In a joint release last week, the Cybersecurity and Infrastructure Security Agency (CISA) and other federal agencies issued a chilling Advisory about the ongoing attacks by Volt Typhoon on U.S. critical infrastructure. Volt Typhoon is a People’s Republic of China (PRC) sponsored group that uses slow and persistent techniques to gain entry into U.S.-based critical infrastructure. CISA urges “critical infrastructure organizations and technology manufacturers to read the joint advisory and guidance to defend against this threat.

Soon after the Joint Alert, Dragos released its Report “VOLTZITE Espionage Operations Targeting U.S. Critical Systems,” which provides concerning information about the overlap between Volt Typhoon and VOLTZITE and how it is targeting and successfully gaining access to U.S. critical infrastructure.

According to Dragos, “VOLTZITE has been observed performing reconnaissance and enumeration of multiple U.S.-based electric companies since early 2023, and since then has targeted emergency management services, telecommunications, satellite services, and the defense industrial base. Additionally, Dragos has discovered VOLTZITE targeting electric transmission and distribution organizations in African nations.” Dragos also notes that the threat actors are difficult to detect, and therefore, the “slow and steady reconnaissance, enables VOLTZITE to avoid detection for lengthy periods of time.”

Dragos has tracked VOLTZITE in 2023 as follows:

• Early 2023 – US Territory of Guam compromise.
• June 2023 – VOLTZITE infiltrates United States emergency management organization.
• August 2023 – Dragos discovers VOLTZITE targeting African electric transmission and distribution providers.
• November 2023 – Dragos collaborated with E-ISAC on analysis of VOLTZITE activity against multiple U.S. based electric sector organizations.
• December 2023 – Dragos discovered evidence that VOLTZITE has overlaps with UTA0178, a threat activity cluster tracked by Volexity, exploiting Ivanti ICS VPN zero-day vulnerabilities.
• January 2024 – Extensive reconnaissance of a U.S. telecommunication’s providers external network gateways.
• January 2024 – Evidence of compromise against a large U.S. city’s emergency services GIS network.

Not only is the PRC conducting slow and steady reconnaissance of critical infrastructure in the U.S., but it is also conducting daily reconnaissance of TikTok users. The PRC is a threat to national security on both fronts. Dragos provides ways critical infrastructure operators can mitigate the threat posed by VOLTZITE, which is an important read.