FBI Warns Utilities of Cyber Threat: Inside the Volt Typhoon Incident


12 Mar 2025, theregister.com

An unsettling call from the FBI revealed a serious cybersecurity threat to the Littleton Electric Light and Water Departments, highlighting vulnerabilities in public utilities.


Nick Lawler, the general manager of the Littleton Electric Light and Water Departments (LELWD), received alarming news one November evening in 2023. The FBI contacted him, warning that his utility's network had been compromised by Volt Typhoon, a state-backed hacking group from China.

Initially, Lawler was skeptical of the FBI's claim. LELWD, which serves the towns of Littleton and Boxborough in Massachusetts, does not handle critical infrastructure on a large scale. "We don't have any access to large critical infrastructure. We don't own transmission. We're a distribution company. Yes, we're part of the overall grid, but the impact of taking out Littleton is small. You would never think that would be a target of any type of attack," Lawler explained.

The FBI agent told Lawler that his utility was among 200 organizations that had been breached and requested his personal email to provide further diagnosis of the situation. Lawler responded strongly, saying, "Go f-yourself, I'm not going to click on a link, you must think I'm an idiot. What is your name again?"


He ended the call and promptly phoned the FBI's Boston office, where he was put through to the same agent. That made him reconsider the gravity of the situation. "It was still surreal to me; you never think you are the victim of that type of attack," he noted.


Lawler got through the weekend with his family, but the call weighed on him. Monday morning brought a new layer of seriousness when Homeland Security officials visited LELWD's office. They handed Lawler an unclassified document describing Volt Typhoon's operations, and that was the turning point in how he saw the breach.

"You just gave me this pamphlet about how the Chinese government is planning these attacks, and living off the land," Lawler recalled. "How can I enjoy Thanksgiving?"


The intrusion had been discovered shortly before Thanksgiving week, at a time when Volt Typhoon was not widely known outside intelligence circles. That changed in January 2024, when it came to light that the group had compromised hundreds of end-of-life small office/home office routers and assembled them into a botnet used to route and disguise its access to U.S. critical infrastructure networks.


LELWD had already invested in its defences, working with Dragos, a company specializing in operational technology (OT) cybersecurity. Dragos sensors had been installed on the OT network only months earlier, and it was this telemetry, combined with the firm's threat-hunting service, that surfaced the intrusion: outbound traffic from the OT network to hosts in China that had no business reason to exist. Lawler explained, "Through these sensors and the firm's OT threat hunting service, Dragos spotted some unusual network traffic and communications with China that shouldn't be occurring."
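The kind of check that turns OT network telemetry into that finding, reduced to its essentials as an added example (this is not Dragos's or LELWD's code, and the flow records, the OT address range 10.20.0.0/16 and the expected external destination are all constructed for illustration, using documentation IP ranges as placeholders):

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not real LELWD data): timestamp,src,dst,dport,bytes.
# 10.20.1.2:502 is a Modbus peer inside the OT network; 198.51.100.10:123 stands in for
# an approved external NTP server; the other external addresses are unexplained.
SAMPLE_FLOWS = """\
2023-11-17T02:00:05,10.20.5.14,10.20.1.2,502,1200
2023-11-17T02:00:07,10.20.5.14,203.0.113.77,443,640
2023-11-17T02:10:06,10.20.5.14,203.0.113.77,443,652
2023-11-17T02:20:08,10.20.5.14,203.0.113.77,443,648
2023-11-17T02:30:05,10.20.5.14,203.0.113.77,443,655
2023-11-17T02:31:00,10.20.7.9,198.51.100.10,123,76
2023-11-17T02:45:00,10.20.7.9,10.20.1.2,502,900
2023-11-17T03:00:00,10.20.3.3,192.0.2.200,443,5000
"""

OT_NET = ipaddress.ip_network("10.20.0.0/16")            # assumed OT address space
INTERNAL_NETS = [ipaddress.ip_network(n) for n in         # everything else is "external"
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_EXTERNAL = {ipaddress.ip_address("198.51.100.10")}  # assumed approved NTP server


def parse_flows(text):
    """Parse the CSV-style flow export into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_external(addr):
    return not any(addr in net for net in INTERNAL_NETS)


def unexpected_egress(flows):
    """OT hosts talking to external addresses that are not on the expected list.

    In a distribution utility's OT network, the set of legitimate external
    destinations is tiny and known, so an allowlist is the right baseline.
    """
    hits = set()
    for f in flows:
        if f["src"] in OT_NET and is_external(f["dst"]) and f["dst"] not in EXPECTED_EXTERNAL:
            hits.add((str(f["src"]), str(f["dst"]), f["dport"]))
    return sorted(hits)


def beacons(flows, min_count=4, max_jitter=0.1):
    """Same src->dst:port repeating at near-constant intervals: a C2 check-in pattern.

    Living-off-the-land intrusions leave few host artefacts, but a periodic
    outbound connection is hard to hide from a passive network sensor.
    Returns [((src, dst, dport), mean_interval_seconds), ...].
    """
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(str(f["src"]), str(f["dst"]), f["dport"])].append(f["ts"])
    found = []
    for key, stamps in by_tuple.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            found.append((key, round(mean)))
    return found


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, port in unexpected_egress(flows):
        print(f"unexpected egress: {src} -> {dst}:{port}")
    for (src, dst, port), period in beacons(flows):
        print(f"beacon: {src} -> {dst}:{port} every ~{period}s")
```

On the constructed data the allowlist check flags two OT hosts reaching external addresses, and the interval analysis singles out 10.20.5.14 checking in to one of them roughly every ten minutes. The allowlist does the heavy lifting: the beacon detector is there for the case where an attacker tunnels through a destination that looks legitimate, which is exactly why Volt Typhoon relays traffic through compromised routers.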

Further investigation traced the initial access to a known vulnerability in the utility's FortiGate 300D firewall. A patch had been available for months, but LELWD's managed service provider had never applied the firmware update, so the hole stayed open until Volt Typhoon walked through it. LELWD dismissed that provider and brought the work in-house.

Lawler's experience underscores the challenge facing smaller utilities. Many lack the staff and budget to defend against state-backed attackers, and, as the unpatched firewall shows, outsourcing to a managed service provider does not remove that exposure unless someone is checking the provider's work.

While the incident initially came as a surprise to Lawler, it serves as a reminder of the increasing frequency and severity of cyberattacks targeting essential services. As the landscape of cybersecurity continues to grow more complex, organizations must remain vigilant and proactive in their defenses against potential breaches.

Looking Ahead

As of now, the implications of this breach extend beyond LELWD, as it represents a larger trend affecting public utilities nationwide. The ongoing threat posed by groups like Volt Typhoon necessitates collaboration among agencies and the public sector to safeguard critical infrastructure against future attacks.
