{
	"id": "95fd3b07-02c1-42a2-b0f5-a61b7f73b40c",
	"created_at": "2026-04-06T00:06:56.651968Z",
	"updated_at": "2026-04-10T03:32:49.828752Z",
	"deleted_at": null,
	"sha1_hash": "93e98d7fbeac15d5a5e5a00a629a8dfe0dd8f4af",
	"title": "Active malware operation let attackers sabotage US energy industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32671,
	"plain_text": "Active malware operation let attackers sabotage US energy\r\nindustry\r\nBy Dan Goodin\r\nPublished: 2014-06-30 · Archived: 2026-04-05 20:54:14 UTC\r\nThe Havex RAT gathers information about the infected computers and the networks they are connected to and\r\nsends it to servers under the control of the attackers. Among other things, it extracts data from a victim’s Outlook\r\naddress book and virtual private networking (VPN) programs. A program that appears to be have been developed\r\nin-house, Havex is also known as Backdoor.Oldrea and the Energetic Bear RAT. Dragonfly members also infected\r\nsome computers with Trojan.Karagany, a RAT available in underground markets that has most likely been\r\nmodified. It’s capable of collecting passwords, taking screenshots, and cataloging documents stored on infected\r\ncomputers.\r\nDragonfly operators hacked websites of at least three different companies providing ICS software. The first\r\nprovided a product used to provide VPN access to programmable logic controller devices (PLC). The unnamed\r\nprovider discovered the attack shortly after it was mounted, but by then there had already been 250 downloads of\r\nthe trojanized software. The second provider was a European manufacturer of specialist PLC devices. Symantec\r\nestimated that a compromised package containing a computer driver was available for download for at least six\r\nweeks last June and July. The last firm was also based in Europe and develops systems to manage wind turbines,\r\nbiogas plants, and other energy infrastructure. The compromised software was available for about 10 days in\r\nApril, Symantec said.\r\nIn addition to trojanizing legitimate software used by its victims, Dragonfly has relied on traditional methods of\r\ninfecting its targets. Those include spam campaigns that trick recipients into installing malicious applications and\r\nso-called watering hole attacks, which plant exploits on websites known to be frequented by targets. The\r\ndiscovery that the group has more recently begun infecting suppliers underscores the evolution that’s typical in\r\nmany malware operations.\r\n“The Dragonfly group is technically adept and able to think strategically,” the Symantec report stated. “Given the\r\nsize of some of its targets, the group found a ‘soft underbelly’ by compromising their suppliers, which are\r\ninvariably smaller, less protected companies.”\r\nSource: https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/\r\nhttps://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/"
	],
	"report_names": [
		"active-malware-operation-let-attackers-sabotage-us-energy-industry"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE",
				"ATK6",
				"BROMINE",
				"CASTLE",
				"Crouching Yeti",
				"DYMALLOY",
				"Dragonfly",
				"Energetic Bear / Berserk Bear",
				"Ghost Blizzard",
				"TEMP.Isotope",
				"TG-4192"
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434016,
	"ts_updated_at": 1775791969,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93e98d7fbeac15d5a5e5a00a629a8dfe0dd8f4af.pdf",
		"text": "https://archive.orkl.eu/93e98d7fbeac15d5a5e5a00a629a8dfe0dd8f4af.txt",
		"img": "https://archive.orkl.eu/93e98d7fbeac15d5a5e5a00a629a8dfe0dd8f4af.jpg"
	}
}