China’s Volt Typhoon spies broke into emergency network of ‘large’ US city

The Chinese government’s Volt Typhoon spy team has apparently already compromised a large US city’s emergency services network and has been spotted snooping around America’s telecommunications’ providers as well.

According to a report on Tuesday by industrial cybersecurity biz Dragos, the crew has been conducting reconnaissance and enumeration of “multiple” American electric companies since early 2023. And, more recently, the Beijing spies have apparently targeted emergency management services, including telecommunications and satellite services.

“The concern is the targets they pick across telecommunications, and electric power generation and distribution — these are very strategic targets. It’s not a spray and pray,” Dragos CEO Robert Lee said on a call with reporters.

“It is specifically looking at those sites that would be of strategic value to an adversary trying to hurt or cripple US infrastructure.”

Volt Typhoon surveilling energy and other critical infrastructure facilities isn’t new — the Feds have been hammering this point for a while now. But the Dragos report suggests the pace of penetration is picking up.

On the other hand, you may expect China by now to be all over US infrastructure just as much as Uncle Sam’s NSA and CIA are probably all over Chinese networks. We’re determined not to panic, in other words.

In addition to the digital break-ins in the US, the Chinese Volt snoops have been targeting electric transmission and distribution organizations in Africa, we’re told, a continent Beijing is rather keen on exploiting.

Dragos tracks Volt Typhoon as VOLTZITE, and here’s what its incident responders and threat hunters have spotted over the past year [PDF]:

  • Early 2023: Compromise in the US territory of Guam.
  • June 2023: VOLTZITE infiltrates a United States emergency management organization.
  • August 2023: Dragos discovers VOLTZITE targeting African electric transmission and distribution providers.
  • November 2023: Dragos collaborates with E-ISAC on analysis of VOLTZITE activity against multiple US-based electric sector organizations.
  • December 2023: Dragos discovers evidence that VOLTZITE overlaps with UTA0178, a threat activity cluster tracked by Volexity, exploiting Ivanti Connect Secure (ICS) VPN zero-day vulnerabilities.
  • January 2024: Extensive reconnaissance of a US telecommunications provider’s external network gateways.
  • January 2024: Evidence of compromise against a large US city’s emergency services GIS network.

In one of the instances where Volt Typhoon compromised a US electric company, the spies had been on the organization’s IT network for “well over 300 days” before being spotted, according to Dragos’ Lee. 

The attackers were “explicitly trying to get into the operational technology network,” he said. “They were knocking on the door, they were doing everything that you’d expect to explicitly get into the power operations networks.” 

While they weren’t able to infiltrate the operational technology, or OT, network, Volt Typhoon did manage to steal geographic information system (GIS) data, “things that would be useful in future disruptive attacks,” Lee noted.

Some of the devices and software the Chinese spies have compromised include Fortinet FortiGuard, PRTG Network Monitor appliances, ManageEngine ADSelfService Plus, FatPipe WARP, Ivanti Connect Secure VPN, and Cisco ASA, according to the Dragos report.

After gaining access to victims’ IT networks, usually by exploiting buggy routers or VPN gateways, they use “living off the land” techniques (i.e., legitimate admin tools, to blend in with normal activity) and stolen credentials to move laterally through the network.