
The Volt Typhoon group remained undetected within the systems of Littleton Electric Light & Water Department in Massachusetts for nearly a year. According to U.S. authorities, the breach was part of a broader cyber campaign attributed to China, designed to establish footholds within critical infrastructure ahead of a potential future conflict, so that the adversary could inflict strategic damage on demand.
The FBI and CISA were the first to uncover the network compromise. On a Friday afternoon, an FBI agent contacted a Littleton Electric manager, warning of the breach. By Monday, cybersecurity specialists and federal agents had arrived at the company’s offices to assess the situation.
For over a century, Littleton Electric Light & Water Department (LELWD) has provided electricity and water services to the towns of Littleton and Boxborough. In recent years, however, the utility has faced an escalating threat of cyberattacks. Following the discovery of the breach, Dragos, a cybersecurity firm specializing in industrial control systems (ICS) security, investigated and found that Volt Typhoon had been inside the utility’s networks as early as February 2023.
Exploitation of a FortiGate Firewall Vulnerability
Investigators determined that Volt Typhoon gained access through an unpatched vulnerability in a FortiGate 300D firewall. Fortinet had released a fix in December 2022, but LELWD’s managed IT service provider (MSP) never applied it, leaving a window of roughly two months between the patch and the earliest observed intrusion in February 2023. LELWD later dismissed the MSP that had been responsible for its network security. The lesson for any operator of an internet-facing edge device is the same: a perimeter firewall is only a control while its firmware is current, and patch status of such devices has to be verified rather than assumed, whether the work is outsourced or not.
By December 2023, federal authorities had deployed monitoring sensors inside LELWD’s network and asked that the vulnerable firewall be left in place, deliberately unpatched, so that the intruders’ movements could be tracked. Despite the risk of a further attack, the utility chose to cooperate with federal authorities so they could observe and analyze the adversary’s tactics.
Hacker Activity: Network Persistence and Intelligence Gathering
Volt Typhoon did not merely gain a foothold; the group moved laterally within the network, gathering intelligence while avoiding detection. The intrusion did not compromise customer personal data, but the attackers did exfiltrate sensitive operational information.
In response, LELWD overhauled its network architecture, closing security gaps that could have been exploited for further intrusion.
Volt Typhoon’s objectives extended beyond maintaining a long-term presence in the network. Their primary goal was to collect intelligence on industrial automation processes, including operational procedures and the layout of the power grid. Such information would be highly valuable for an attack aimed not only at disrupting service but also at causing physical damage to infrastructure.
Why Was LELWD Targeted?
Even now, LELWD officials remain uncertain why Volt Typhoon specifically targeted their systems. One possibility is that the intrusion was part of a larger reconnaissance effort against the sector rather than an interest in this utility in particular.
“Our substations and engineering systems were not compromised, but the hackers knew exactly where our vulnerable firewalls were located and attempted to bypass them,” stated a company representative. For LELWD, the incident served as a critical lesson in cybersecurity resilience.
Ongoing Investigations and China’s Denials
Although LELWD has since strengthened its security, certain details of the breach remain classified because of an ongoing federal investigation. China continues to deny any involvement in Volt Typhoon’s operations, while CISA and the FBI have repeatedly warned that Chinese state-sponsored actors are embedding themselves in U.S. critical infrastructure networks, potentially laying the groundwork for future large-scale cyberattacks.