VOLTZITE is an active threat group tracked by Dragos Intelligence. This group shares overlaps with Volt Typhoon (Microsoft) and the adversary described by the U.S. Cybersecurity Infrastructure Security Agency (CISA) in a May 2023 advisory, and a more recent one from February 2024.
VOLTZITE has been observed performing reconnaissance and enumeration against multiple US-based electric companies since 2023. Since then, the threat group has targeted emergency management services, telecommunications, satellite services, and defense industrial bases. Additionally, Dragos has observed VOLTZITE targeting electric transmission and distribution in Africa.
In our public intelligence brief, VOLTZITE Espionage Operations Targeting U.S. Critical Systems, we share exclusive research and observations of VOLTZITE activity impacting industrial organizations, along with a timeline of events we’ve observed.
Key Findings
- VOLTZITE employs mostly living off the land (LOTL) techniques, exhibits a high level of operational security practices, and conducts slow, steady reconnaissance against a target.
- VOLTZITE deploys various web shells and FRP, a fast reverse proxy tool, for command and control (C2) communications. C2 traffic frequently talks back to compromised SOHO (Small Office and Home Office) networking equipment or adversary leased VPS (Virtual Private Server) infrastructure.
- VOLTZITE overlaps with multiple threat groups: Volt Typhoon (Microsoft), BRONZE SILHOUETTE (Secureworks), Vanguard Panda (Crowdstrike), and UNC3236 (Mandiant).
Using Behavioral Detections to Spot VOLTZITE Activity
The employment of living off the land (LOTL) techniques by VOLTZITE, along with slow and steady reconnaissance, enables the group to avoid detection. VOLTZITE activity is unlikely to be seen using traditional detection methods. This strategy allows VOLZITE to stretch out their dwell time within a network. Dragos recommends monitoring cross-zone communications between IT and OT networks and utilizing behavioral detections engineered to identify the latest VOLTZITE tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), all of which are available through the Dragos Platform.
Download our public intelligence brief for new vital insights on VOLTZITE, their impact on critical infrastructure now and, with growing certainty, in the future.
Get the Threat Intel Brief
Ready to put your insights into action?
Take the next steps and contact our team today.