National Guardsmen receive brief from Volt Typhoon utility victim at cyber exercise

Cyber Yankee is a New England-focused exercise involving Guardsmen and utilities gaming cyber responses to critical infrastructure intrusions.
Members of the Massachusetts Army National Guard discuss a simulated exercise at Cyber Yankee 2025 at the Edward Cross Training Center, May 14, 2025. Cyber Yankee is a regionally focused exercise evaluating a whole-of-government response to a significant cyber incident involving critical infrastructure and key resources. The participants work on simulated exercises together to perform incident response, threat analysis, and cyber defense operations. (Massachusetts Army National Guard photos by Laura Berry)

For the first time at a New England-based cyber exercise, National Guardsmen recently received a threat briefing from a company that was compromised by a high-profile Chinese cyber actor.

Cyber Yankee, now in its 11th year, is a one-of-a-kind exercise that acts as a dry run of sorts in which members of the Guard in the six New England states work side-by-side with the private sector, utilities and other entities to protect critical infrastructure — which includes operational technology and industrial control systems — in a simulated attack.

A small utility in Littleton, Massachusetts, nearly 40 miles from Boston and roughly 20 miles from New Hampshire, was notified in 2023 by the FBI that it had been compromised by the Chinese entity dubbed Volt Typhoon.

Volt Typhoon is one of a number of cyber players from China that have been discovered in U.S. networks, troubling American officials. For its part, Volt Typhoon was discovered inside U.S. critical infrastructure using a technique in the cybersecurity world dubbed “living off the land,” which means it’s using legitimate tools organic to the systems for malicious purposes.

What has particularly alarmed officials regarding Volt Typhoon is the paradigm shift of Chinese threats moving from espionage and intellectual property theft to holding critical infrastructure at risk.

Other high-profile threats include Salt Typhoon, which targeted and breached telecom companies.

Littleton Electric, Light, and Water Departments provided a briefing to the participants of Cyber Yankee this year during a “lunch and learn” event in what proved to be an eye-opening and educational experience for attendees.

“Volt Typhoon penetrated their network, had access to IT systems and potentially OT systems. That’s the type of thing that our exercise scenario is built around,” Lt. Col. Matthew Dupuis, exercise director for Cyber Yankee with the New Hampshire Army National Guard, said in an interview.

Officials said that after the briefing, noticeably more of the military members chose to focus on the OT track of the exercise.

The briefing was new to Cyber Yankee this year, and planners found it so useful that they hope to have more companies with similar experiences present next year.

“It was great being able to hear that from real, live people,” Dupuis said.

The Guard is a critical resource for states and localities as the first responders to cyber incidents that affect critical infrastructure, incidents that are becoming more common as pipelines and water systems come under attack. When threat actors — from hacktivists to ransomware deployers to nation-states — compromise private critical infrastructure companies, the Guard often acts as a surge force when called up by the governor to aid in the remediation of threats on private networks.

Exercises like Cyber Yankee allow trust to be built between the Guard and private companies, who ultimately own the networks and have to invite Guardsmen to come in and help.

The operational technology for a water treatment plant differs from that of an electric power generator, a grid operator or a natural gas pipeline, so it’s important for each sector and the government to come together through different tracks to rehearse and learn.

Cyber Yankee rotates every year, taking place in a different New England state. This year, it was held in New Hampshire May 5-16. By the end of the exercise, it saw almost 400 participants, which included 240 military, 20 government, 35 private industry — such as water, power and utilities — and 40 international partners from Albania, the Bahamas, El Salvador, Israel, Kenya, Paraguay and Uruguay.

While last year was the first iteration to include foreign partners, only a few actually played in the exercise, as most observed. This year, the majority were slated to be active participants alongside their U.S. counterparts.

The scenario that plays out is unattributable cyberattacks against critical infrastructure in the New England region. Guard cyber forces are activated by governors to support the critical infrastructure companies with incident response.

“Everyone knows who our pacing threat is. China is our pacing threat, if you look at our strategic guidance from the president. China is an active threat, as we’ve learned from Volt Typhoon. We’ve seen Volt Typhoon [in] the news and the other ‘typhoons’, [including] Salt Typhoon,” Col. Cameron Sprague, deputy director for Cyber Yankee with the Connecticut Army National Guard, said. “This year’s scenario is focused on that peer, near-peer nation-state threats against United States critical infrastructure specific to the New England region.”

The exercise uses real-world scenarios and open source tactics, techniques, procedures and exploits to give participants as realistic an environment as possible. It uses open source products purposefully to keep the event unclassified.

“We base the scenario on real world from an open source standpoint, so we can keep it completely unclassified because of the foreign, coalition partners that are here, as well as the civilians from [critical] infrastructure. That way, it allows us to have a good interaction without having to be concerned with security clearances. There’s enough open source material that’s very realistic for the scenario that allows us to do that training,” Col. Barry Groton, Unified Coordination Group lead for Cyber Yankee with the New Hampshire Army National Guard and one of the exercise’s founders, said. “We could do this at the [top secret] level, but it wouldn’t be the same. A lot of these utility folks, they do have some that have clearances, but it would just be really difficult … what happens at a utility that’s not classified.”

The companies find the exercise useful because it’s something that they can’t just go out and buy, officials said. They receive top-notch training that they can’t get anywhere else by partnering with the Guard as well as other companies in their sector.

For the Guard, it also aids in their homeland defense mission as a critical resource to the federal government.

The “National Guard [is] looking at the potential homeland defense mission in support of defense critical infrastructure, which the working definition of that is, critical infrastructure that supports military installations and military ability to project power and to have habitual relationships — and specificity with those particular nuances of the different utilities because it’s not generic,” Groton said.

From an active-duty military perspective, there has been growing interest in recent years. While last year was the first year the Space Force observed Cyber Yankee with a small contingent, this year additional guardians came.

Their interest is the operational technology aspect, as the Space Force’s cyber element focuses a lot on those types of systems.

Written by Mark Pomerleau

Mark Pomerleau is a senior reporter for DefenseScoop, covering information warfare, cyber, electronic warfare, information operations, intelligence, influence, battlefield networks and data.