Researchers Caution That Volt Typhoon Remains Embedded in US Utilities, with Some Breaches Potentially Undetectable

For nearly three years, U.S. military and law enforcement agencies have actively pursued hackers responsible for penetrating vital water and power companies nationwide. Recent findings indicate that a significant number of these cyberattacks targeting U.S. critical infrastructure may ultimately evade detection.

In its latest annual report, operational technology security firm Dragos described ongoing activity by the Volt Typhoon group, a Chinese state-linked actor that has been tied to a series of compromises affecting U.S. utilities. Despite scrutiny and intensified countermeasures, the group is expected to maintain its operations through at least 2025, as it continues to exploit vulnerabilities within U.S. infrastructure.

Rob Lee, the CEO of Dragos, emphasized the group’s relentless activity in a statement to reporters last week. He noted that they are effectively mapping and embedding themselves into U.S. infrastructure as well as that of allied nations.

When questioned about the possibility of completely eradicating Volt Typhoon from all affected U.S. utilities, Lee expressed skepticism. He indicated that certain locations compromised by this group, including those in NATO countries, may never be fully identified or remedied.

According to U.S. authorities, the group’s strategic objective is to pre-position hackers within operational technology networks, thereby enabling potentially devastating cyberattacks aimed at disrupting U.S. military mobilization. Lee reaffirmed that the group prioritizes key targets and seeks to secure long-term access to these systems.

While impending regulations from the U.S. government may assist utilities in identifying Volt Typhoon-induced compromises, Lee acknowledged that many public utilities, particularly in the water sector, are unlikely to achieve the necessary sophistication to detect and eliminate these threats. He suggested that some critical infrastructure might remain compromised indefinitely, given current trends.

China has categorically denied any involvement in the Volt Typhoon activities; however, evidence has surfaced indicating that hackers linked to the group have infiltrated U.S. critical infrastructure in locations such as Guam, aiming to inhibit potential military mobilization.

The full extent of Volt Typhoon’s impact remains unclear, with U.S. officials admitting that any figures reported regarding the number of victims are likely substantial underestimations.

In its report, Dragos also highlighted an auxiliary group known as SYLVANITE, which it claims has facilitated initial access to various utilities before handing control over to Volt Typhoon for expanded operations. This group has reportedly targeted operational technology systems across several regions, including North America and Europe, and has gained entry into sectors such as oil and gas, water, and manufacturing.

Importantly, Dragos has linked recent high-profile exploitation campaigns to both Volt Typhoon and SYLVANITE, pointing to vulnerabilities in widely used products such as those from Ivanti and Trimble's Cityworks GIS software. These breaches may equip adversaries to execute precise, disruptive attacks on critical services, raising alarm over the increasing sophistication and persistence of such cyber threats.

Future operations by Volt Typhoon, as outlined by Dragos, appear to indicate a shift toward directly interacting with operational technology network devices, suggesting a growing capability to steal operational data and carry out disruptive attack scenarios.
