VOLTZITE Evolves: Threat Group Targets Critical Systems

VOLTZITE, a threat group known for persistent targeting of critical infrastructure, continues to refine its methods. Tracked by Dragos, the group has drawn attention for its operations against the electric sector and other critical infrastructure in the United States and Africa. VOLTZITE’s strategy is not one of brute force but of stealth and persistence: it relies on “living off the land” techniques, using tools and accounts already present in the victim environment so that its activity blends in with legitimate administration and is hard to separate from it.

VOLTZITE’s activity overlaps substantially with clusters tracked by CISA and by other vendors, notably Microsoft’s Volt Typhoon and Secureworks’ BRONZE SILHOUETTE. These overlaps point to a coordinated cyber espionage effort focused on long-term intelligence gathering and data exfiltration. The group’s methodical reconnaissance and its routing of command and control traffic through compromised routers fit that profile.

In early 2023, VOLTZITE exfiltrated sensitive operational data from a US water and electric utility. Compromised information included operational procedures, OT asset configurations, GIS and SCADA system details, and customer data. The utility’s subsequent security enhancements in late 2023 did not prevent VOLTZITE from regaining access, demonstrating a persistent intent to retain long-term footholds within victim networks.

VOLTZITE’s arsenal is built on minimalism, favoring tools that leave little footprint. From exploiting internet-facing network appliances and VPN gateways for initial access to using native Windows tools for lateral movement, VOLTZITE relies on capabilities that already exist in, or are easily brought into, the victim environment. Its use of the FRP reverse proxy tool and Awen web shells for command and control follows the same pattern: small, widely available utilities rather than bespoke malware. Because these tools are legitimate or commonly used, file-hash and signature matching give little coverage; detection has to rest on the behavior of the host and account using them.

While VOLTZITE has yet to demonstrate capabilities aimed directly at disrupting industrial control systems, its persistent interest in critical infrastructure sectors poses a latent threat. Its slow, calculated reconnaissance and demonstrated ability to move laterally between IT and OT networks could, in time, give it the access and knowledge needed to develop tools capable of causing significant disruption.

In response to the growing threat posed by VOLTZITE, Dragos emphasizes the importance of rigorous network segmentation, monitoring cross-zone communications, and employing behavioral detections tailored to identify and mitigate VOLTZITE’s specific tactics, techniques, and procedures. Adherence to the 5 Critical Controls for World-Class OT Cybersecurity, as outlined by the SANS Institute, provides a foundational framework for robust cyber defense.
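The segmentation and cross-zone monitoring advice above is concrete enough to turn into a check. The following Python script is an added example and is not Dragos code; the zone ranges, the allowlist of approved cross-zone paths and the flow records are all constructed for illustration. It classifies each flow by source and destination zone, flags any IT/OT crossing that is not on the allowlist, flags any OT host that talks directly to an external address at all, and then counts repeated OT-to-external peers, the kind of pattern a reverse proxy or a router used as a relay would produce.

```python
"""Cross-zone flow check for an IT/DMZ/OT segmented network.

Added example, not Dragos code. Zone layout, allowlist and the flow
records below are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Assumed zone layout (constructed): corporate IT, a DMZ holding the
# jump hosts and log collector, and the OT network.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Assumed segmentation policy: the only cross-zone paths that should exist,
# as (source zone, destination zone, destination port).
ALLOWED_CROSS_ZONE = {
    ("IT", "DMZ", 443),   # users reach the jump host web front end
    ("DMZ", "OT", 3389),  # jump host RDPs into engineering workstations
    ("OT", "DMZ", 514),   # OT syslog forwarded to a DMZ collector
}

# Constructed sample flow records: "timestamp src dst dport proto".
SAMPLE_FLOWS = """\
2024-01-15T03:12:07Z 10.10.5.23 10.20.0.5 443 TCP
2024-01-15T03:12:40Z 10.10.5.23 10.30.1.40 445 TCP
2024-01-15T03:13:10Z 10.20.0.5 10.30.1.40 3389 TCP
2024-01-15T03:13:55Z 10.30.1.40 10.20.0.9 514 UDP
2024-01-15T03:14:30Z 10.30.1.40 203.0.113.8 443 TCP
2024-01-15T03:15:02Z 10.30.1.40 203.0.113.8 443 TCP
2024-01-15T03:16:11Z 10.10.7.3 10.30.2.12 22 TCP
"""


def zone_of(ip_str):
    """Return the zone name for an address, or EXTERNAL if it is in none."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "EXTERNAL"


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def evaluate_flows(text):
    """Apply the segmentation policy to each flow; return a list of findings.

    Each finding is (kind, src, dst, dport). Intra-zone traffic is ignored,
    and IT/DMZ internet traffic is left to perimeter controls; the point
    here is the IT/OT boundary and any direct OT-to-internet path.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if sz == dz:
            continue
        if "EXTERNAL" in (sz, dz):
            if "OT" in (sz, dz):
                findings.append(("ot_internet_flow", f["src"], f["dst"], f["dport"]))
            continue
        if (sz, dz, f["dport"]) not in ALLOWED_CROSS_ZONE:
            findings.append(("unapproved_cross_zone", f["src"], f["dst"], f["dport"]))
    return findings


def repeat_external_peers(findings, minimum=2):
    """(src, dst) pairs from OT internet findings seen at least `minimum` times.

    Repeated contact with one external host from an OT asset is worth a
    closer look: a reverse proxy or relay produces exactly this shape.
    """
    counts = Counter((src, dst) for kind, src, dst, _ in findings
                     if kind == "ot_internet_flow")
    return {pair: n for pair, n in counts.items() if n >= minimum}


if __name__ == "__main__":
    results = evaluate_flows(SAMPLE_FLOWS)
    for finding in results:
        print(finding)
    print("repeated OT->external peers:", repeat_external_peers(results))
```

On the constructed data this flags the two direct IT-to-OT connections (SMB and SSH, neither on the allowlist) and both OT-to-internet flows, and reports the OT workstation that contacted the same external address twice. In practice the allowlist comes from the firewall policy between zones, and the flow records from NetFlow or a network sensor on the segmentation boundary; anything the script reports is either a policy gap to close or a host to investigate.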