This is the FBI, open up. China's Volt Typhoon is on your network
On a typical Friday evening, Nick Lawler, general manager of the Littleton Electric Light and Water Departments (LELWD), was enjoying some family time at home when he received an unexpected phone call from the FBI.
The agent on the other end informed him that LELWD's network had been compromised by a group known as Volt Typhoon. Lawler was initially skeptical, having dealt with various scams before. However, as the conversation progressed, it became clear that this was no ordinary cyberattack.
"We don't have any access to large critical infrastructure. We don't own transmission. We're a distribution company. Yes, we're part of the overall grid, but the impact of taking out Littleton is small. You would never think that would be a target of any type of attack," Lawler stated.
The FBI agent asked Lawler to provide his personal email address so they could send him a link to diagnose the severity of the issue. However, Lawler refused, recognizing the tactics as a phishing scam. He told the agent: "Go f-yourself, I'm not going to click on a link, you must think I'm an idiot. What is your name again?"
After hanging up with the agent, Lawler called the FBI Boston office directly and asked them to show up at his utility the next Monday at 10 am. Despite the initial unease, Lawler's primary concern was not the vulnerability of LELWD's network but rather his personal safety.
Over the weekend, Lawler largely forgot about the incident until Homeland Security officials arrived at his office on Monday morning, handing him an unclassified document about Volt Typhoon. The document revealed that the Chinese government-backed hacking crew had infected hundreds of outdated routers to build a botnet and breach US critical infrastructure facilities.
Lawler was shocked to learn that Volt Typhoon had been prepositioning itself, readying destructive cyberattacks against those targets. He recalled thinking: "You just gave me this pamphlet about how the Chinese government is planning these attacks, and living off the land... How can I enjoy Thanksgiving?"
LELWD had been working with operational technology (OT) cybersecurity company Dragos as part of a government-funded American Public Power Association program. Dragos had installed sensors on LELWD's OT network in August 2023, and those sensors spotted unusual network traffic, including communications with China that shouldn't have been occurring.
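The kind of check an OT network sensor performs here is simple to state: devices on the control segment should talk to a small, known set of peers, and anything else leaving the segment for an external address deserves a look, especially when it recurs on a steady timer. The script below is an added example written for this article, not Dragos's sensor logic and not anything from LELWD; the addressing (a hypothetical 10.50.0.0/16 OT segment, a single allowlisted vendor host) and the flow records are constructed for illustration.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed addressing for the example: an OT segment, the RFC 1918 ranges that count
# as "inside", and the few external hosts an OT device is allowed to reach (e.g. a
# vendor patch mirror). None of these are LELWD's real networks.
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EGRESS_ALLOWLIST = {ipaddress.ip_address("203.0.113.10")}

# Constructed flow records (timestamp, src, dst, dst_port, bytes), not real sensor data.
# 10.50.3.40 reaches an unknown external host every ~30 minutes; everything else is benign.
SAMPLE_FLOWS = """\
2023-08-14T02:10:01Z 10.50.3.21 10.50.3.1 502 1200
2023-08-14T02:10:07Z 10.50.3.21 203.0.113.10 443 8800
2023-08-14T02:11:15Z 10.50.3.40 198.51.100.77 443 3100
2023-08-14T02:41:16Z 10.50.3.40 198.51.100.77 443 2950
2023-08-14T03:11:14Z 10.50.3.40 198.51.100.77 443 3020
2023-08-14T03:12:00Z 192.168.7.9 198.51.100.77 443 600
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def is_internal(ip):
    """True if the address falls in one of the internal (RFC 1918) ranges."""
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_ot_egress(flows):
    """Flows where an OT host reaches an external address that is not allowlisted."""
    return [f for f in flows
            if f["src"] in OT_SEGMENT
            and not is_internal(f["dst"])
            and f["dst"] not in EGRESS_ALLOWLIST]


def summarize(findings):
    """Group hits per (src, dst); a steady gap across several hits suggests beaconing."""
    groups = defaultdict(list)
    for f in findings:
        groups[(str(f["src"]), str(f["dst"]))].append(f)
    summary = {}
    for key, hits in groups.items():
        hits.sort(key=lambda f: f["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        median_gap = statistics.median(gaps) if gaps else None
        # Call it periodic when there are at least three hits and the gaps vary by <= 10%.
        periodic = (len(gaps) >= 2 and median_gap > 0
                    and (max(gaps) - min(gaps)) <= 0.1 * median_gap)
        summary[key] = {
            "count": len(hits),
            "bytes": sum(f["bytes"] for f in hits),
            "median_gap_s": median_gap,
            "periodic": periodic,
        }
    return summary


if __name__ == "__main__":
    for (src, dst), s in summarize(find_ot_egress(parse_flows(SAMPLE_FLOWS))).items():
        print(f"{src} -> {dst}: {s['count']} flows, {s['bytes']} bytes, "
              f"median gap {s['median_gap_s']}s, periodic={s['periodic']}")
```

The allowlist is the part that matters operationally: an OT segment usually has a short, enumerable list of legitimate external peers, so a deny-by-default egress baseline turns "unusual traffic" into a concrete alert rather than a judgment call. The periodicity check is a cheap way to rank hits; a host that calls the same external address on a fixed timer is worth pulling ahead of one-off connections.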
The Chinese snoops gained initial access via a buggy FortiGate 300D firewall, according to Lawler. Fortinet had patched the vulnerability in December 2022, but the firmware on LELWD's firewall, which was maintained by its managed services provider, had not been updated by the time of the intrusion.
By December 2023, the federal government had installed its own sensors on LELWD's networks and asked the utility to leave the security hole open so it could monitor the intruders' activity. Lawler was uneasy about knowingly leaving a vulnerability exposed, but felt compelled to cooperate with the government for the sake of other utilities.
A week before Christmas, both the feds and the Chinese spies were off LELWD's networks, and the firewall vulnerability was patched. The utility rebuilt its networks to prevent future attacks and ran a three-week penetration test to confirm that its defenses were working properly.
Despite the efforts of LELWD and the federal government, Lawler still has no clear answer as to why Volt Typhoon targeted his power utility, beyond reconnaissance and espionage. He noted that while nothing related to the substation or engineering systems was compromised, the intruders had accessed the utility's servers and gone after its vulnerable firewalls.
"I wouldn't say anything related to our substation or our engineering was compromised... They did access our servers. They knew where those vulnerable firewalls were, and they tried to get behind them. I still don't know why Littleton other than we had a hole and they found it," Lawler said.