VOLTZITE
Uses LOTL techniques for reconnaissance, enumeration, lateral movement, and long-term persistent access.

VOLTZITE, a Dragos-tracked threat group that has operational overlaps with Volt Typhoon (Microsoft), was performing reconnaissance and enumeration of multiple US-based electric companies, and has since been observed targeting electric power transmission and distribution, emergency services, telecommunications, defense industrial bases, and satellite services. VOLTZITE’s actions against US electric entities, telecommunications, and GIS systems signify clear objectives to identify vulnerabilities within the country’s critical infrastructure that could be exploited in the future with destructive or disruptive cyber attacks. While VOLTZITE has traditionally targeted US facilities, we are also aware of the group targeting organizations in Africa and Southeast Asia. This group heavily uses living off the land (LOTL) techniques, which can make detection and response efforts more difficult. This strategy, paired with slow and steady reconnaissance, enables VOLTZITE to avoid detection by security teams.
VOLTZITE’s 2023 behavior suggested operational objectives of espionage and information gathering. Data stolen from operational technology (OT) networks may result in unintended disruption to critical industrial processes or provide the adversary with crucial intelligence to aid in follow-up offensive tool development or attacks against ICS networks.
Date: Since 2023
ADVERSARY
- Overlap with Volt Typhoon and BRONZE SILHOUETTE
CAPABILITIES
- Heavy use of living off the land techniques
- Slow, steady reconnaissance to evade detection
- Use of Fast Reverse Proxy, multiple web shells
VICTIM
- Targets the electric sector across the United States and Guam
INFRASTRUCTURE
- Uses internet-facing SOHO networking equipment for communications
ICS IMPACT
- Loss of Confidentiality, Theft of Operational Information
- Espionage and persistent access