Cyber threats against U.S. infrastructure are a growing concern, especially when they target power and water utilities. A recent breach at the Littleton Electric Light and Water Department (LELWD) in Massachusetts showed just how real the threat is.
The attackers, linked to the Chinese-backed group Volt Typhoon (also called Voltzite by Dragos), remained inside the utility’s network for over 300 days before being discovered in November 2023.
Volt Typhoon wasn’t trying to cause immediate damage.
Instead, the group was quietly collecting information about the power grid’s operations and layout, possibly to use in future attacks.
LELWD was already in the process of deploying Dragos’s OT security solutions when the intrusion was found, allowing for a much quicker response. This case highlights the risks facing small utilities and how specialized cybersecurity tools can help detect and stop threats before they cause harm.
The Threat: Volt Typhoon’s Long Stay in the Network
Volt Typhoon has been known to target critical infrastructure, and this case was no different.
The group specializes in moving quietly, collecting sensitive data without being detected for months. Unlike ransomware attacks that cause immediate disruptions, Volt Typhoon appears to be gathering intelligence for possible future operations.
At LELWD, the hackers were inside the network from February 2023 until they were caught in November 2023. While no direct attack was carried out, the stolen information could help the group plan a more targeted strike down the road. Volt Typhoon has never been seen actively disrupting industrial systems, but the data it collects could be used to do so later.
The Response: LELWD and Dragos
LELWD had already started working with Dragos before the breach was discovered, but the attack forced them to speed up the rollout of new security measures. Dragos’s OT security team jumped in right away to help track and remove the attackers.
Steps Taken to Secure the Network:
- Detecting the Threat: The Dragos Platform found signs of the intrusion, including techniques like Server Message Block (SMB) traversal and Remote Desktop Protocol (RDP) lateral movement, both of which attackers use to move between systems.
- Stopping the Attackers: Dragos’s OT Watch team provided intelligence on what Volt Typhoon was doing and helped LELWD block them from continuing their activity.
- Fixing Weak Spots: LELWD adjusted its network setup to close off the paths the attackers had used to get in and move around.
- Improving Monitoring: The Dragos Platform gave LELWD better visibility into its OT systems so they could catch unusual activity sooner.
These actions removed the immediate threat and gave LELWD better protection going forward.
Lack of Visibility Into OT Networks
Before the attack was found, LELWD had limited insight into its OT environment. Tracking network activity and identifying unusual behavior was difficult without automated monitoring tools.
Limited Resources for Cybersecurity
As a small public power utility, LELWD did not have the same level of cybersecurity staffing and tools as larger organizations. Managing vulnerabilities and responding to threats required outside expertise.
Mixing of IT and OT Traffic
LELWD had IT and OT systems running on the same network, which made it easier for attackers to move between systems. After the breach, network segmentation was improved to limit potential attack paths.
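The two findings above, SMB/RDP lateral movement between hosts and IT traffic crossing into the OT network, can both be surfaced from ordinary connection logs. The script below is an added example written for this article; it is not Dragos Platform code and not LELWD's configuration. The IT and OT address ranges, the approved jump host, the fan-out threshold and the log lines are all constructed for the demonstration.

```python
"""Flag SMB/RDP lateral-movement fan-out and unapproved IT-to-OT crossings
in connection logs. Subnets, jump host, threshold and log lines are
constructed for this example and are not taken from the LELWD incident."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

IT_NET = ipaddress.ip_network("10.20.0.0/16")        # assumed corporate IT range
OT_NET = ipaddress.ip_network("10.30.0.0/16")        # assumed OT / control range
JUMP_HOSTS = {ipaddress.ip_address("10.20.5.250")}  # assumed approved IT->OT path
LATERAL_PORTS = {445: "SMB", 3389: "RDP"}
FANOUT_THRESHOLD = 3  # distinct SMB/RDP destinations per source before alerting

# Constructed sample connection log: timestamp src dst dport proto
SAMPLE_LOG = """\
2023-10-14T02:11:05Z 10.20.5.17 10.20.5.20 445 TCP
2023-10-14T02:11:09Z 10.20.5.17 10.20.5.21 445 TCP
2023-10-14T02:11:14Z 10.20.5.17 10.20.5.22 445 TCP
2023-10-14T02:12:40Z 10.20.5.17 10.30.1.8 3389 TCP
2023-10-14T02:13:02Z 10.20.5.250 10.30.1.8 3389 TCP
2023-10-14T08:00:00Z 10.20.7.3 10.20.9.40 443 TCP
2023-10-14T08:05:11Z 10.30.1.8 10.30.1.9 502 TCP
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_log(text):
    """Parse whitespace-separated connection records into Conn objects."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        conns.append(Conn(ts, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport), proto))
    return conns


def smb_rdp_fanout(conns, threshold=FANOUT_THRESHOLD):
    """Return {src: sorted distinct destinations} for every source that reached
    at least `threshold` different hosts over SMB (445) or RDP (3389).
    One host touching many peers on these ports is the fan-out pattern of
    lateral movement rather than normal client-to-server use."""
    targets = defaultdict(set)
    for c in conns:
        if c.dport in LATERAL_PORTS:
            targets[c.src].add(c.dst)
    return {str(src): sorted(str(d) for d in dsts)
            for src, dsts in targets.items() if len(dsts) >= threshold}


def it_to_ot_crossings(conns, jump_hosts=JUMP_HOSTS):
    """Return connections that enter the OT range from the IT range without
    originating from an approved jump host, i.e. segmentation violations."""
    return [c for c in conns
            if c.src in IT_NET and c.dst in OT_NET and c.src not in jump_hosts]


def build_alerts(text):
    """Run both checks over a log and return human-readable alert strings."""
    conns = parse_log(text)
    alerts = []
    for src, dsts in smb_rdp_fanout(conns).items():
        alerts.append(f"lateral-movement fan-out: {src} reached {len(dsts)} "
                      f"hosts over SMB/RDP: {', '.join(dsts)}")
    for c in it_to_ot_crossings(conns):
        svc = LATERAL_PORTS.get(c.dport, c.proto)
        alerts.append(f"segmentation violation: {c.src} -> {c.dst}:{c.dport} "
                      f"({svc}) at {c.ts}")
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOG):
        print(alert)
```

On the constructed log, the IT workstation 10.20.5.17 is reported twice: once for touching four different hosts over SMB and RDP, and once for reaching an OT host directly instead of through the approved jump host 10.20.5.250, whose own RDP session to the same OT host is not flagged. The same two rules applied to a real utility's flow or firewall logs would need the actual IT and OT ranges and jump hosts substituted in, and the threshold tuned to the environment's normal administrative traffic.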
Too Many Security Alerts to Manage
LELWD had to sort through a high volume of security alerts, making it hard to determine which ones were critical. Improved monitoring helped filter out false alarms and focus on real threats.
What Changed After the Attack
After the attack was discovered, LELWD made several key changes:
- Improved Network Monitoring: Better visibility into OT systems helped detect unusual activity earlier.
- Stronger Threat Detection: Malicious activity could be identified faster.
- More Efficient Security Management: Prioritizing the most serious vulnerabilities made responses more effective.
- Faster Incident Response: The ability to act quickly reduced potential damage.
The Wrap
The Volt Typhoon attack on LELWD shows that even small utilities are targets for cyber threats. While no immediate damage was done, the stolen data could be used in the future.
This attack highlights the need for real-time monitoring, separating IT and OT systems, and having a clear response plan. Cyber threats against power grids and other critical infrastructure will continue.
By learning from this case, other utilities can take steps now to protect their systems.
Go Deeper —> Hunting Active threats in Littleton’s grid with Dragos Platform and OT Watch – DRAGOS
China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days – Security Week