{
	"id": "eeaf83cd-5fab-48fa-bf74-21cfc6ceea00",
	"created_at": "2026-04-06T00:12:37.437225Z",
	"updated_at": "2026-04-10T13:11:46.595064Z",
	"deleted_at": null,
	"sha1_hash": "9ca87f66d0ac4d13fc1697f91f74fc885ff4f7c7",
	"title": "Detecting Russian Threats to Critical Energy Infrastructure - Truesec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 300559,
	"plain_text": "Detecting Russian Threats to Critical Energy Infrastructure -\r\nTruesec\r\nBy Hjalmar Desmond\r\nPublished: 2026-02-09 · Archived: 2026-04-05 18:06:17 UTC\r\nOn December 29, 2025, a threat actor conducted a destructive cyberattack on the Polish electrical grid. The attack\r\nconsisted of at least three separate events, including an attack targeting grid connection points (GCP) in the\r\nelectric grid, and an attack targeting a combined heat- and powerplant (CHP) used to produce thermal energy.\r\nThis attack represents an escalation of the threat to critical infrastructure in the Nordics and Truesec assesses that\r\nnow that Russia has crossed the threshold of conducting destructive cyberattacks on critical infrastructure, it can\r\nhappen again and also in the Nordics.\r\nIt is consequently critical to find and eradicate other potential intrusions by this threat actor in environments\r\nbelonging to critical infrastructure in the Nordics and the rest of Europe.\r\nThis blog is a summary of what we know about this threat actor, the tools and tactics used by them, and detection\r\nrules we have developed to assist in threat hunting and evicting them. Our aim is to assist defenders who want to\r\nprotect critical infrastructure from this threat.\r\nWe are deeply indebted to the Polish CERT for their excellent report on the cyberattack on December 29. Much of\r\nwhat we know comes from this report.\r\nWho is the Threat Actor \r\nThe report released by the Polish CERT attributes the attack to the Russian threat actor known as “Ghost Blizzard”\r\nor “DragonFly”. This attack represents the first known destructive cyberattack attributed to this group, and the\r\nfirst destructive cyberattack on critical energy infrastructure in a NATO country by a Russian cyber warfare unit.  \r\nThe threat actor DragonFly is a cyber espionage and cyber warfare unit that is assessed to be part of Russia’s\r\nsecurity service FSB Center 16. 
This group has been active since at least 2010 and appears to focus much of its\r\nactivity on critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and\r\ncritical manufacturing sectors.\r\nUntil now, DragonFly had never conducted any known destructive cyberattacks, even though the group has\r\nrepeatedly attempted to gain access to such networks, prepositioned backdoors, and prepared for destructive\r\nattacks.\r\nThe reason for this behavior is likely tied to the nature of cyber warfare. Conducting a successful\r\ndestructive cyberattack on a scale that impacts an adversary at a critical point usually requires extensive\r\npreparation. Artefacts from the Russian cyberattack on Ukraine on the eve of the Russian invasion of Ukraine in\r\nFebruary 2022 show that the operation had been prepared for at least a year ahead of the attack.\r\nhttps://www.truesec.com/hub/blog/detecting-russian-threats-to-critical-energy-infrastructure\r\nPage 1 of 15\n\nRussia’s other main cyber warfare unit, the GRU threat actor known as Seashell Blizzard or “Sandworm”, has\r\nconducted repeated cyberattacks in Ukraine in support of the Russian military operations, including repeated\r\ndestructive attacks on the Ukrainian energy grid. Truesec assesses that DragonFly has not participated in these\r\nattacks because their main mission has been to maintain the capacity to strike at critical infrastructure in NATO\r\ncountries, should the need arise.\r\nThat DragonFly has now been activated and conducted a destructive cyberattack against Polish critical\r\ninfrastructure represents, in our assessment, a considerable escalation by Russia, one that may not have\r\nreceived the attention it deserved, considering the effect this attack could potentially have had. Polish authorities\r\nclaim that in a worst-case scenario up to 500 000 people could have been left without electricity and heating. 
