Industrial cybersecurity leader Dragos recently published a case study detailing the first confirmed presence of Volt Typhoon in a U.S. electric grid. The intrusion occurred at the Littleton Electric Light and Water Department (LELWD) in Littleton, Massachusetts. The specific threat actor was VOLTZITE, the Dragos designation for a group whose activity overlaps with the Chinese state-sponsored Volt Typhoon. What follows is a synopsis of events covered in the case study. For detailed looks at similar situations, a collection of case studies can be found here.
Last year the utility was compromised by a sophisticated threat group that used its access to the network to collect data on OT systems. LELWD worked with Dragos and the FBI to identify, scope, and remediate the breach.
VOLTZITE was found to have persistent access to LELWD's network. This group has been responsible for the widespread compromise of industrial organizations across critical infrastructure sectors since the start of 2023. David Ketchen, Assistant General Manager of LELWD, received a phone call from the FBI on a Friday afternoon alerting the utility to a suspected compromise. The gravity of the situation became evident when FBI agents, accompanied by representatives from the Cybersecurity and Infrastructure Security Agency (CISA), arrived at LELWD's offices the following Monday.
Some of the challenges LELWD faced in responding to the breach centered on legacy systems: assets had to be inventoried manually before potential security issues could be identified or unusual network behavior detected. The lack of automation meant time was spent simply establishing network and asset visibility before responders could focus on the scope and severity of the attack.
To LELWD’s credit, the utility had been taking steps to bolster its cybersecurity posture and was implementing the Dragos Platform to gain visibility of its OT assets, secure IT-OT network traffic, and monitor communications between OT devices and systems.
Additionally, the utility had already engaged Dragos OT Watch for threat hunting. Deploying quickly and ahead of the planned onboarding timeline, OT Watch identified VOLTZITE activity close to the utility's operational technology. Specifically, the Dragos Platform confirmed Server Message Block (SMB) traversal and Remote Desktop Protocol (RDP) lateral movement.
Armed with these findings, LELWD was able to evict the threat actor and harden the network against further intrusion. Further investigation determined that the compromised information did not include any customer-sensitive data, and the utility changed its network architecture to remove any footholds VOLTZITE might have obtained.
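The two behaviours the platform confirmed, SMB traversal and RDP lateral movement, are the kind of thing a utility can look for in its own flow or firewall logs once it has the asset visibility described above. The following is an added example written for this article, not Dragos Platform or OT Watch code. It runs two simple rules over constructed flow records: any SMB (445) or RDP (3389) connection crossing from the IT segment into the OT segment, and any single source fanning out SMB/RDP connections to several distinct hosts that are not in a known-good baseline. The subnet layout (IT in 10.10.0.0/16, OT in 10.20.0.0/16), the sample flows, and the baseline are all assumptions made for the illustration.

```python
"""Added example: flagging SMB/RDP lateral movement in flow records.

Illustrative code for this article, not Dragos Platform or OT Watch logic.
All flow records, subnets and baseline entries below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed segmentation: IT hosts live in 10.10.0.0/16, OT hosts in 10.20.0.0/16.
IT_NET = ip_network("10.10.0.0/16")
OT_NET = ip_network("10.20.0.0/16")

# Destination ports treated as lateral-movement protocols.
LATERAL_PORTS = {445: "SMB", 3389: "RDP"}

# Known-good (src, dst, proto) pairs from the asset inventory (assumed).
BASELINE = {("10.10.5.21", "10.10.5.50", "SMB")}

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("2024-01-15T02:11:03Z", "10.10.5.21", "10.10.5.50", 445),   # routine IT file share
    ("2024-01-15T02:12:40Z", "10.10.5.21", "10.10.7.9", 445),    # same host starts
    ("2024-01-15T02:13:05Z", "10.10.5.21", "10.10.7.12", 445),   # sweeping SMB across
    ("2024-01-15T02:13:30Z", "10.10.5.21", "10.10.8.3", 445),    # unrelated IT hosts
    ("2024-01-15T02:20:11Z", "10.10.5.21", "10.20.1.15", 3389),  # IT host RDPs into OT
    ("2024-01-15T02:31:48Z", "10.20.1.15", "10.20.1.30", 445),   # single OT-to-OT SMB
    ("2024-01-15T09:00:00Z", "10.10.3.4", "10.10.3.200", 3389),  # helpdesk RDP inside IT
]


def parse_flow(rec):
    """Turn a raw record into typed fields."""
    ts, src, dst, port = rec
    return ts, ip_address(src), ip_address(dst), int(port)


def segment(ip):
    """Map an address to its assumed network segment."""
    if ip in IT_NET:
        return "IT"
    if ip in OT_NET:
        return "OT"
    return "other"


def detect_lateral_movement(flows, fanout_threshold=3, baseline=None):
    """Return a list of alert dicts for SMB/RDP lateral-movement patterns.

    Rule 1 (it_to_ot): any SMB/RDP connection from the IT segment into OT.
    Rule 2 (fanout): one source reaching >= fanout_threshold distinct
    destinations over the same protocol, ignoring baseline pairs.
    """
    if baseline is None:
        baseline = BASELINE
    alerts = []
    fanout = defaultdict(set)  # (src, proto) -> distinct non-baseline dsts
    for rec in flows:
        ts, src, dst, port = parse_flow(rec)
        proto = LATERAL_PORTS.get(port)
        if proto is None:
            continue  # not a protocol this detector cares about
        if segment(src) == "IT" and segment(dst) == "OT":
            alerts.append({"rule": "it_to_ot", "proto": proto, "ts": ts,
                           "src": str(src), "dst": str(dst)})
        if (str(src), str(dst), proto) not in baseline:
            fanout[(str(src), proto)].add(str(dst))
    for (src, proto), dsts in fanout.items():
        if len(dsts) >= fanout_threshold:
            alerts.append({"rule": "fanout", "proto": proto, "src": src,
                           "count": len(dsts), "dsts": sorted(dsts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_FLOWS):
        print(alert)
```

On the sample data this raises exactly two alerts: the IT-to-OT RDP session from 10.10.5.21 to 10.20.1.15, and the SMB fan-out from 10.10.5.21 to three non-baseline hosts. The single OT-to-OT SMB connection and the helpdesk RDP stay below the threshold, which is the point of the baseline: without an asset inventory to seed it, a rule like this drowns in the routine file-share and remote-support traffic that a utility sees every day.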
LELWD's experience demonstrates the value of specialized OT security monitoring for critical infrastructure providers of all sizes. The combination of OT-specific visibility, expert support, and a commitment to continuous improvement has positioned LELWD to better protect its operations and serve its community in an evolving threat landscape.
Some industry experts have also shared their thoughts on the situation, including James McQuiggan, Security Awareness Advocate at KnowBe4. “Nation-state cyber actors continue to breach and gain access to critical U.S. infrastructure facilities and embed themselves, monitoring operations and preparing for future leverage or disruption.
“The Volt Typhoon operation and other similar operating groups are evidence that the U.S. could enter into a cyber Cold War, with the enemy on the other side of the world going undetected for months while they exploit IT-OT gaps in an organization’s cybersecurity technology or users. Organizations must move beyond passive monitoring to proactive threat hunting and network segmentation, and they must leverage the various intelligence sharing groups to work towards disrupting these persistent threats.
“Cybersecurity is a continuous risk reduction effort with updated defense-in-depth cybersecurity initiatives to force adversaries to adjust constantly. Additionally, critical infrastructure must improve its resiliency to guard the nation’s infrastructure.”
Additionally, Ensar Seker, Chief Security Officer at SOCRadar, offered the following comments. “This latest Volt Typhoon intrusion into the U.S. electric grid is a serious escalation in cyber-enabled espionage, highlighting the vulnerabilities of critical infrastructure (CI) in the face of persistent threats from nation-state actors. The fact that Chinese hackers remained undetected for over 300 days inside a small public utility’s network is concerning, not only because of the extended dwell time but also because it reinforces the broader risks posed to larger, more complex CI networks.
“This group is known for pre-positioning within U.S. CI — not necessarily for immediate sabotage, but for future disruption scenarios. By embedding themselves in water and power utilities, they gain persistent access to industrial control systems (ICS) and operational technology (OT), which could be leveraged in a geopolitical crisis.
“The 300-day undetected presence underscores the need for better visibility in ICS/OT networks. Traditional IT-centric security approaches often fail to detect threats in air-gapped or segmented OT environments until adversaries attempt lateral movement or trigger suspicious activities. LELWD is a small public utility, but this attack demonstrates that threat actors don’t always go for high-profile targets first. Small, underfunded utilities can serve as low-hanging fruit, allowing adversaries to test tactics, develop footholds, and pivot toward larger targets.
“With China’s continued focus on U.S. CI, the long-term concern is that such intrusions could eventually transition from intelligence gathering to active disruption—potentially affecting power grids, water systems, or transportation networks in times of geopolitical tension. Threat actors will increasingly compromise ICS security providers or managed service firms to gain access to multiple critical infrastructure targets at scale. This incident will likely lead to tighter U.S. government scrutiny over critical infrastructure cybersecurity, pushing for mandatory threat hunting and network monitoring in OT environments.
“Since traditional security tools struggle in air-gapped OT environments, the adoption of AI-driven anomaly detection will become a priority for utilities to identify stealthy intrusions earlier.”