US Electric Grid Company Compromised by Volt Typhoon for Most of 2023
March 18, 2025
When Dragos was contracted to implement operational technology security measures for a Massachusetts electric grid company in late 2023, it found that Volt Typhoon had been lurking in their systems since February of that year.
A new report from researchers with security firm Dragos sheds some further light on the depth of Chinese penetration into the US electric grid. When Dragos was contracted to implement operational technology (OT) security measures for a Massachusetts power provider in late 2023, it found that Volt Typhoon had been lurking in their systems since February of that year.
In total, the Chinese hackers were in the system for a little over 300 days before being removed, undetected by a prior managed services provider. As with the other “Typhoon” group campaigns against critical infrastructure, the goal appears to have been quiet probing for the most vulnerable parts of the electric grid and setting up backdoors to be deployed in the event the US and China clash militarily over Taiwan.
State-sponsored hackers targeting known vulnerabilities to penetrate electric grid
Volt Typhoon first entered the public consciousness in 2023 following a detailed Microsoft report about their campaigns against critical infrastructure, and concerns about their penetration into the electric grid continued to mount into 2024. An FBI action in early 2024 took out the group’s main botnet, a massive collection of home and small office routers called the “KV Botnet,” but its work has since been taken up by China’s numerous other state-sponsored actors.
One of the group’s hallmarks, from compromising all of those small routers to breaking into the electric grid, is the use of known vulnerabilities and targeting of devices that are “end of life” and no longer receiving security support. In the case of the Massachusetts power provider, LELWD, the point of penetration was a known FortiGate 300D firewall vulnerability first exposed in 2022. That device had received a security patch that year, but LELWD’s prior cybersecurity partner had failed to apply it (and had still not applied it when Dragos took over some 300 days later).
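The pattern described above (a known, already-patched firewall flaw left open for the better part of a year, plus end-of-life devices that will never receive a fix) is something an asset inventory can surface mechanically. The following is an added example, not code from the article, Dragos or LELWD: it walks a constructed inventory, compares each device's firmware against the first version that contains a known fix, flags end-of-life hardware, and reports how long a missing fix has been available. Device names, product names, version numbers and dates are constructed sample values, not real FortiGate releases or the 2022 vulnerability the article refers to.

```python
"""Patch-and-EOL exposure audit over a small OT/IT asset inventory.

Added example (not from the original article, Dragos or LELWD). All
device names, products, firmware versions and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Device:
    name: str
    product: str
    firmware: str        # dotted version string such as "6.2.3"
    end_of_life: bool    # vendor no longer ships security fixes for it


@dataclass(frozen=True)
class KnownFix:
    product: str
    fixed_in: str        # first firmware version that contains the fix
    published: date      # when that fixed version became available


def parse_version(v: str) -> tuple:
    """Turn "6.2.3" into (6, 2, 3) so versions compare numerically.

    A plain string comparison gets this wrong: "6.10" < "6.9" as text,
    which would silently mark an old build as current.
    """
    return tuple(int(part) for part in v.split("."))


def is_patched(device: Device, fix: KnownFix) -> bool:
    return parse_version(device.firmware) >= parse_version(fix.fixed_in)


def exposure_days(fix: KnownFix, today: date) -> int:
    """Days the fix has been available but not applied."""
    return (today - fix.published).days


def audit(inventory, fixes, today: date):
    """Return findings as (device name, reason, days exposed or None).

    End-of-life devices are flagged regardless of version, because no
    fix will ever arrive for them; supported devices are flagged only
    when they sit below the fixed version for their product.
    """
    fixes_by_product = {f.product: f for f in fixes}
    findings = []
    for dev in inventory:
        if dev.end_of_life:
            findings.append((dev.name, "end-of-life: no vendor security fixes will arrive", None))
            continue
        fix = fixes_by_product.get(dev.product)
        if fix is not None and not is_patched(dev, fix):
            findings.append((dev.name, f"below fixed version {fix.fixed_in}", exposure_days(fix, today)))
    return findings


# Constructed sample inventory and fix list (hypothetical products/versions).
SAMPLE_INVENTORY = [
    Device("fw-edge-01", "ExampleFW-300", "6.2.3", end_of_life=False),
    Device("fw-edge-02", "ExampleFW-300", "7.0.1", end_of_life=False),
    Device("fw-branch-03", "ExampleFW-100", "5.4.9", end_of_life=True),
]
SAMPLE_FIXES = [KnownFix("ExampleFW-300", "6.2.10", date(2022, 10, 1))]
AUDIT_DATE = date(2023, 11, 1)   # constructed "late 2023" audit date


def run_sample():
    """Run the audit over the constructed data; used by main() and tests."""
    return audit(SAMPLE_INVENTORY, SAMPLE_FIXES, AUDIT_DATE)


def main():
    for name, reason, days in run_sample():
        exposed = f", fix available for {days} days" if days is not None else ""
        print(f"{name}: {reason}{exposed}")


if __name__ == "__main__":
    main()
```

The numeric version comparison is the part most often done wrong in home-grown inventory scripts; the constructed data includes a device at 6.2.3 against a fix in 6.2.10 precisely so that a string compare would miss it.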
The relatively late publication of the incident is due to federal involvement and security concerns, something that also limits the details that can be shared. However, a LELWD manager did share that the FBI told them it knew of about 200 other utility companies across the country that had also been compromised.
Volt Typhoon may still be lurking in other critical infrastructure company networks
While Volt Typhoon’s activities have been at a lower ebb since their 2024 disruption by the FBI, the incident demonstrates that the group could very well still have access to smaller utilities with weaker cybersecurity (something that CISA has previously alluded to). General concern about lack of availability of cyber resources to smaller regional providers just like LELWD was a focus of the Biden administration, and it remains to be seen if those programs will continue amidst the Trump-era budget cuts.
The group has shown interest in the electric grids and communications networks of other countries, particularly targets in Africa. The group has also been observed lurking in victim systems for as long as five years before being detected. While other “Typhoon” groups are now more active and grab more headlines, Volt Typhoon cannot completely be counted out as a threat at this point.
The incident also demonstrates that China’s state-sponsored hackers are not necessarily focused on zero-days and sophisticated approaches, instead devoting considerable resources to simply combing for overlooked devices and vulnerabilities. The smaller utilities also serve as a more general information-gathering and training point for faster and more effective movement when larger companies are breached.