Volt Typhoon targeted emergency management services, per report
Volt Typhoon, the China-sponsored hacking group that has been the focus of grim warnings from U.S. security agencies, has been targeting satellite and emergency management services in addition to electric utilities, according to a new report.
The industrial cybersecurity firm Dragos’s Tuesday report outlines how the notorious hacking group is positioning themselves to have disruptive or destructive impacts on critical infrastructure in the U.S.
Last month, Dragos observed Volt Typhoon — which Dragos tracks as Voltzite — target a large U.S. city’s emergency management services geographic information system, which is used for emergency dispatch operations like law enforcement or ambulance services and is used to assist in disaster recovery efforts. And in June 2023, Volt Typhoon infiltrated a U.S. emergency management organization, Dragos found. The firm has seen Volt Typhoon target electric utilities, satellite and telecommunications services, and the defense industrial base.
The targeting of disaster recovery services underscores the recent warnings from security officials about Volt Typhoon’s strategic targeting against U.S. infrastructure, particularly in the event of a conflict with China over an invasion of Taiwan — although it is not clear if emergency services targeting is for information gathering or to pre-position for additional disruption.
Robert M. Lee, founder and CEO of Dragos, warned during a media briefing that Volt Typhoon is not an opportunistic group, but is instead targeting specific sites that assist U.S. adversaries “trying to hurt or cripple U.S. infrastructure.”
“It’s hitting the specific electric and satellite communication providers that would be important for disrupting major portions of the U.S. electric infrastructure,” Lee said.
The report comes shortly after the National Security Agency, FBI, and Cybersecurity and Infrastructure Security Agency, revealed that Volt Typhoon has been in some critical infrastructure networks for at least five years. That alert warned of Volt Typhoon operations that targeted the aviation, railways, mass transit, highway, maritime, pipeline, and water and sewage sectors.
Volt Typhoon first came into public knowledge last May following a Microsoft report that detailed how the hackers were targeting the U.S. territory of Guam, a hub for U.S. forces in the Pacific with key U.S. military bases.
The FBI and Department of Justice disrupted a botnet that was a part of the hacking campaign in late January that used insecure small office home office (SOHO) routers in an effort to conceal internet traffic linked to Beijing hacking activities.
Indeed, Dragos noted that the group “exhibits a high level of operational security practices” and leverages “living off the land” techniques — a term for using the tools already present on the machine — to evade detection.
One electric company was compromised for “well over 300 days” while Volt Typhoon attempted to get into sensitive OT networks, Lee said. The hackers were stealing OT-specific data like SCADA-related information and GIS information, which would be useful for future disruptive attacks, Lee said.
But, that mid-sized electric company — which was not named — successfully fended off the hackers until Dragos was able to kick them out of their networks.
“This was not one of the biggest electric companies in the country. It was a mid-sized electric utility and their efforts and their resourcing allowed them to stand up against a very strategic, very sophisticated cyber adversary that was trying to get into the OT network,” Lee said.
In November, Dragos and the Electricity Information Sharing and Analysis Center worked on multiple U.S.-based electric sector organizations that were impacted by the Volt Typhoon campaign.
Dragos also found that Voltzite has some overlap with “UTA0178,” a cluster of activity tracked by Volexity that was seen exploiting Ivanti VPN zero-day vulnerabilities in December. CISA sent out a rare emergency directive on Feb. 1 that ordered federal agencies to disconnect any Ivanti devices from networks.
Volt Typhoon was seen targeting African electric transmission and distribution providers in August 2023.
Dragos also assessed with low confidence that Volt Typhoon may have been active as early as 2021, and noted that there are also potential overlaps with Kostovite, another OT-specific threat group that has also targeted Ivanti VPN software.
