Malware Profile: VOLTZITE targets industrial organizations

Courtesy: Dragos

For years, the basic precept in cybersecurity was that threat actors primarily targeted information technology (IT) systems. The idea was that thanks to air gapping and complexity, operational technology (OT) was generally safe. It takes specific knowledge to understand how to hit a programmable logic controller (PLC) or water/wastewater plant. However, in their recent year in review report, Dragos identified a new threat group, VOLTZITE, that has been targeting industrial organizations since 2021.

IT/OT convergence and the standardization of tech stacks is making it easier for attackers to target OT. Threat actors who are in it for a quick (and sizable) buck are also realizing that the OT side is where companies make their money, which means they are much more likely to pay a ransomware demand quickly. Even if a threat actor doesn’t truly understand an OT system, they still know enough to go after it because it can be lucrative.

Critical infrastructure is also at risk from these types of attacks, as it’s often run on legacy OT. A cyberattack on critical infrastructure can lead to service disruptions, data theft, financial losses and even risks to human health and safety.

Malware Name
Malware Type

VOLTZITE is a relatively new malware that relies heavily on living off the land (LOTL) techniques to hinder identification of its malicious activity. It frequently operates from Choopa ASN-allocated IP addresses and from compromised small office/home office (SOHO) networking equipment. It has gained initial access to victims by exploiting internet-facing perimeter network devices, such as Fortinet FortiGuard or PRTG Network Monitor.

VOLTZITE initially was reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft in May 2023 as performing reconnaissance and enumeration of multiple U.S.-based electric companies. Since then, it has been observed targeting cybersecurity research, technology, defense industrial bases, banking, satellite services, telecommunications and educational organizations. The malware has traditionally targeted U.S.-based facilities, though it has also hit organizations in Africa and Southeast Asia. This group heavily uses living off the land (LOTL) techniques, which can make detection and response efforts more difficult. This strategy, paired with slow and steady reconnaissance, enables VOLTZITE to avoid detection from security teams.

Impact and Implications

Dragos assessed with moderate confidence that VOLTZITE compromised network and video surveillance devices associated with a United States emergency management and traffic monitoring entity in 2023. The adversary exploited public internet-facing Sierra Wireless Airlink devices serving as access points for Iteris Vantage Velocity traffic monitoring devices. VOLTZITE’s 2023 behavior suggested operational objectives of espionage and information gathering. Data stolen from OT networks may result in unintended disruption to critical industrial processes or provide the adversary with crucial intelligence to aid in follow-up offensive tool development or attacks against ICS networks.

Expert Analysis on VOLTZITE

The mounting tension between China and Taiwan has contributed to an increase in targeted cyber espionage against multiple industrial organizations in the Asia-Pacific region and the United States. One threat group in particular, VOLTZITE, has targeted numerous critical infrastructure entities in Guam, the United States, and other countries since at least 2021. VOLTZITE overlaps with Volt Typhoon, a group that the U.S. Government has publicly linked to the People’s Republic of China. VOLTZITE heavily uses living off the land (LOTL) techniques and, in some cases, has been observed conducting “hands-on keyboard” post-compromise actions within a victim’s network.

Source: Dragos Year in Review Report, 2024
