March 14, 2025
Dragos Outlines Voltzite Electric Utility Breach
Chinese Hackers Identified in Massachusetts Utility’s Systems in 2023
A new report from cybersecurity firm Dragos describes the first known attack of the hacker group Voltzite against a U.S. electric utility and the company's response.

The first known intrusion into a U.S. electric utility’s computer network by the Voltzite hacker group was significantly mitigated by the utility’s proactive approach to cybersecurity, security firm Dragos said in a case study March 12.

Voltzite is the name given by Dragos to a threat group identified in its most recent Year in Review report that demonstrates “extensive technical overlaps with” the China-connected Volt Typhoon group, which has been accused of embedding itself in U.S. critical infrastructure organizations’ information technology networks for at least five years.  

The group has displayed the ability to reach Stage 2 of SANS Institute’s ICS kill chain, meaning “a capability that can meaningfully attack” the target’s industrial control systems. (See Dragos: Attacks on ICS Increased in 2024.) 

Dragos’ case study describes Littleton Electric Light and Water’s (LELWD) discovery of the hacker group in its system in 2023 and its efforts to root them out. LELWD is a public utility providing electricity to Littleton and Boxborough, Mass. 

The utility initially learned its network had been breached when the FBI called the utility’s assistant general manager on a Friday afternoon to warn him of a possible compromise. The following Monday, FBI agents and representatives from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) arrived to investigate the breach. 

Fortunately for LELWD, the utility already was working to improve its cybersecurity stance. With the help of a grant from the American Public Power Association, LELWD had contracted with Dragos to “gain visibility of its [operational technology] assets, secure IT-OT network traffic, and monitor communications between OT devices and systems.” Dragos also was contracted to provide threat hunting services.

With the warning of the compromise, LELWD accelerated its deployment of the Dragos products. The company’s platform identified specific behaviors confirming Voltzite’s presence, which allowed the utility to “eradicate the adversary and secure the network against additional threats.” 

Dragos said its partnership with LELWD “demonstrates the value of specialized OT security solutions for critical infrastructure providers of all sizes” and “has positioned LELWD to better protect its operations and serve its communities securely in an evolving threat landscape.” 

Dragos’ report comes at a time of rising concern about the federal government’s willingness and ability to support utilities during a cybersecurity crisis. CISA, which assisted LELWD with the Voltzite intrusion, has been without a director since former Director Jen Easterly resigned at the beginning of the second Trump administration, and DHS Secretary Kristi Noem criticized the agency at her confirmation hearing for its efforts to address foreign disinformation campaigns. (See CISA Leader Reiterates China Cyber Warnings.) 

Noem called for a “smaller [and] more nimble” CISA focused on threats to critical infrastructure. Since she took over, CISA has put some employees focused on dis- and misinformation on administrative leave. Media reports have suggested the staff reductions at the agency went further, with a former penetration tester at CISA alleging in a LinkedIn post that two “red teams” that tested government networks for cyber vulnerabilities had been laid off. 

However, CISA pushed back on these claims March 12 in its first press release since Jan. 21, saying the red teams have not been laid off, but that the agency “has taken action to terminate contracts where the agency has been able to find efficiencies and eliminate duplication of effort.” CISA said the action “did not impact the employment status of CISA personnel” and the red teams “continue their work without interruption.” 
