{ "id": "965aee2a-8682-402f-82c6-7cf6eb42d90b", "created_at": "2026-04-06T00:18:19.257132Z", "updated_at": "2026-04-10T03:34:42.414327Z", "deleted_at": null, "sha1_hash": "39b69c6a5dd950dd5e1f1dbcbde952b7b45b2c24", "title": "The State of Threats to Electric Entities in North America", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 30941, "plain_text": "The State of Threats to Electric Entities in North America\r\nBy Dragos, Inc.\r\nPublished: 2020-01-10 · Archived: 2026-04-02 11:35:14 UTC\r\nAttacks on electric systems – like attacks on other critical infrastructure sectors – can further an adversary’s\r\ncriminal, political, or economic goals. As adversaries and their sponsors invest more effort and money into\r\ndeveloping effects-based operational outcomes, the risk of a disruptive or destructive attack on the electric sector\r\n– including in North America – significantly increases.\r\nToday Dragos released a new report: The North American Electric Cyber Threat Perspective. The information in\r\nthis report is based on Dragos’s ICS-specific threat intelligence, global Platform telemetry, and service\r\nengagements and provides an overview of threats to electric and other critical infrastructure sectors in North\r\nAmerica. Threats to this sector are growing – this year Dragos identified two groups – MAGNALLIUM and\r\nXENOTIME – that expanded their targeting from oil and gas to include electric in North America. This\r\nunderscores the trend in threats expanding from single-vertical ICS operations to multi-vertical ICS operations we\r\nobserve from adversaries targeting industrial entities.\r\nAdditionally, supply chain and third-party compromise remain real and present risk and significant threat to this\r\nsector, in addition to adversaries exploiting remote connectivity services used by organizations like vendors or\r\ncontractors. PARISITE for instance – a new activity group Dragos identified in 2019 – largely focuses on\r\nexploiting vulnerabilities in virtual private network (VPN) appliances to gain initial access to target ICS networks.\r\nThe complete “energy infrastructure sector” (e.g., electric, oil and gas, etc.) of all countries are at risk as\r\ncompanies and utilities face multiple well-resourced ICS-focused adversaries. Cyber attacks are an increasing\r\nmeans to project both symmetric and asymmetric power using cyber attacks in the energy domain.\r\nThe report provides a comprehensive look at threats to the North American electric sector and offers numerous\r\ndefensive recommendations for asset owners and operators to implement and combat observed threats.\r\nSource: https://dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/\r\nhttps://dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/" ], "report_names": [ "the-state-of-threats-to-electric-entities-in-north-america" ], "threat_actors": [ { "id": "5fb9f77b-1273-4658-884e-49f5f511dcd7", "created_at": "2022-10-25T15:50:23.591795Z", "updated_at": "2026-04-10T02:00:05.383475Z", "deleted_at": null, "main_name": "TEMP.Veles", "aliases": [ "TEMP.Veles", "XENOTIME" ], "source_name": "MITRE:TEMP.Veles", "tools": [ "Mimikatz", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "2c348851-5036-406b-b2d1-1ca47cfc7523", "created_at": "2022-10-25T16:07:24.039861Z", "updated_at": "2026-04-10T02:00:04.847961Z", "deleted_at": null, "main_name": "Parisite", "aliases": [ "Cobalt Foxglove", "Fox Kitten", "G0117", "Lemon Sandstorm", "Parisite", "Pioneer Kitten", "Rubidium", "UNC757" ], "source_name": "ETDA:Parisite", "tools": [ "Cobalt", "FRP", "Fast