2025-03-20

Massachusetts Utility Targeted by Advanced Persistent Threat Linked to China

Level: Strategic | Source: Dark Reading & Dragos | Utilities

According to reports from Dragos and Dark Reading, the Littleton Electric Light and Water Departments (LELWD) in Massachusetts became the target of a prolonged cyberattack by VOLTZITE, a subgroup of the Chinese state-backed threat actor Volt Typhoon, in November 2023. The attack was detected after the FBI notified LELWD of a suspected network compromise, prompting responses from federal agencies and cybersecurity firm Dragos. Investigators found that VOLTZITE had maintained persistent access to the network for over 300 days. Dragos' analysis confirmed that the threat actors moved laterally using Server Message Block (SMB) traversal and Remote Desktop Protocol (RDP) techniques. The primary objective was the exfiltration of operational technology (OT) data, including information on energy grid operations and infrastructure layout. According to Dragos, this type of intelligence can aid adversaries in planning future attacks targeting critical systems.

The response team successfully removed the adversary and secured the infrastructure against further intrusion. "Further investigation determined that the compromised information did not include any customer-sensitive data, and the utility was able to change their network architecture to remove any advantages for the adversary," Dragos reports in their impact assessment. To prevent future attacks, LELWD implemented additional security measures, including enhanced network segmentation, asset visibility, vulnerability management, and continuous threat detection. Dragos warns that VOLTZITE and similar actors will likely continue operations against Western-aligned entities into 2025.