Voltzite espionage hackers launch operations against US critical infrastructure, Dragos urges enhanced detection strategies


Industrial cybersecurity firm Dragos disclosed Tuesday that it has been tracking activity by the Voltzite threat group, which overlaps with Volt Typhoon, since early 2023. The group has been observed performing reconnaissance and enumeration of multiple U.S.-based electric companies since early 2023, and has since targeted emergency management services, telecommunications, satellite services, and the defense industrial base.

In a datasheet titled ‘VOLTZITE Espionage Operations Targeting U.S. Critical Systems,’ Dragos detailed that “Voltzite poses a credible threat to critical infrastructure operators in the United States and jurisdictions within the threat group’s strategic interest. VOLTZITE heavily focuses on detection evasion and long-term persistent access with the assessed intent of long-term espionage and data exfiltration.”

Dragos recommends that industrial organizations familiarize themselves with all potential detection mechanisms for living off the land (LOTL) techniques, with a focus on anomaly and behavior-driven threat detection strategies. The move comes as the Voltzite group compromises external network perimeter applications and assets such as SOHO (Small Office/Home Office) routers and virtual private network gateways to gain access to the targeted organization’s networks. “Once within the victim’s network, they leverage LOTL techniques and stolen credentials to move through the network,” it added. 

Some of the identified exploited applications include Fortinet FortiGuard, PRTG Network Monitor appliances, ManageEngine ADSelfService Plus, FatPipe WARP, Ivanti Connect Secure VPN, and Cisco ASA.

Additionally, Dragos has discovered Voltzite targeting electric transmission and distribution organizations in African nations. The group employs LOTL techniques, relying on native tools already available on compromised assets. This strategy, paired with slow and steady reconnaissance, enables Voltzite to avoid detection for lengthy periods.

Headquartered in Hanover, Maryland, Dragos revealed that the Voltzite group overlaps with multiple threat groups including Volt Typhoon (Microsoft), BRONZE SILHOUETTE (Secureworks), Vanguard Panda (Crowdstrike), and UNC3236 (Mandiant). “These groups have tracked activity clusters dating as far back as 2021. Dragos makes the assessment of overlap to these groups based on the premise of strong correlating evidence on the victimology, infrastructure, and capabilities vertices of the Diamond Model of Intrusion Analysis,” it added.

Referring to the Voltzite group in a media briefing call, Robert Lee, CEO and co-founder at Dragos, said, “Based on our observations at Dragos and what we’re seeing, it is a very well-resourced state actor. So just trusting in the US government’s attribution of it being China, I will clarify that there are a lot of states that get involved in industrial, and even when you get China, US, Iran, Russia, it could be an ‘A’ team, it could be a ‘B’ team, it could be a ‘C’ team.”

He added, “Players just going, it’s a US-based team or a China-based team, doesn’t actually tell you a lot. Everybody’s got people that are not good at their job. When we look at Volt Typhoon, that is a player team.”

Identifying the Voltzite group as a strategic adversary that is well-resourced, very sophisticated, and able to target infrastructure and achieve its objectives, Lee added that “we are now looking at more industrial networks, so we’re seeing more, and as a result, we’re trying to learn quickly to counter those threats, but we’re not looking deeply enough.”

He estimated that “we are globally monitoring actively less than 5% of our global infrastructure in the OT networks. So with a 5% of the OT network infrastructure kind of view, we are seeing 21 threat groups that are targeting those industrial networks.”

Last week, the U.S. CISA (Cybersecurity and Infrastructure Security Agency) released a report detailing some of the techniques, tools, and infrastructure used by Voltzite over the previous year. The week prior, the FBI announced that it had terminated Voltzite’s control of some of its infrastructure, shutting down a botnet of compromised network devices. These unprecedented steps point to the seriousness of this threat – it demands action. 

So far, Dragos has only observed Voltzite operations achieving Stage 1 of the ICS (industrial control system) Cyber Kill Chain. The group has not yet displayed actions or capabilities designed to disrupt, degrade, or destroy ICS/OT assets or operations. However, its persistent targeting of critical infrastructure entities and its observed capabilities could aid the development of an ICS-capable disruption tool.

Dragos also warned that Voltzite has shown continued interest in the electric and telecommunications sectors in the U.S., as evidenced by long-term, slow and steady reconnaissance and enumeration of multiple electric entities. If Voltzite can establish an initial foothold on the network perimeter of a target, it may then be able to pivot further into the victim’s information technology (IT) network. Once access is established, Voltzite conducts espionage activities via LOTL techniques in an attempt to evade detection.

The company added that “if proper network segmentation between the IT and operational technology (OT) networks of a victim is not apparent, then Voltzite may laterally move into OT networks to perform enumeration and data exfiltration of critical OT operational data such as SCADA data, OT device configurations, historian data, Geographic Information Systems (GIS) data, amongst others.”

Dragos said that the Voltzite group has exhibited differing techniques for credential access and lateral movement once inside a network. “The first observed technique is the use of csvde.exe, which is a native Windows binary used for importing and exporting data from Active Directory Domain Services using the comma-separated values (csv) file format. Obfuscation techniques are also employed,” it added.

The second observed technique to steal credentials for lateral movement is using Volume Shadow Copies and the extraction of the NTDS.dit Active Directory database from a domain controller, the company revealed. “Volume Shadow Copies are cloned images of the operating system that can be used as backups or restoration points for an administrator to roll back a Windows machine if any issues arise with the operating system later. The NTDS.dit database, which is stored on domain controllers, is effectively the database underpinning all the information in Active Directory about user accounts, groups, computers, and most importantly, the hashes of user passwords.”

Under normal circumstances, the NTDS.dit file cannot be opened or copied, as it is in use by Active Directory on the machine.

“To circumvent this protection, adversaries commonly use the Volume Shadow Copy Service to create a cloned image of the operating system and save it to a disk,” according to Dragos intelligence. “Then the adversary can exfiltrate the copy of NTDS.dit residing in the shadow copy with no issues, as that file version is not in use by any processes. Once the NTDS.dit database is back on an adversary’s machine, they can perform hash cracking or come back to the victim machine and use ‘pass the hash’ techniques to authenticate as a user.”
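The behavior-driven detection Dragos recommends for these two LOTL techniques (csvde.exe exports and NTDS.dit extraction via a shadow copy) can be expressed as a few rules over process-creation telemetry. The following is an added example, not Dragos' code or tooling; it assumes Sysmon-style Event ID 1 fields (Computer, Image, CommandLine) and runs over constructed sample records, correlating a shadow-copy creation with a later NTDS.dit copy on the same host.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=1 Computer=DC01 User=CORP\\svc_backup Image=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=vssadmin create shadow /for=C:",
    "EventID=1 Computer=DC01 User=CORP\\svc_backup Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Temp\\backup.dat",
    "EventID=1 Computer=WS042 User=CORP\\jdoe Image=C:\\Windows\\System32\\csvde.exe "
    "CommandLine=csvde -f C:\\Users\\jdoe\\AppData\\Local\\Temp\\ad.csv",
    "EventID=1 Computer=WS042 User=CORP\\jdoe Image=C:\\Windows\\System32\\notepad.exe "
    "CommandLine=notepad.exe report.txt",
]

SHADOW_PATH = re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)
NTDS_FILE = re.compile(r"ntds\.dit", re.I)


def parse_event(line):
    """Split 'Key=Value Key=Value ...' into a dict; values may contain spaces."""
    fields = {}
    for token in re.split(r"\s+(?=[A-Za-z]+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def classify(ev):
    """Return the detection names triggered by a single process-creation event."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    hits = []
    # csvde.exe exporting (-f without -i) is the first technique described above.
    if image.endswith("\\csvde.exe") and re.search(r"(^|\s)-f\s", cmd) \
            and not re.search(r"(^|\s)-i(\s|$)", cmd):
        hits.append("csvde_ad_export")
    # Shadow copy creation through the two common native front-ends to VSS.
    if image.endswith("\\vssadmin.exe") and re.search(r"create\s+shadow", cmd, re.I):
        hits.append("vss_shadow_created")
    if image.endswith("\\wmic.exe") and re.search(r"shadowcopy\s+call\s+create", cmd, re.I):
        hits.append("vss_shadow_created")
    # Any command touching ntds.dit inside a shadow-copy device path.
    if NTDS_FILE.search(cmd) and SHADOW_PATH.search(cmd):
        hits.append("ntds_copied_from_shadow")
    return hits


def detect(lines):
    """Evaluate rules per event and correlate shadow creation + NTDS copy per host."""
    alerts, shadow_hosts = [], set()
    for line in lines:
        ev = parse_event(line)
        host = ev.get("Computer", "?")
        for name in classify(ev):
            alerts.append((host, name))
            if name == "vss_shadow_created":
                shadow_hosts.add(host)
            elif name == "ntds_copied_from_shadow" and host in shadow_hosts:
                alerts.append((host, "ntds_theft_chain"))
    return alerts
```

Legitimate backup jobs also create shadow copies, so the per-host chain alert (shadow creation followed by an NTDS.dit read from the shadow path) is the signal worth paging on; the individual rule hits are better used for enrichment and hunting.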

In December, Dragos linked Mandiant’s recent disclosure of a cyber-physical incident to the Russia-linked threat actor Sandworm. The incident targeted a critical infrastructure organization in Ukraine. Dragos associates this activity with the Electrum threat group, which has technical overlaps with the Sandworm APT (advanced persistent threat). Electrum has previously been responsible for multiple cyber attacks on Ukrainian electric utilities, including a 2016 power outage that affected 250,000 homes. The newly disclosed attack shares similarities with previous attacks.

To secure against attacks, Dragos recommends that industrial operators implement the five critical controls highlighted in the SANS white paper ‘The Five Critical Controls for ICS/OT,’ which presents a framework for implementing an OT cybersecurity program to defend against adversary activity directed against OT networks, be it intellectual property (IP) theft, ransomware, or targeted cyber-physical effects.
