel data to a command-and-control server, according to the Dragos report, which contains a list of the LotL binaries that Voltzite is using.
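The shadow-copy NTDS.dit extraction described above leaves a recognizable sequence in process-creation telemetry. The following is an added detection example, not code from the article or from Dragos; it runs over constructed sample events (the hosts, users and timestamps are invented) and flags a shadow-copy creation followed within a short window on the same host by a command that touches ntds.dit.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the article).
# Field layout: timestamp|host|user|command line
SAMPLE_EVENTS = [
    "2024-02-10T03:12:01|DC01|CORP\\svc_backup|vssadmin create shadow /for=C:",
    "2024-02-10T03:12:44|DC01|CORP\\svc_backup|copy "
    "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Temp\\backup.dit",
    "2024-02-10T09:00:00|WS07|CORP\\alice|vssadmin list shadows",
    "2024-02-11T01:00:00|DC02|CORP\\backupsvc|vssadmin create shadow /for=C:",
]

# Shadow-copy creation via vssadmin or wmic (both are native Windows binaries).
SHADOW_CREATE = re.compile(
    r"\b(vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create)", re.I
)
# Any later command line that references the AD database file.
NTDS_ACCESS = re.compile(r"ntds\.dit", re.I)
# Correlation window is an assumption; tune it to the environment's normal backup cadence.
WINDOW = timedelta(minutes=30)


def parse_event(line):
    """Split one pipe-delimited event into (timestamp, host, user, command line)."""
    ts, host, user, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd


def find_ntds_extraction(events, window=WINDOW):
    """Return (host, user, shadow_create_ts, ntds_access_ts) for each shadow-copy
    creation that is followed, on the same host and within `window`, by a command
    referencing ntds.dit. Shadow creations with no follow-up are not reported."""
    parsed = sorted((parse_event(e) for e in events), key=lambda p: p[0])
    pending = {}  # host -> (timestamp, user) of the most recent shadow creation
    hits = []
    for ts, host, user, cmd in parsed:
        if SHADOW_CREATE.search(cmd):
            pending[host] = (ts, user)
            continue
        if NTDS_ACCESS.search(cmd) and host in pending:
            created_ts, created_by = pending.pop(host)
            if ts - created_ts <= window:
                hits.append((host, created_by, created_ts.isoformat(), ts.isoformat()))
    return hits
```

Legitimate backup jobs will also create shadow copies, so the correlation with an ntds.dit reference, rather than shadow creation alone, is what keeps this rule from flooding an analyst queue.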
Utilities Should Act Now on Cyber Defense
While its disruptive intentions are clear, so far Dragos has not seen Voltzite successfully display actions or capabilities that could disrupt, degrade, or destroy ICS/OT assets or operations.
That doesn't mean things won't change, however.
Aura Sabadus, an energy markets specialist at Independent Commodity Intelligence Services, notes that attacks against energy utilities more than doubled between 2020 and 2022, with hackers disabling transmission systems or power plants.
With new entrants like Volt Typhoon representing an existential threat to critical gas, electricity and water infrastructure, more investment will be necessary to ward off the worst-case scenario.
Craft an operations-informed incident response plan with focused system integrity and recovery capabilities during an attack, backed by exercises designed to reinforce risk scenarios and use cases tailored to the ICS environment.
Identify and take inventory of all remote access points and allowed destination environments, with on-demand access, multifactor authentication and, where possible, jump host environments.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 15 Feb 2024 22:50:24 +0000