VOLTZITE

Uses LOTL techniques for reconnaissance, enumeration, lateral movement, and long-term persistent access.

Threat group: Voltzite
THREAT DESCRIPTION
VOLTZITE traditionally targets US-based facilities, but also known to target organizations in Africa and Southeast Asia, using LOTL techniques that make detection and response difficult.

VOLTZITE, a Dragos-tracked threat group that has operational overlaps with Volt Typhoon (Microsoft), was performing reconnaissance and enumeration of multiple US-based electric companies, and since then has been observed targeting electric power transmission and distribution, emergency services, telecommunications, defense industrial bases, and satellite services. VOLTZITE’s actions towards US electric entities, telecommunications, and GIS systems signify clear objectives to identify vulnerability within the country’s critical infrastructure that can be exploited in the future with destructive or disruptive cyber attacks. While VOLTZITE has traditionally targeted US facilities, we also are aware of the group targeting organizations in Africa and Southeast Asia. This group heavily uses living off the land (LOTL) techniques, which can make detection and response efforts more difficult. This strategy, paired with slow and steady reconnaissance, enables VOLTZITE to avoid detection from security teams.

VOLTZITE’s 2023 behavior suggested operational objectives of espionage and information gathering. Data stolen from operational technology (OT) networks may result in unintended disruption to critical industrial processes or provide the adversary with crucial intelligence to aid in follow-up offensive tool development or attacks against ICS networks.

Date: Since 2023

ADVERSARY

  • Overlap with Volt Typhoon and BRONZE SILHOUETT

CAPABILITIES

  • Heavy use of living off the land techniques
  • Slow steady reconnaissance to evade detection
  • Use of Fast Reverse Proxy, multiple web shells

VICTIM

  • Targets the electric sector across the United States, Guam

INFRASTRUCTURE

  • Uses internet-facing SOHO networking equipment for communications

ICS IMPACT

  • Loss of Confidentiality, Theft of Operational Information
  • Espionage and persistent access
Explore Threat Groups
About Dragos Threat Intelligence

Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate nor conduct political attribution to threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’s approach to categorizing threat activity and attribution.

Dragos does not publicly describe ICS threat group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on BAUXITE and other group tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.

Take the next step to protect your ICS environment now with a free demo.