- By Siddiqua Firfiray
- 17 Jun, 2026
- Corporate
When federal investigators contacted the Littleton Electric Light and Water Departments in November 2023, the warning was straightforward: the utility's network had been compromised.
The significance of the incident extended beyond the intrusion itself. Investigators determined the compromise began in February 2023, indicating that VOLTZITE, the activity cluster associated with Volt Typhoon and linked to Chinese state-sponsored operations, maintained access within the utility environment for more than 300 days before detection.¹
The implications reach well beyond a single municipal utility. The case highlights a challenge confronting organizations across energy, water, telecommunications, transportation, manufacturing, government, and other critical infrastructure sectors.
Volt Typhoon does not fit the traditional ransomware model. It does not align with the rapid monetization patterns commonly associated with data theft campaigns. Its significance lies in persistence.
Persistence changes the defensive equation. The primary concern shifts from what an adversary can access today to what access may enable months or years later. Long-term presence provides opportunities for reconnaissance, credential collection, network mapping, operational intelligence gathering, and strategic positioning. By the time an intrusion is discovered, the adversary may possess a detailed understanding of the environment, its dependencies, and its operational constraints.
For defenders, the lesson is clear. Detection strategies designed to identify noisy attacks and immediate disruption are insufficient on their own. The greater challenge is identifying adversaries whose objective is to remain unseen while building long-term access and operational knowledge.
How the Intrusion Started
The reported entry point was preventable.
Volt Typhoon actors gained initial access through a known vulnerability, CVE-2022-42475, in an unpatched FortiGate 300D perimeter firewall.¹
This matters because it is another case of an advanced actor entering a network through a known, unpatched vulnerability rather than a novel exploit.
CISA has stated that PRC state-sponsored actors gain and retain access to U.S. critical infrastructure networks using valid administrator credentials and existing public-facing devices rather than large-scale malware deployments.²
After entry, the activity could look entirely routine.
Volt Typhoon is known for using native operating system tools, stolen credentials, remote access services, web shells, hands-on keyboard activity, and legitimate administration utilities. MITRE ATT&CK lists the group as using techniques designed to avoid malware signatures and blend into normal administrative behavior.³
That is what makes the threat difficult. The attacker does not always need to introduce something visibly malicious.
Sometimes the attacker only needs to behave like an administrator.
Why Traditional Detection Misses This Pattern
Many enterprise detection programs are tuned for malware, exploit chains, ransomware staging, and known indicators of compromise.
Volt Typhoon-style operations are different.
The group reduces its footprint by avoiding third-party executables wherever possible. It uses legitimate tools already present in the environment. It relies on valid credentials. It moves slowly. It studies the network. It collects the operational details needed to support future activity.
At LELWD, reporting indicated that two servers, a file server and a GIS server, communicated with external IP addresses, moved files, and performed scanning activity.¹
Those behaviors should have been meaningful. But in many environments, similar activity can be mistaken for administration, troubleshooting, or routine operational work.
That is the detection problem.
If the SOC only looks for malware, it may miss the operator.
If the SIEM only tracks known indicators, it may miss slow reconnaissance.
If OT network visibility is limited, defenders may not know what abnormal looks like.
Volt Typhoon exploits that uncertainty.
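One way to act on the point above, that the operator "only needs to behave like an administrator", is to stop looking for a malicious binary and instead compare each use of a built-in administration utility with what that account has done before. The following is an added example, not code from the article or from any of the reports it cites: the watch-list of utilities, the event fields (including the logon_type value) and the sample log records are all constructed for illustration.

```python
"""Added example (not the article's own code): flag living-off-the-land
administration against a per-account baseline.

Because the operator uses tools already on the host, there is no binary to
signature.  What can be measured is who runs a given utility, on which host,
from what kind of session, and whether that combination has been seen before.
The watch-list, event fields and log records are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed watch-list of built-in administration utilities (tune per site).
ADMIN_TOOLS = {"net.exe", "netsh.exe", "wmic.exe", "powershell.exe",
               "schtasks.exe", "reg.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    account: str
    image: str        # executable name from process-creation auditing
    logon_type: str   # "interactive", "remote" or "service" (assumed field)


def build_baseline(events):
    """Record which (tool, host) pairs each account used in a trusted window."""
    seen = defaultdict(set)
    for e in events:
        img = e.image.lower()
        if img in ADMIN_TOOLS:
            seen[e.account].add((img, e.host))
    return seen


def score_event(e, baseline):
    """Return (score, reasons). Novelty drives the score; a remote session or
    off-hours execution adds weight but never flags an event on its own."""
    img = e.image.lower()
    if img not in ADMIN_TOOLS:
        return 0, []
    score, reasons = 0, []
    known = baseline.get(e.account, set())
    if not known:
        score += 2
        reasons.append("account ran no admin tools during baseline")
    elif img not in {tool for tool, _ in known}:
        score += 2
        reasons.append(f"{img} is new for this account")
    elif (img, e.host) not in known:
        score += 1
        reasons.append(f"{img} never run by this account on {e.host}")
    if e.logon_type == "remote":
        score += 1
        reasons.append("launched from a remote-access session")
    if e.ts.hour < 6 or e.ts.hour >= 22:
        score += 1
        reasons.append("outside business hours")
    return score, reasons


def detect(events, baseline, threshold=3):
    """Return the events whose combined score reaches the threshold."""
    findings = []
    for e in events:
        score, reasons = score_event(e, baseline)
        if score >= threshold:
            findings.append({"ts": e.ts.isoformat(), "host": e.host,
                             "account": e.account, "image": e.image.lower(),
                             "score": score, "reasons": reasons})
    return findings


# Constructed sample data: a learning window, then one day of new events.
BASELINE_EVENTS = [
    ProcEvent(datetime(2023, 1, 10, 9, 5), "fs01", "OPS\\jsmith", "powershell.exe", "interactive"),
    ProcEvent(datetime(2023, 1, 12, 14, 30), "fs01", "OPS\\jsmith", "net.exe", "interactive"),
    ProcEvent(datetime(2023, 1, 15, 1, 0), "fs01", "OPS\\svc-backup", "schtasks.exe", "service"),
]

OBSERVED_EVENTS = [
    ProcEvent(datetime(2023, 2, 20, 10, 0), "fs01", "OPS\\jsmith", "powershell.exe", "interactive"),  # routine
    ProcEvent(datetime(2023, 2, 20, 2, 13), "gis01", "OPS\\gis-svc", "netsh.exe", "remote"),         # new account, remote, 02:13
    ProcEvent(datetime(2023, 2, 20, 14, 0), "gis01", "OPS\\jsmith", "wmic.exe", "remote"),           # tool new for jsmith, remote
    ProcEvent(datetime(2023, 2, 20, 11, 0), "gis01", "OPS\\jsmith", "net.exe", "remote"),            # known tool, new host only
    ProcEvent(datetime(2023, 2, 20, 11, 5), "fs01", "OPS\\jsmith", "notepad.exe", "interactive"),    # not on watch-list
]


def run_demo():
    return detect(OBSERVED_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['ts']} {f['host']} {f['account']} {f['image']} score={f['score']} {f['reasons']}")
```

Run as a script, the demo flags two of the five observed events: the never-seen account launching a network utility from a remote session at night, and the known administrator running a utility they had never used before. The routine use, the off-watch-list process and the known-tool-on-new-host case stay below the threshold, which is the design choice that keeps this kind of rule from drowning a SOC in alerts about ordinary administration.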
What the Adversary Wanted
This was not an incident built around immediate monetization.
Dragos reporting, as summarized by SecurityWeek, indicated that the attackers were interested in data related to OT operating procedures and spatial layout information tied to energy grid operations.¹
That type of information is strategically valuable.
Geographic information system data, network diagrams, device relationships, operating procedures, and infrastructure layouts help an adversary understand how a critical environment works. They can reveal which systems matter, which connections exist, where dependencies sit, and what would be most disruptive if targeted later.
This is why enterprise leaders should not classify the incident as “just reconnaissance.”
In critical infrastructure, reconnaissance is preparation.
CISA has warned that Volt Typhoon activity is consistent with pre-positioning inside U.S. critical infrastructure networks to enable potential disruption in the event of future geopolitical conflict.²
That makes the risk fundamentally different from ordinary cybercrime.
A ransomware actor wants payment.
A state-linked actor may want options.
The 300-Day Dwell Time Problem
The 300-day dwell time at LELWD should force security leaders to revisit their own metrics.
Many organizations measure security performance against average detection timelines, alert volumes, mean time to respond, or ransomware containment speed. Those metrics matter, but they can create false confidence when the adversary is patient.
IBM’s 2024 Cost of a Data Breach Report placed the global average breach cost at $4.88 million.⁴
IBM’s 2024 reporting also showed how complex multi-environment breaches can take far longer to identify and contain than simpler incidents, with some environments requiring hundreds of days across the full breach lifecycle.⁵
For espionage-driven threats, the timeline can stretch even further.
CISA’s Volt Typhoon advisory states that some compromises had lasted for extended periods, with actors maintaining access and positioning themselves inside critical infrastructure environments.²
That is the lesson: enterprise SOC metrics shaped by fast-moving ransomware may not reveal whether the organization can detect quiet, long-term operational access.
What This Means for Enterprise Security Leaders
Volt Typhoon should not be treated as a narrow utility-sector issue.
The same operating model can apply to any enterprise with critical operations, sensitive infrastructure, manufacturing environments, logistics dependencies, regional facilities, cloud-connected OT, or third-party access into industrial systems.
Security leaders should focus on five priorities.
| Priority | Why It Matters |
|---|---|
| Patch exposed perimeter appliances | Known vulnerabilities remain a common entry path |
| Monitor living-off-the-land activity | Native tools can become attacker infrastructure |
| Build OT asset visibility | Teams cannot defend systems they cannot see |
| Baseline normal OT communications | Detection depends on knowing what is abnormal |
| Integrate threat intelligence with response | External intelligence may surface activity before internal tooling does |
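The "baseline normal OT communications" priority, and the three behaviours reported at LELWD earlier on this page (a server contacting external addresses, moving files, and scanning), can be turned into a concrete check. The following is an added example, not the article's code or any vendor's product logic: it learns which destination/port pairs each server normally uses and how large its flows normally are, then reports deviations. The address ranges, the sample flow records, the choice of port 502 for the probed hosts and the two thresholds are all constructed assumptions.

```python
"""Added example (not the article's own code): baseline OT server
communications and flag the behaviours reported at LELWD: a server talking to
an external address it never used, an unusually large outbound transfer, and
scanning.  Flow records, address ranges and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space; anything else counts as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str        # source IP of the monitored server
    dst: str
    dport: int
    bytes_out: int  # bytes sent by src in this flow


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


class Baseline:
    """What each server normally talks to, learned from a trusted window."""

    def __init__(self):
        self.peers = defaultdict(set)    # src -> {(dst, dport)}
        self.max_out = defaultdict(int)  # src -> largest single-flow bytes_out

    def learn(self, flows):
        for f in flows:
            self.peers[f.src].add((f.dst, f.dport))
            self.max_out[f.src] = max(self.max_out[f.src], f.bytes_out)


def analyse(flows, baseline, scan_threshold=20, volume_factor=10):
    """Return (src, kind, detail) findings for an observation window."""
    findings, emitted = [], set()
    new_pairs = defaultdict(set)

    def emit(src, kind, detail):
        key = (src, kind, detail)
        if key not in emitted:          # report each finding once
            emitted.add(key)
            findings.append(key)

    for f in flows:
        pair = (f.dst, f.dport)
        if pair not in baseline.peers[f.src]:
            new_pairs[f.src].add(pair)
            if is_external(f.dst):
                emit(f.src, "new-external-peer", f"{f.dst}:{f.dport}")
        typical = baseline.max_out.get(f.src, 0)
        if typical and f.bytes_out > volume_factor * typical:
            emit(f.src, "outbound-volume",
                 f"{f.bytes_out} bytes to {f.dst} (baseline max {typical})")

    # Many never-before-seen destination/port pairs from one host looks like scanning.
    for src, pairs in new_pairs.items():
        if len(pairs) >= scan_threshold:
            emit(src, "scan-like", f"{len(pairs)} new dst/port pairs")
    return findings


# Constructed sample data (203.0.113.0/24 is a documentation range).
FS01, GIS01, FILE_SHARE, DB = "10.10.1.5", "10.10.1.6", "10.10.1.20", "10.10.2.3"

BASELINE_FLOWS = [Flow(FS01, FILE_SHARE, 445, 50_000)] * 5 + \
                 [Flow(GIS01, FILE_SHARE, 445, 80_000), Flow(GIS01, DB, 5432, 4_000)]

OBSERVED_FLOWS = (
    [Flow(FS01, FILE_SHARE, 445, 48_000),              # routine
     Flow(FS01, "203.0.113.10", 443, 4_000_000)]       # new external peer, 80x usual size
    + [Flow(GIS01, f"10.10.3.{i}", 502, 120) for i in range(1, 26)]  # 25 hosts probed
)


def run_demo():
    base = Baseline()
    base.learn(BASELINE_FLOWS)
    return analyse(OBSERVED_FLOWS, base)


if __name__ == "__main__":
    for src, kind, detail in run_demo():
        print(f"{src:12} {kind:18} {detail}")
```

Against the constructed data the file server produces a new-external-peer and an outbound-volume finding for the same flow, and the GIS server produces a single scan-like finding rather than 25 separate alerts. The point the table makes applies directly: none of these checks can fire unless a baseline exists, so the asset inventory and the learning window have to come before the detection rule.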
The LELWD case also highlights the importance of collaboration. The intrusion was not surfaced through ordinary internal visibility alone. It involved federal notification and specialist OT security support.¹
That matters because no enterprise should assume internal tooling will always detect an adversary designed to avoid it.
The Enterprise Visibility Gap
The biggest risk is not only that Volt Typhoon got in.
It is that the activity remained hidden for months.
That tells security leaders where to look next: not only at tools, but at assumptions.
Do teams assume firewall patching is complete?
Do they assume OT traffic is understood?
Do they assume administrator behavior is always legitimate?
Do they assume third-party access is known?
Do they assume the absence of malware means the absence of intrusion?
Those assumptions are dangerous.
Volt Typhoon-style operations succeed by living inside trusted behavior. They turn native tools into stealth. They turn credentials into movement. They turn weak visibility into dwell time.
Conclusion: The Clock May Already Be Running
Three hundred days is not only a timeline.
It is a warning.
The LELWD incident shows that advanced adversaries do not need to move quickly to create a serious risk. They can wait. They can study. They can map. They can collect operational data. They can prepare options for a future trigger that may have nothing to do with the victim organization’s own business decisions.
That is why enterprise security leaders need to think beyond conventional breach response.
The question is not only, “Can we stop the first exploit?”
It is also, “Can we detect a quiet operator who already got in?”
And, “Can we prove they are not still there?”
Volt Typhoon has made one point clear: the most dangerous intrusion may be the one that does not announce itself.
References
1. SecurityWeek (2024). China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days.
2. Cybersecurity and Infrastructure Security Agency (CISA) (2024). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure.
3. MITRE ATT&CK (2024). Volt Typhoon (G1017). MITRE Corporation.
4. IBM (2024). Cost of a Data Breach Report 2024 Announcement. IBM Corporation.
5. IBM (2024). Cost of a Data Breach Report 2024. IBM Corporation.