[Image: Electric tower. Credit: Pixabay / Pexels]

Volt Typhoon hackers were in Massachusetts utility’s systems for 10 months

Chinese hackers connected to the Volt Typhoon campaign spent nearly one year inside the systems of a major utility company in Littleton, Massachusetts.

In a report published Wednesday, operational technology (OT) cybersecurity firm Dragos described their work helping Littleton Electric Light & Water Department grapple with what was determined to be part of a larger effort by China’s government to preposition their hackers within U.S. critical infrastructure — with the end goal believed to be destructive action taken in the event of a conflict. 

U.S. law enforcement alleges the group has infiltrated a range of critical infrastructure organizations in the U.S., as well as Guam.

According to Dragos, the Massachusetts utility discovered its systems were breached just before Thanksgiving in 2023. 

David Ketchen, the utility’s assistant general manager, received a phone call from the FBI on a Friday afternoon alerting him of a suspected compromise. FBI agents, alongside representatives from the Cybersecurity and Infrastructure Security Agency (CISA) arrived at the company’s offices the following Monday. 

The utility has served the towns of Littleton and Boxborough, about 30 miles northwest of Boston, with power and water services for more than a century but has struggled in recent years to contend with the increasing number of cyber threats.

They contacted Dragos after discovering the Volt Typhoon compromise. An investigation revealed that Volt Typhoon had been in the utility’s systems dating back all the way to February 2023.

Dragos found evidence of lateral movement by the hackers and data exfiltration but an investigation revealed that the “compromised information did not include any customer-sensitive data, and the utility was able to change their network architecture to remove any advantages for the adversary.” 

“The significance of the discovery of this attack is that it highlights that the adversary not only aimed to maintain persistent access to the victim's environment for a long tenure, but also were aiming to exfiltrate specific data related to OT operating procedures and spatial layout data relating to energy grid operations,” a Dragos expert said. 

That kind of information is pivotal for adversaries looking to know where to attack if their goal is destruction, they explained.

The utility worked to resolve the compromise and remove the threat actors, but Dragos admitted there is much that could not be shared due to continuing law enforcement operations. 

While China has denied any involvement in the Volt Typhoon compromises, CISA and the FBI have repeatedly warned that the hackers are “seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”

As China has increased its aggressiveness toward Taiwan in recent years, evidence of Volt Typhoon hackers was found hidden in U.S. critical infrastructure in Guam and near other U.S. military bases with the intent of slowing any potential mobilization of forces. 

The total number of Volt Typhoon victims is unknown, and when pressed last year, U.S. officials argued any number given “is likely an underestimate.”

The Volt Typhoon campaign set off an effort by the White House and other arms of the U.S. government to not only root out the hackers but also harden critical infrastructure.

A February 2024 advisory said several U.S. agencies have seen Volt Typhoon hackers “maintaining access and footholds within some victim IT environments for at least five years.” Last year, the Justice Department confirmed that it disrupted the “KV Botnet” malware run by Volt Typhoon. 

Nathaniel Jones, vice president of threat research at cybersecurity firm Darktrace, noted they have recently seen an uptick in attacks in the energy sector motivated by disruption, including an “OT specific attack” on a Canadian energy provider and several attacks using Fog ransomware leading to encryption. 

In a February 2025 report, Dragos said Volt Typhoon is “arguably the most crucial threat group to track in critical infrastructure” and steals geographic information system data, network diagrams, operating instructions and more from victim organizations.

Dragos experts said Volt Typhoon typically exploits vulnerabilities in internet-facing VPN appliances or firewalls for initial access and encouraged utilities to implement patch management as well as system integrity plans. 

“The best way to identify [Volt Typhoon] is by monitoring its behaviors; it purposely blends in with trusted networks and uses tools already available,” Dragos incident responders said. 

“Compare any unusual lateral movement with expected traffic within your network and validate suspicious user activity that originates from regular employee accounts.”
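The behavior-based approach Dragos describes, applied as a small baseline-deviation check over logon events: learn which user-to-host paths are routine, then flag later movement that falls outside them for analyst validation. This is an added example, not code from Dragos or the article; the host names, user names, working-hours window and log format are all assumptions, and the log lines are constructed sample data.

```python
# Added example, not from the article or the Dragos report: learn which
# (user, source, destination) logon paths are normal, then flag later
# events that deviate so an analyst can validate them. Logs are constructed.
from collections import defaultdict

BASELINE_LOG = """\
2023-01-10T08:02:11 user=jsmith src=ws-114 dst=fileserver-1
2023-01-10T08:05:40 user=jsmith src=ws-114 dst=mail-1
2023-01-11T09:12:45 user=mjones src=ws-207 dst=fileserver-1
2023-01-12T08:01:19 user=mjones src=ws-207 dst=scada-hist-1
"""

NEW_LOG = """\
2023-02-14T08:03:27 user=jsmith src=ws-114 dst=fileserver-1
2023-02-14T02:41:09 user=jsmith src=fileserver-1 dst=scada-hist-1
2023-02-14T02:43:51 user=jsmith src=scada-hist-1 dst=gis-server-1
"""

def parse(line):
    ts, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return ts, f["user"], f["src"], f["dst"]

def build_baseline(log):
    """Map each user to the (src, dst) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for line in log.splitlines():
        _, user, src, dst = parse(line)
        baseline[user].add((src, dst))
    return baseline

def find_deviations(baseline, log, work_hours=(7, 19)):
    """Return (ts, user, src, dst, reasons) for events outside the baseline."""
    findings = []
    for line in log.splitlines():
        ts, user, src, dst = parse(line)
        known = baseline.get(user, set())
        reasons = []
        if (src, dst) not in known:
            reasons.append("new path for this user")
        if src not in {s for s, _ in known}:
            reasons.append("source host never used by this user")  # server-to-server pivot
        if not work_hours[0] <= int(ts[11:13]) < work_hours[1]:
            reasons.append("outside working hours")
        if reasons:
            findings.append((ts, user, src, dst, reasons))
    return findings
```

Because the flagged events use a regular employee account and ordinary logons rather than malware, only the comparison against what that account normally does makes them stand out.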

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.