News: 1741784413


This is the FBI, open up. China's Volt Typhoon is on your network

(2025/03/12)


Nick Lawler, general manager of the Littleton Electric Light and Water Departments (LELWD), was at home one Friday when he got a call from the FBI alerting him that the public power utility's network had been compromised. The digital intruders turned out to be Volt Typhoon.

Lawler didn't believe it at first. LELWD provides electricity and water to the towns of Littleton and Boxborough, Massachusetts, which have a combined population of about 15,000 people.


"We don't have any access to large critical infrastructure. We don't own transmission. We're a distribution company. Yes, we're part of the overall grid, but the impact of taking out Littleton is small. You would never think that would be a target of any type of attack," Lawler told The Register.

The FBI agent told him that LELWD was one of 200 utilities on a list of organizations that had been breached. He asked Lawler to give his personal email address and said he would send over a link to click on and further diagnose the severity of the issue.

"It sounded like one of those Microsoft scams," Lawler said. He told the agent: "Go f-yourself, I'm not going to click on a link, you must think I'm an idiot. What is your name again?"


Then he hung up and called the FBI Boston office directly. The same agent answered his call, and this is when Lawler started to think it might be serious. But he still wasn't going to give out his personal information, so he told the FBI to show up at the utility the next Monday at 10 am.


"It was still surreal to me," he said. "You never think you are the victim of that type of attack."

Over the weekend, between family life and kids' sports games, Lawler mostly forgot about the incident – until Homeland Security officials showed up at the office Monday morning, and handed Lawler an unclassified document about Volt Typhoon.


This was in November 2023, the start of Thanksgiving week, and the now-infamous Chinese government-backed hacking crew wasn't yet on most people's radars except for those paying very close attention to [5]Five Eyes' intelligence agencies' warnings.

Volt Typhoon wouldn't become a dinner-table discussion until January 2024, after the [6]spies had infected hundreds of outdated routers to [7]build a botnet and break into US critical infrastructure facilities. The Beijing-backed crew, we would later learn, was prepositioning itself and [8]readying destructive cyberattacks against those targets.

Happy Thanksgiving, you've been hacked

After visiting Lawler at work, and telling him the federal government was here to help at no cost to the public utility, DHS wished him a happy Thanksgiving and told him not to worry.

"You just gave me this pamphlet about how the Chinese government is planning these attacks, and living off the land," Lawler remembers thinking. "How can I enjoy Thanksgiving?"

LELWD had been working with operational technology (OT) cybersecurity company Dragos as part of an American Public Power Association government-funded program to assist smaller public utilities, and Dragos had installed sensors on the OT network in August 2023. Through these sensors and the firm's OT threat hunting service, Dragos spotted unusual network traffic and communications with China that shouldn't have been occurring.
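The detection Dragos made here is, at bottom, an egress check: OT hosts should only ever talk to a small, known set of destinations, so any other external contact is worth a look, and regular contact at a fixed interval is worth an urgent one. The following is an added example, not Dragos's sensor logic or anything from LELWD's network; the subnets, allowlist and flow records are constructed (documentation address ranges stand in for real external IPs) to show the shape of such a check over flow data.

```python
"""Flag OT-network hosts contacting non-allowlisted external destinations.

Added example, not Dragos's or LELWD's detection code. It models the kind of
egress check an OT network sensor applies to flow records. Every subnet,
address and flow record below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed: the utility's OT segment, internal space (RFC 1918), and the
# one external endpoint the OT segment is expected to reach (a vendor portal
# on a TEST-NET-2 address). Anything else external is unexpected.
OT_SUBNET = ip_network("10.50.0.0/16")
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = {ip_address("198.51.100.10")}

# Constructed flow records: (timestamp, src, dst, dst_port, bytes_out).
# 10.50.1.33 contacts a TEST-NET-3 address every ten minutes; the last row
# is IT-side traffic and is out of scope for an OT egress check.
SAMPLE_FLOWS = [
    ("2023-08-14T02:10:05Z", "10.50.1.20", "10.50.1.1", 502, 1200),
    ("2023-08-14T02:10:09Z", "10.50.1.20", "198.51.100.10", 443, 8000),
    ("2023-08-14T02:11:00Z", "10.50.1.33", "203.0.113.77", 443, 640),
    ("2023-08-14T02:21:00Z", "10.50.1.33", "203.0.113.77", 443, 655),
    ("2023-08-14T02:31:00Z", "10.50.1.33", "203.0.113.77", 443, 648),
    ("2023-08-14T02:31:04Z", "192.168.5.9", "203.0.113.77", 443, 300),
]


def is_internal(addr):
    """True for any RFC 1918 destination."""
    return any(addr in net for net in INTERNAL)


def find_unexpected_egress(flows):
    """Map (src, dst) -> list of timestamps for OT hosts reaching
    external addresses that are not on the allowlist."""
    hits = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if s not in OT_SUBNET:
            continue  # only OT-originated traffic is in scope
        if is_internal(d) or d in ALLOWED_EXTERNAL:
            continue  # expected destination
        hits[(src, dst)].append(ts)
    return dict(hits)


def looks_periodic(timestamps, tolerance_s=30):
    """True if three or more contacts are spaced at a near-constant
    interval, the pattern a scheduled check-in or beacon produces."""
    if len(timestamps) < 3:
        return False
    times = [datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ") for t in timestamps]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return max(gaps) - min(gaps) <= tolerance_s


def triage(flows):
    """One finding per (src, dst) pair: contact count and whether the
    contacts look periodic, so an analyst can rank what to pull first."""
    findings = []
    for (src, dst), ts in find_unexpected_egress(flows).items():
        findings.append({
            "src": src,
            "dst": dst,
            "contacts": len(ts),
            "periodic": looks_periodic(ts),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding)
```

On the constructed flows this reports a single finding, 10.50.1.33 reaching 203.0.113.77 three times at ten-minute spacing, and stays quiet about the Modbus traffic to the local gateway and the allowlisted vendor endpoint. Real sensors add geolocation and ASN context on the destination; the point the check makes without that is that in an OT segment the allowlist is short enough that "not on it" is already a signal.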


The Chinese snoops gained initial access via a [10]buggy FortiGate 300D firewall, according to Lawler. Fortinet patched this flaw in December 2022, but as of August 2023 LELWD's managed services provider still hadn't updated the firmware. The water and electric utility has since fired that MSP.

[11]US says China's Volt Typhoon is readying destructive cyberattacks

[12]Volt Typhoon suspected of exploiting Versa SD-WAN bug since June

[13]Malware variants that target operational tech systems are very rare – but 2 were found last year

[14]How NOT to f-up your security incident response

By December, the federal government had also installed its own sensors on LELWD's networks and requested that the utility leave the security hole open so they could monitor the spies' activity.

"That made me more uneasy than anything up until that point, because if something else was to happen, then we had willingly, knowingly left the vulnerability open," Lawler said. "But we believed in the greater good. We knew other utilities had been impacted. Our president flies an American flag at his house and has since 9-11. We wanted to support the government trying to get the bad guys."

A week before Christmas, the feds and the Chinese spies were off LELWD's networks, and the firewall vulnerability was patched. The utility completely rebuilt its networks rather than restore from images, to ensure it didn't simply copy over a Volt Typhoon backdoor, and last August the government agencies performed a three-week penetration test to ensure the utility's network defenses were working properly (they were).

Lawler still doesn't have a good answer as to why Volt Typhoon targeted his power utility other than for reconnaissance and espionage purposes.

"I wouldn't say anything related to our substation or our engineering was compromised," he said. "They did access our servers. They knew where those vulnerable firewalls were, and they tried to get behind them. I still don't know why Littleton other than we had a hole and they found it." ®





[5] https://www.theregister.com/2023/05/25/china_volt_typhoon_attacks/

[6] https://www.theregister.com/2024/01/30/fbi_china_volt/

[7] https://www.theregister.com/2024/01/31/volt_typhoon_botnet/

[8] https://www.theregister.com/2024/02/07/us_chinas_volt_typhoon_attacks/


[10] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

[11] https://www.theregister.com/2024/02/07/us_chinas_volt_typhoon_attacks/

[12] https://www.theregister.com/2024/08/27/chinas_volt_typhoon_versa/

[13] https://www.theregister.com/2025/02/25/new_ics_malware_dragos/

[14] https://www.theregister.com/2025/03/10/incident_response_advice/




Nice article!

Jou (Mxyzptlk)

And the time it gets posted is well timed too! Just 11 hours after [1]the other article relevant to that...

[1] https://www.theregister.com/2025/03/12/cisa_staff_layoffs/

Re: Nice article!

Guy de Loimbard

Indeed, a good article.

Also, you couldn't make up some of the catastrophic choices being made in the US at the moment.

It's almost like opening the doors and leaving the lights on when you go on holiday.

At a time of heightened cyber activity, you don't slash and burn your capabilities.... surely?

Re: Nice article!

Anonymous Coward

Yes, no need to worry about the FBI spoiling your weekend with alerts about Chinese hackers, they will soon be all DOGEd.

Can't have our peons bothering our fellow dictators.

I am deeply impressed.

Anonymous Coward

First by Lawler's initial response - it really did sound like a scam, so good job not providing personal info or clicking a link sent via a text.

But even more impressed by the FBI's response - actually showing up in person (ok, they sent Homeland Security) instead of shrugging and saying "well, we tried to warn them".

Then following through, including running a penetration test to make sure all the vulnerabilities were closed.

Great job all around! (Except for Volt Typhoon, which should probably be renamed to Sewer Drinker or something similarly awful.)

Re: I am deeply impressed.

Guy de Loimbard

I second your view!

I think it should make a good poster boy/case study for how to deal with this sort of issue, from beginning to end.

Doctor Syntax

"We don't have any access to large critical infrastructure."

From their customers' PoV they were probably exactly that themselves.

Going by the accompanying thumbnail, it looks like it's too late...

Michael Strorm

China has already managed to [1]do some very strange things to their infrastructure.

[1] https://regmedia.co.uk/2024/01/30/voltage.jpg