Reverse Proxy", "Invoke the Hash", "JuicyPotato", "Ngrok", "POWSSHNET", "Pay2Key", "Plink", "Port.exe", "PuTTY Link", "SSHMinion", "STSRCheck", "Serveo" ], "source_id": "ETDA", "reports": null }, { "id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c", "created_at": "2023-01-06T13:46:39.001286Z", "updated_at": "2026-04-10T02:00:03.1772Z", "deleted_at": null, "main_name": "TEMP.Veles", "aliases": [ "Xenotime", "G0088", "ATK91" ], "source_name": "MISPGALAXY:TEMP.Veles", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c", "created_at": "2025-08-07T02:03:24.731268Z", "updated_at": "2026-04-10T02:00:03.651425Z", "deleted_at": null, "main_name": "COBALT FOXGLOVE", "aliases": [ "Fox Kitten ", "Lemon Sandstorm ", "Parisite ", "Pioneer Kitten ", "RUBIDIUM ", "UNC757 " ], "source_name": "Secureworks:COBALT FOXGLOVE", "tools": [ "Chisel", "FRP (Fast Reverse Proxy)", "Mimikatz", "Ngrok", "POWSSHNET", "STSRCheck", "Servo", "n3tw0rm ransomware", "pay2key ransomware" ], "source_id": "Secureworks", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "871acc40-6cbf-4c81-8b40-7f783616afbc", "created_at": "2023-01-06T13:46:39.156237Z", "updated_at": "2026-04-10T02:00:03.232876Z", "deleted_at": null, "main_name": "Fox Kitten", "aliases": [ "UNC757", "Lemon Sandstorm", "RUBIDIUM", "PIONEER KITTEN", "PARISITE" ], "source_name": "MISPGALAXY:Fox Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb", "created_at": "2022-10-25T15:50:23.676504Z", "updated_at": "2026-04-10T02:00:05.260839Z", "deleted_at": null, "main_name": "Fox Kitten", "aliases": [ "Fox Kitten", "UNC757", "Parisite", "Pioneer Kitten", "RUBIDIUM", "Lemon Sandstorm" ], "source_name": "MITRE:Fox Kitten", "tools": [ "China Chopper", "Pay2Key", "ngrok", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "b938e2e3-3d1b-4b35-a031-ddf25b912557", "created_at": "2022-10-25T16:07:23.35582Z", "updated_at": "2026-04-10T02:00:04.55531Z", "deleted_at": null, "main_name": "APT 33", "aliases": [ "APT 33", "ATK 35", "Cobalt Trinity", "Curious Serpens", "Elfin", "G0064", "Holmium", "Magnallium", "Peach Sandstorm", "Refined Kitten", "TA451", "Yellow Orc" ], "source_name": "ETDA:APT 33", "tools": [ "Atros2.CKPN", "AutoIt backdoor", "Breut", "CinaRAT", "DROPSHOT", "DarkComet", "DarkKomet", "DistTrack", "EmPyre", "EmpireProject", "FYNLOS", "FalseFont", "Filerase", "Fynloski", "JuicyPotato", "Krademok", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Mimikatz", "Nancrat", "NanoCore", "NanoCore RAT", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Notestuk", "POWERTON", "PoshC2", "PowerBand", "PowerShell Empire", "PowerSploit", "PsList", "Pupy", "PupyRAT", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "SHAPESHIFT", "Shamoon", "Socmer", "StoneDrill", "TURNEDUP", "Tickler", "Yggdrasil", "Zurten", "klovbot", "pupy" ], "source_id": "ETDA", "reports": null }, { "id": "20012494-3f05-48ce-8c0f-92455e46a4f9", "created_at": "2022-10-25T16:07:24.319939Z", "updated_at": "2026-04-10T02:00:04.934107Z", "deleted_at": null, "main_name": "TEMP.Veles", "aliases": [ "ATK 91", "G0088", "Xenotime" ], "source_name": "ETDA:TEMP.Veles", "tools": [ "Cryptcat", "HatMan", "Mimikatz", "NetExec", "PsExec", "SecHack", "TRISIS", "TRITON", "Trisis", "Triton", "Wii" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434699, "ts_updated_at": 1775792082, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/39b69c6a5dd950dd5e1f1dbcbde952b7b45b2c24.pdf", "text": "https://archive.orkl.eu/39b69c6a5dd950dd5e1f1dbcbde952b7b45b2c24.txt", "img": "https://archive.orkl.eu/39b69c6a5dd950dd5e1f1dbcbde952b7b45b2c24.jpg" } }