China’s Volt Typhoon Hackers Are Exfiltrating Sensitive OT Data

Volt Typhoon and two other threat groups that emerged in 2023 can pose a serious threat to ICS/OT, according to industrial cybersecurity firm Dragos.

The sophisticated hacker group known as Volt Typhoon could pose a serious threat to organizations that use industrial control systems (ICS) or other operational technology (OT), according to industrial cybersecurity firm Dragos.

Dragos’ new 2023 ICS/OT Cybersecurity Year in Review report reveals that the company is aware of 21 threat groups whose activities impact or could impact OT, including three that emerged in 2023 and seven others that are still known to be active. 

One of the three groups that emerged in 2023 is tracked by Dragos as Voltzite, but it’s better known as Volt Typhoon, a threat actor linked to the Chinese government. 

Volt Typhoon has been known to target organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, IT, and education sectors, including in the United States, Australia and the United Kingdom. The hackers are known for their use of a router botnet for communications, which the US government targeted recently in a takedown attempt.

While Volt Typhoon’s main goal appears to be cyberespionage and information gathering, there has been increasing concern that the hackers may use their access and capabilities to cause disruption in the OT environments of critical infrastructure organizations. 

In the new report, Dragos says it observed Voltzite scanning electric sector organizations in North America between November and December 2023. The company is also aware of possible attacks aimed at electric transmission and distribution providers in Africa.

Dragos is aware of Voltzite attacks aimed at various sectors in the US, including emergency services, electric, and telecoms. 

“Dragos assesses with moderate confidence that Voltzite has compromised network and video surveillance devices associated with a United States emergency management and traffic monitoring entity in 2023. The adversary exploited public internet-facing Sierra Wireless Airlink devices serving as access points for Iteris Vantage Velocity traffic monitoring devices,” Dragos said.

The most recent attack seen by the security firm targeted a large city’s emergency services GIS network in January. 

In some attacks, the group has been observed exfiltrating sensitive operational data related to OT networks and processes. 

“Data stolen from operational technology (OT) networks may result in unintended disruption to critical industrial processes or provide the adversary with crucial intelligence to aid in follow-up offensive tool development or attacks against ICS networks,” Dragos warned.

Another new group spotted by Dragos in 2023 and which could pose a threat to OT organizations is Gananite, which focuses on espionage and initial access operations in CIS and Central Asian countries. Some of the tools used by this group were previously tied to the Russia-linked Turla group.

Gananite has been seen targeting government and industrial organizations in the CIS region. Some of the specific targets named by Dragos include ICS operations management staff at an important European oil and gas company, a European government entity overseeing public water utilities, an automotive machinery firm, and rail organizations in Azerbaijan and Turkey. 

The third new group of 2023 is Laurionite, which focuses on targeting Oracle iSupplier instances. The hackers targeted internet-exposed systems in the air transportation, professional services, government, and manufacturing sectors.

Dragos said none of the new groups has used ICS-specific capabilities and there is no indication that they have moved into OT networks, but the industrial cybersecurity firm cautioned that they could start targeting such systems in the future. 

Dragos’ report also includes a separate chapter on ransomware attacks, which increased 50% over the past year. According to Dragos, the activities of 50 ransomware groups impacted industrial organizations in 2023. 

The report also details vulnerabilities uncovered last year. Dragos is aware of just over 2,000 CVEs impacting OT environments, and an analysis of these flaws shows how many were disclosed through inaccurate advisories, how many of them require urgent patching, and their potential impact.

Related: Mandiant Intelligence Chief Raises Alarm Over China’s ‘Volt Typhoon’ Hackers in US Critical Infrastructure

Related: Dragos Says No Evidence of Breach After Ransomware Gang Claims Hack via Third Party

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.