When the FBI called the assistant general manager of Littleton Electric Light and Water Departments (LELWD) on a Friday afternoon in November 2023, the message was stark: “Your network has been compromised.”
Investigators traced the intrusion back to February 2023, meaning VOLTZITE (Dragos's designation for activity that overlaps with the Chinese state-sponsored group Volt Typhoon) had been inside the Massachusetts utility's network for more than 300 days before anyone noticed. [1]
This was the first confirmed compromise of a US electric utility by Volt Typhoon, and it should change how enterprise security leaders think about persistent threats.
How They Got In — And Stayed Hidden
The entry point was a preventable one. Volt Typhoon actors obtained initial access by exploiting CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL-VPN service that allows unauthenticated remote code execution, on a FortiGate 300D perimeter firewall that had not been patched. Fortinet had published a fix for the flaw in December 2022, months before the intrusion began. From there, the actors kept their footprint deliberately small. [2]
Volt Typhoon emphasizes stealth: web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials, relying on tools already present on the host rather than dropped malware that would give EDR a file to flag.
This approach limits the activity captured by default logging configurations, which makes detection with conventional tooling much harder. LELWD had two servers, a file server and a GIS server, communicating with external IP addresses, moving files, and scanning ports, yet the activity went unflagged because it looked like legitimate administrator behavior. [3]
What They Were Actually Stealing
This breach was not about ransomware or data monetization. Dragos confirmed the attackers aimed to exfiltrate specific data related to OT operating procedures and spatial layout data relating to energy grid operations, information that is “pivotal for helping the adversary know exactly where to attack when, or if, they decide to utilize a Stage 2 capability in the future.” [4]
In a February 2025 report, Dragos said Volt Typhoon is “arguably the most crucial threat group to track in critical infrastructure” and steals geographic information system data, network diagrams, operating instructions, and more from victim organizations.
Stage 2 of the ICS Cyber Kill Chain is the point at which an actor moves from reconnaissance to developing, testing, and delivering attacks against specific industrial control systems. Dragos frames a Stage 2 capability as a future option for Volt Typhoon rather than something demonstrated at LELWD, but the data taken (operating procedures and spatial layout of grid assets) is precisely what an adversary would need to plan such an attack.
Throughout 2025, Volt Typhoon's operations have shifted from collecting and exfiltrating data from IT networks toward directly interacting with OT network-connected devices and stealing sensor and operational data: a material escalation from mapping to touching.
The Dwell Time Problem: Your Metrics Are Missing
The 300-day figure is not an anomaly. It reflects a structural blind spot. According to Mandiant's M-Trends 2024, the global median dwell time was 10 days in 2023, the lowest in a decade, driven largely by the rise in self-announcing ransomware incidents. Nation-state espionage actors operate on a completely different clock: they have no reason to surface, and every reason not to.
IBM's 2024 Cost of a Data Breach Report puts the average time to identify and contain a breach at 277 days, with an average breach cost of $4.88 million globally. [5]
CISA has previously stated that some Chinese state-sponsored compromises lasted as long as five years before being detected.
The dwell-time statistics most enterprise SOCs benchmark against are calibrated on noisy, fast-moving ransomware. They offer false comfort when the adversary is a patient, state-funded actor whose objective is to remain unnoticed until a trigger event.
Conclusion: The Clock Started Before You Knew It
Three hundred days. That is not a gap in technology; it is a gap in assumption. LELWD had perimeter controls and conventional security tooling. What it did not have was a current patch on the perimeter firewall, the visibility, the behavioral baselines, or the OT-specific intelligence to detect an adversary that had made invisibility its primary weapon.
The broader numbers reinforce the severity. IBM's 277-day average to identify and contain a breach and its $4.88 million average cost are both pulled down by fast-moving ransomware incidents; for a patient, state-funded actor like Volt Typhoon, those figures skew far worse. [5]
CISA has acknowledged that some Chinese state-sponsored intrusions went undetected for as long as five years, and that many victims have yet to discover they are compromised at all.
Testimony before the US-China Economic and Security Review Commission has confirmed that Chinese state-sponsored actors are systematically pre-positioning within US critical infrastructure as part of a long-term strategy tied to geopolitical conflict scenarios — not opportunistic hacking.
The intrusions are dormant assets, activated by a political trigger, not a technical one. That distinction changes everything about how enterprise security leaders must plan.
Frequently Asked Questions
Q1: Is Volt Typhoon only targeting energy utilities?
No. CISA advisory AA24-038A documents compromises across the communications, energy, transportation, and water and wastewater sectors, and earlier public reporting adds government and maritime targets. Any organization in the supply chain of critical infrastructure is a viable target.
Q2: Why can’t EDR tools catch Volt Typhoon?
Because the group uses native OS tools (PowerShell, WMI, RDP, netsh, ntdsutil) rather than third-party malware, there is no foreign binary for a signature to match. Detection has to come from behavior: command-line and PowerShell logging, authentication analytics, and OT-specific monitoring of what those legitimate tools are being used to do.
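The detection logic the answer above calls for, as an added example that is not code from the original article, CISA, or Dragos: rules that key on command-line arguments of native Windows tools, run over constructed Event ID 4688 (process creation) records. The rule patterns are modelled on the native-tool usage CISA attributes to Volt Typhoon in advisory AA24-038A (ntdsutil, netsh portproxy, wmic, PowerShell); host names, user names, and command lines are constructed for this example. The last sample event has no command line at all, which is what a host with command-line auditing left at its default looks like to this detector.

```python
"""Command-line detection for living-off-the-land activity, run over
constructed Windows Event ID 4688 (process creation) records.

Added example: not code from the original article, CISA or Dragos. The rules
are modelled on native-tool usage CISA attributes to Volt Typhoon in advisory
AA24-038A (ntdsutil, netsh portproxy, wmic, PowerShell); host names, users and
command lines below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    technique: str


# Match on the full command line: netsh, wmic and powershell exist on every
# Windows host, and only the arguments separate a portproxy pivot from routine
# firewall administration.
RULES = [
    Rule("ntdsutil_ifm_dump",
         re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I),
         "credential dumping via NTDS.dit snapshot"),
    Rule("netsh_portproxy",
         re.compile(r"\bnetsh(\.exe)?\b.*\bportproxy\b.*\badd\b", re.I),
         "internal proxy / pivot"),
    Rule("wmic_remote_exec",
         re.compile(r"\bwmic(\.exe)?\b.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I),
         "remote command execution over WMI"),
    Rule("powershell_encoded",
         re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I),
         "Base64-encoded PowerShell"),
]


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str
    cmdline: str  # empty when command-line auditing is not enabled on the host


def detect(events):
    """Return (hits, blind): rule hits as (host, user, rule name), plus the number
    of events that carried no command line and so could not be evaluated."""
    hits, blind = [], 0
    for ev in events:
        if not ev.cmdline:
            blind += 1
            continue
        for rule in RULES:
            if rule.pattern.search(ev.cmdline):
                hits.append((ev.host, ev.user, rule.name))
    return hits, blind


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("gis-srv01", r"CORP\svc_gis", r"C:\Windows\System32\ntdsutil.exe",
              r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q'),
    ProcEvent("file-srv02", r"CORP\adm_jdoe", r"C:\Windows\System32\netsh.exe",
              "netsh interface portproxy add v4tov4 listenport=9876 listenaddress=0.0.0.0 "
              "connectport=443 connectaddress=10.20.30.40"),
    ProcEvent("file-srv02", r"CORP\adm_jdoe", r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic /node:10.20.30.50 process call create "cmd.exe /c whoami"'),
    ProcEvent("ws-117", r"CORP\jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent("ws-118", r"CORP\asmith", r"C:\Windows\System32\netsh.exe",
              "netsh advfirewall show allprofiles"),          # routine admin use, no hit
    ProcEvent("file-srv02", r"CORP\adm_jdoe", r"C:\Windows\System32\ntdsutil.exe",
              ""),                                            # auditing off: invisible
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    hits, blind = run_sample()
    for host, user, rule in hits:
        print(f"{host:<12} {user:<16} {rule}")
    print(f"{blind} event(s) had no command line and were not evaluated")
```

Four of the six constructed events fire a rule and the benign `netsh advfirewall` call does not, but the sixth event, the same `ntdsutil.exe` image with an empty command line, is counted as blind: without command-line auditing (and, for PowerShell, script block logging) enabled, the only thing the rule set can see is a legitimate binary starting. That is the "default logging configurations" gap described earlier, and it is a configuration change, not a product purchase.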
Q3: What data is most at risk beyond customer records?
OT operating procedures, GIS infrastructure maps, network diagrams, and equipment configuration files. These enable precision attacks on physical systems and are rarely classified under standard data governance policies.
Q4: How does cyber intelligence specifically help against this threat?
Proactive threat intelligence tracks adversary TTPs, infrastructure attribution, and behavioral indicators before internal detection fires — as demonstrated by the fact that LELWD’s breach was surfaced by FBI intelligence, not internal tooling.
Q5: What is the first step toward closing the OT visibility gap?
Asset inventory and passive OT network monitoring. You cannot detect threats to assets you cannot see. Once you know what each asset is, establishing a behavioral baseline of whom it talks to, on which ports, and how much it sends is the foundational control that everything else is built on.
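What a per-asset baseline makes visible, as an added example that is not code from the original article, LELWD, or Dragos. It serves both this answer and the earlier description of the file server and GIS server communicating with external addresses, moving files, and scanning ports: a baseline of external destinations is learned per asset from an earlier window of flow records, and the detection window is then checked for new destinations, port fan-out, and outbound volume. Host names, addresses, flows, and the thresholds are constructed assumptions.

```python
"""Baseline-and-deviation detection over constructed network flow records.

Added example: not code from the original article, LELWD or Dragos. It models
the behaviour the article describes (a file server and a GIS server talking to
external addresses, moving data and scanning ports) against a per-asset
baseline learned from an earlier window. Host names, addresses, flows and
thresholds are constructed assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 space is treated as internal; everything else as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    src: str         # source asset name, from the asset inventory
    dst_ip: str
    dst_port: int
    bytes_out: int   # bytes sent by src in this flow


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Learn, per asset, the external destinations it contacted in the baseline window."""
    baseline = defaultdict(set)
    for f in flows:
        if is_external(f.dst_ip):
            baseline[f.src].add(f.dst_ip)
    return baseline


def detect(flows, baseline, scan_ports=10, window=60, exfil_bytes=50_000_000):
    """Return alerts as (kind, src, dst_ip), in the order they first fire.

    port_scan: >= scan_ports distinct destination ports to one host within window seconds
    new_external_destination: external address not in the asset's baseline
    large_outbound_transfer: cumulative bytes to one external address >= exfil_bytes
    """
    alerts = []

    def raise_once(kind, src, dst):
        if (kind, src, dst) not in alerts:
            alerts.append((kind, src, dst))

    port_hist = defaultdict(list)   # (src, dst) -> [(ts, port), ...]
    out_bytes = defaultdict(int)    # (src, dst) -> cumulative bytes_out
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dst_ip)
        port_hist[key].append((f.ts, f.dst_port))
        recent = {p for t, p in port_hist[key] if f.ts - t <= window}
        if len(recent) >= scan_ports:
            raise_once("port_scan", f.src, f.dst_ip)
        if not is_external(f.dst_ip):
            continue
        if f.dst_ip not in baseline.get(f.src, set()):
            raise_once("new_external_destination", f.src, f.dst_ip)
        out_bytes[key] += f.bytes_out
        if out_bytes[key] >= exfil_bytes:
            raise_once("large_outbound_transfer", f.src, f.dst_ip)
    return alerts


def shared_destinations(alerts):
    """New external destinations contacted by more than one asset: the strongest signal here."""
    by_dst = defaultdict(set)
    for kind, src, dst in alerts:
        if kind == "new_external_destination":
            by_dst[dst].add(src)
    return {d: s for d, s in by_dst.items() if len(s) > 1}


# Constructed flows. Baseline window: routine traffic only.
BASELINE_FLOWS = [
    Flow(1_000, "file-srv02", "203.0.113.10", 443, 4_000),
    Flow(1_060, "file-srv02", "10.0.1.5", 445, 120_000),
    Flow(1_120, "gis-srv01", "198.51.100.7", 443, 9_000),
    Flow(1_180, "gis-srv01", "10.0.1.5", 445, 30_000),
]

# Detection window: one known destination, then the behaviour described above.
DETECT_FLOWS = (
    [Flow(5_000, "file-srv02", "203.0.113.10", 443, 4_000)]
    + [Flow(5_010 + i, "file-srv02", "192.0.2.25", 443, 20_000_000) for i in range(3)]
    + [Flow(5_100 + i, "gis-srv01", "10.0.5.40", 1_000 + i, 60) for i in range(12)]
    + [Flow(5_200, "gis-srv01", "192.0.2.25", 22, 500)]
)


def run_sample():
    return detect(DETECT_FLOWS, build_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    alerts = run_sample()
    for a in alerts:
        print(a)
    print("shared:", shared_destinations(alerts))
```

Two caveats a practitioner will want. First, a baseline learned while an intrusion is already under way, which is exactly the LELWD situation after 300 days, records the adversary's destinations as normal; baselines must be cross-checked against the asset inventory (why does a GIS server talk to anything external?) and against external intelligence such as the FBI notification. Second, the port fan-out rule will fire on your own vulnerability scanners, so those sources are exempted by inventory role rather than by loosening the threshold.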
References
- [1] Kovacs, E. (2025) ‘China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days’, SecurityWeek, 12 March. Available at: https://www.securityweek.com/chinas-volt-typhoon-hackers-dwelled-in-us-electric-grid-for-300-days/ [Accessed 22 May 2026]
- [2] United States Cybersecurity and Infrastructure Security Agency (CISA) (2024) PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure, Advisory AA24-038A, 7 February. Available at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a [Accessed 22 May 2026]
- [3] MITRE ATT&CK (2024) Volt Typhoon (Group G1017). MITRE Corporation. Available at: https://attack.mitre.org/groups/G1017/ [Accessed 22 May 2026]
- [4] Kovacs, E. (2025), as [1].
- [5] IBM Security (2024) Cost of a Data Breach Report 2024: Financial Industry Insights. IBM Corporation. Available at: https://www.ibm.com/think/insights/cost-of-a-data-breach-2024-financial-industry [Accessed 22 May 2026]