Industrial cybersecurity company Dragos released a case study detailing how the Littleton Electric Light and Water Departments (LELWD) detected a sophisticated cyber adversary within their network and had to respond swiftly. The case study offers insights into how LELWD identified and eliminated a persistent threat, providing a detailed look at their real-world response to the VOLTZITE cyberattack. It highlights the OT (operational technology) security challenges faced by small utilities and demonstrates how LELWD addressed visibility gaps, vulnerability management issues, and IT-OT security risks.
Furthermore, it emphasizes that cybersecurity extends beyond mere products, showcasing how LELWD transformed a crisis into an opportunity for long-term resilience through expert guidance and advanced technology. Finally, it outlines essential lessons for critical infrastructure operators, offering actionable steps to enhance the protection of their OT environments.
The fact that the Chinese Volt Typhoon hackers remained undetected for over 300 days inside a small public utility’s network is concerning because of how long they spent within the electric grid, and it reinforces the broader risks posed to larger, more complex critical infrastructure networks.
Utilizing Dragos’s cybersecurity platform and the expertise of its OT Watch team, LELWD identified and eliminated the threat, securing the network against future attacks and enhancing the resilience of its OT security infrastructure.
Just last month, Dragos revealed that the VOLTZITE threat group persisted in its operations throughout 2024, targeting small office/home office (SOHO) routers and engaging with geographic information systems (GIS). VOLTZITE continues to focus on exfiltrating OT-related data from its victims’ networks. In many cases, Dragos observed VOLTZITE exfiltrating GIS data that contains critical information about the spatial layout of energy systems. VOLTZITE usually exploits vulnerabilities in internet-facing VPN appliances or firewalls for initial access.
LELWD embarked on its cybersecurity journey with Dragos through a government-funded initiative by the American Public Power Association (APPA). APPA utilizes these funds to bolster OT cybersecurity at public power utilities. By forming cooperative agreements, APPA members gain access to a variety of programs and resources, including the deployment of advanced monitoring technologies like the Dragos Platform.
To date, APPA has distributed over US$14 million to 32 utilities, supporting 78 cybersecurity projects. This highlights the critical need for selecting not just a security vendor but a genuine partner in OT cybersecurity. For utilities such as LELWD, the choice extends beyond product features; it involves finding a reliable expert who can offer continuous support, guidance, and innovative solutions tailored to the specific challenges of OT environments.
LELWD’s partnership with Dragos faced a significant challenge when the sophisticated threat group VOLTZITE was found to have persistent access to its network. This group, linked to widespread compromises in critical infrastructure since early 2023, prompted LELWD to expedite its cybersecurity efforts with Dragos.
Already implementing the Dragos Platform for visibility and security, LELWD quickly engaged OT Watch’s threat hunting services. OT Watch identified VOLTZITE’s actions, enabling LELWD to eradicate the threat and secure its network. Fortunately, no customer-sensitive data was compromised, highlighting the vital role of specialized OT security solutions in combating emerging cyber threats.
“The improved visibility we gained through the Dragos Platform has been a game-changer for our day-to-day operations,” Josh DeTerra, supervising engineer at the LELWD, said in the case study. “Just being able to see all the IP addresses that we know should or shouldn’t be talking to each other, it’s huge. This level of insight allows us to quickly identify and investigate any unusual network communications, potentially catching security breaches or operational issues before they escalate. It’s not just about cybersecurity; it’s about operational efficiency. We can now optimize our network configurations, troubleshoot issues faster, and ensure that our critical systems are communicating as intended.”
He added that this visibility has empowered “our team to make data-driven decisions, improve our incident response times, and maintain reliable and secure infrastructure for our community.”
“The Dragos team’s exceptional response combined calm expertise with strategic insight, contextualizing our situation within the broader threat landscape,” according to David Ketchen, assistant general manager. “Their confident approach reassured us we were in capable hands, providing both technical solutions and the reassurance needed during a critical time.”
The implementation of the Dragos Platform yielded significant results for LELWD. It led to enhanced OT network visibility, as the platform provided comprehensive insights into LELWD’s OT environment, allowing for better asset management and risk assessment. It delivered improved threat detection, as Dragos’s OT Watch team was instrumental in identifying and responding to the VOLTZITE threat activity. It provided streamlined vulnerability management, as the platform helped prioritize vulnerabilities, making it easier for the small team to manage risks effectively.
The solution also featured expertise on demand, offering access to Dragos’s OT security experts, which provided LELWD with critical support during incidents and for ongoing security improvements. It also offered efficient incident response. During the VOLTZITE incident, Dragos’s rapid response and expertise were crucial in containing and mitigating the threat.
Offering commentary on the Dragos case study, Nathaniel Jones, vice president of threat research at Darktrace, wrote in an emailed statement that the impact to critical national infrastructure (CNI) is a continued and growing concern with the applications of AI-based capabilities for both offensive and defensive teams. “Malicious groups exploiting CNI networks may have differing aims based on their operating context. Some APT groups may not have immediate objectives once persistence is obtained within CNI networks. Potentially state-sponsored actors may take a lay-and-wait approach: opting to sit within networks with minimal activity beyond beaconing only increasing activity when outside strategic conditions change,” he added.
Jones also observed that certain threat actors will also leverage malware aimed at causing immediate disruption to suit their goals. “This threat is particularly relevant for organizations with Operational Technology (OT) and Industrial Control Systems (ICS) environments. Darktrace Threat Research analysts recently noted an uptick in attacks in the energy sector motivated by disruption. The means of disruption observed by Darktrace ranged from an OT specific attack on Canadian energy provider’s PLC motor in the SCADA environment at a field substation to multiple Fog ransomware attacks that successfully led to encryption.”
“As OT becomes more integrated with IT systems, it presents more opportunities for attackers. OT security is strongest when supported by robust IT security, requiring coordination between IT and OT teams to defend the entire network,” according to Jones. “By adopting good cyber hygiene, proactively securing your digital estate, and addressing any vulnerabilities before they can be exploited, organizations will be much better equipped to defend their networks against increasingly opportunistic threat actors.”
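The visibility DeTerra describes (which OT addresses should or shouldn’t be talking to each other) and the low-activity beaconing Jones warns about both reduce to checks over network flow records. The following Python is an added example, not code from the Dragos case study or the Dragos Platform; every address, expected pair and timestamp in it is constructed for illustration.

```python
"""Added example (not from the Dragos case study or any product): a minimal
OT communication-baseline check over constructed flow records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: which OT hosts are expected to talk to each other.
EXPECTED_PAIRS = {
    ("10.10.1.5", "10.10.2.20"),  # HMI -> PLC (hypothetical addresses)
    ("10.10.1.6", "10.10.2.20"),  # historian -> PLC (hypothetical)
}
OT_PREFIX = "10.10."  # assumed address range of the OT segment

# Constructed flow records: (timestamp in seconds, src, dst, bytes sent)
FLOWS = [
    (0, "10.10.1.5", "10.10.2.20", 1200),
    (0, "10.10.1.6", "203.0.113.7", 120),      # roughly hourly, tiny
    (5, "10.10.1.6", "10.10.2.20", 800),
    (100, "10.10.1.5", "198.51.100.9", 5000),  # unexpected, not periodic
    (3600, "10.10.1.6", "203.0.113.7", 118),
    (7230, "10.10.1.6", "203.0.113.7", 121),
    (10790, "10.10.1.6", "203.0.113.7", 119),
    (14400, "10.10.1.6", "203.0.113.7", 120),
]

def unexpected_pairs(flows, expected=EXPECTED_PAIRS):
    """Source/destination pairs seen in flows but absent from the baseline."""
    seen = {(src, dst) for _, src, dst, _ in flows}
    return sorted(seen - expected)

def beacon_candidates(flows, ot_prefix=OT_PREFIX, min_events=4,
                      max_jitter=0.1, max_bytes=1024):
    """OT hosts sending small, evenly spaced flows to a non-OT address."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if (src.startswith(ot_prefix) and not dst.startswith(ot_prefix)
                and nbytes <= max_bytes):
            by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low jitter relative to the mean gap means regular check-ins.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((pair, round(avg), len(times)))
    return hits
```

Against the constructed flows, the first check flags both external destinations, while the second narrows the list to the one host contacting an outside address on a near-fixed hourly schedule with tiny payloads.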
Donovan Tindill, director of OT cybersecurity at DeNexus, focused on the exfiltration of OT data, the difficulty of detecting it, and the ways it can be exfiltrated. He identified that exfiltrated OT data has the potential to be used for understanding the configuration and operation of the target system; for theft of intellectual property such as recipes, manufacturing procedures, and techniques that can aid others in gaining a competitive advantage; and for identifying supply chain or third-party relationships in order to cause an impact on a target through those relationships.
He added that it can also be used to gain greater knowledge of the system as a whole, such as the design, operation, and behavior of a small portion of the electrical grid and its criticality to the larger network; for ransom or extortion; and to gain the knowledge needed to manipulate the OT system later towards a specific objective.
“As described in the Dragos case study, all companies are faced with the same challenges (e.g., limited network visibility, identifying vulnerabilities, lack of skills, shared networks) and this makes it very difficult to identify, detect, and respond to threat actors within the environment,” according to Tindill. “The fact the actor was in the environment for over 300 days is an indication of the organization’s detection capabilities.”
He added that the most important OT lockdown will be its isolation from the business network, Internet, and remote access. “The requirements for US Owner/Operators under NERC CIP for intermediary remote access, electronic security perimeters, and continuous monitoring are good practices that all OT industrials should apply to restrict access into their systems.”
“This group is known for pre-positioning within US CI—not necessarily for immediate sabotage, but for future disruption scenarios. By embedding themselves in water and power utilities, they gain persistent access to industrial control systems (ICS) and operational technology (OT), which could be leveraged in a geopolitical crisis,” Ensar Seker, chief security officer at SOCRadar, wrote in an emailed statement. “The 300-day undetected presence underscores the need for better visibility in ICS/OT networks. Traditional IT-centric security approaches often fail to detect threats in air-gapped or segmented OT environments until adversaries attempt lateral movement or trigger suspicious activities.”
Seker added that with China’s continued focus on the U.S. critical infrastructure, the long-term concern is that such intrusions could eventually transition from intelligence gathering to active disruption—potentially affecting power grids, water systems, or transportation networks in times of geopolitical tension.
“Threat actors will increasingly compromise ICS security providers or managed service firms to gain access to multiple critical infrastructure targets at scale,” according to Seker. “This incident will likely lead to tighter US government scrutiny over critical infrastructure cybersecurity, pushing for mandatory threat hunting and network monitoring in OT environments.”
Gunter Ollmann, CTO at Cobalt, wrote in an emailed statement that Volt Typhoon’s persistent capabilities often begin with the use of zero-days, and its tendency to target industries that are often behind in their security procedures. “While the main cause for concern here is certainly the length of time that attackers will dwell within a network, whether to exfiltrate data and move laterally throughout networks, the key indicator of how to truly prevent these issues is once again down to having regular assessments of vulnerabilities within the tools you use. With offensive security measures, attackers trying to enter your network via vulnerabilities can be stopped in their tracks,” he added.
In conclusion, Dragos said that its collaboration with LELWD, supported by the APPA cooperative agreement programs, has greatly strengthened the utility’s cybersecurity capabilities. From facing a high-profile threat group to developing a proactive security posture, LELWD’s journey demonstrates the value of specialized OT security solutions for critical infrastructure providers of all sizes. The combination of advanced technology, expert support, and a commitment to continuous improvement has positioned LELWD to better protect its operations and serve its communities securely in an evolving threat landscape.