\r\nDetection and Threat Hunting\r\nBased on intelligence provided by the Polish CERT, Truesec conducted further analysis of the wiper malware used\r\nin the attack, as well as the associated malicious activities observed during the intrusion. The goal of this work\r\nwas to provide additional detection mechanisms and enable effective threat hunting activities related to this\r\ncampaign.\r\nWipers\r\nThe DynoWiper variant deployed against HMI systems was implemented in a specific\r\nmanner, leveraging the Mersenne Twister (MT19937) pseudorandom number generator to produce the random data\r\nused for overwriting files.\r\nA heuristic approach to identifying binaries with potential wiper-like behavior is to look for constants associated\r\nwith the Mersenne Twister algorithm in combination with Windows API calls commonly used for file enumeration\r\nand deletion. While this method is not specific to wiper malware, it can help surface suspicious binaries that merit\r\nfurther investigation.\r\nIt should be noted that this approach may produce false positives, such as antivirus software or legitimate disk\r\nutility tools. Therefore, any binaries that match these heuristics should be analyzed in context to understand why\r\nsuch functionality exists on the system, especially if found on a system within an OT network.\r\nimport \"pe\"\r\n\r\nrule possible_wiper_using_mersenne\r\n{\r\n    meta:\r\n        description = \"Windows PE \u003c 500 KB containing MT19937 constants and wiper-like imports\"\r\n        date = \"2026-02-02\"\r\n        author = \"Nicklas Keijser\"\r\n        hash1 = \"60c70cdcb1e998bffed2e6e7298e1ab6bb3d90df04e437486c04e77c411cae4b\"\r\n        hash2 = \"835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5\"\r\n        hash3 = \"65099f306d27c8bcdd7ba3062c012d2471812ec5e06678096394b238210f0f7c\"\r\n        hash4 = \"d1389a1ff652f8ca5576f10e9fa2bf8e8398699ddfc87ddd3e26adb201242160\"\r\n    strings:\r\n        // MT19937 seeding multiplier 0x6C078965 (1812433253), little-endian\r\n        $const = { 65 89 07 6C }\r\n        // MT19937 twist matrix constant 0x9908B0DF, little-endian\r\n        $twist = { DF B0 08 99 }\r\n        // MT19937 lower mask 0x7FFFFFFF, little-endian\r\n        $mask7f = { FF FF FF 7F }\r\n    condition:\r\n        pe.is_pe and\r\n        // file enumeration and deletion APIs typical of a wiper\r\n        pe.imports(\"kernel32.dll\", \"GetLogicalDrives\") and\r\n        pe.imports(\"kernel32.dll\", \"FindFirstFileW\") and\r\n        pe.imports(\"kernel32.dll\", \"DeleteFileW\") and\r\n        pe.imports(\"kernel32.dll\", \"FindNextFileW\") and\r\n        pe.imports(\"kernel32.dll\", \"SetFileAttributesW\") and\r\n        filesize \u003c 500KB and\r\n        ($const and $twist and $mask7f) and\r\n        // unsigned, or signed by someone other than Microsoft\r\n        (\r\n            pe.number_of_signatures == 0 or\r\n            (\r\n                pe.number_of_signatures \u003e 0 and\r\n                not for any i in (0 .. pe.number_of_signatures - 1) : (\r\n                    pe.signatures[i].issuer matches /Microsoft/i or\r\n                    pe.signatures[i].subject matches /Microsoft/i\r\n                )\r\n            )\r\n        )\r\n}\r\nThe RTU Wiper\r\nThe destructive activities observed on RTU devices were performed by overwriting the firmware with a\r\ndeliberately corrupted ELF binary. The file’s entry point consists entirely of 0xFF bytes, rendering the firmware\r\nnonfunctional and effectively disabling the device.\r\nThis behavior can be detected by identifying ELF binaries where the entry point contains only 0xFF bytes. While\r\nthis detection method is relatively simple and could be bypassed by a more sophisticated implementation, a match\r\non this condition strongly indicates malicious intent, as such content would not be expected in a legitimate\r\nfirmware image.\r\nimport \"elf\"\r\n\r\nrule ELF_entrypoint_at_least_64_FF\r\n{\r\n    meta:\r\n        description = \"ELF file with just FF at entry point\"\r\n        date = \"2026-02-02\"\r\n        author = \"Nicklas Keijser\"\r\n    condition:\r\n        // ELF magic 0x7F 'E' 'L' 'F' read as a little-endian uint32\r\n        uint32(0) == 0x464c457f and\r\n        // the first 64 bytes at the entry point are all 0xFF\r\n        for all i in (0..63) :\r\n            (uint8(elf.entry_point + i) == 0xFF)\r\n}\r\nThis rule only looks for 0xFF bytes at the entry point of the ELF file; this is rather trivial to bypass, but if there is a match\r\non this behavior, it is certain that the intention is malicious.\r\nThreat Hunting\r\nPrior to deploying the wiper malware, the threat actor performed multiple staging and preparation activities,\r\nprimarily involving the movement and copying of files over SMB. These actions can be identified through\r\nstructured threat hunting queries and, when detected, should be analysed in context to determine their purpose and\r\norigin.\r\nEnable Automatic Administrative Shares\r\nThe attacker enabled automatic administrative shares to facilitate file movement and remote access. 
\r\nCommand:\r\n“powershell.exe New-ItemProperty -Path ‘HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters’ -Name ‘AutoShareWks’ -Value 1 -PropertyType DWord -Force”\r\n“powershell.exe New-ItemProperty -Path ‘HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters’ -Name ‘AutoShareServer’ -Value 1 -PropertyType DWord -Force”\r\nThreat Hunting Query (User Input):\r\nDeviceProcessEvents\r\n| where FileName in~ (\"powershell.exe\",\"pwsh.exe\")\r\n| where ProcessCommandLine has_all (@\"LanmanServer\\Parameters\",\"New-ItemProperty\") and ProcessCommandLine has_an\r\nThreat Hunting Query (System Output):\r\nDeviceRegistryEvents\r\n| where ActionType == \"RegistryValueSet\"\r\n| where RegistryKey endswith @\"\\LanmanServer\\Parameters\"\r\n| where RegistryValueName has_any (\"AutoShareWks\",\"AutoShareServer\")\r\n| where RegistryValueData == 1\r\nRestart of the SMB Service:\r\nTo activate the changes made to the LanmanServer configuration, the SMB service was restarted.\r\nCommand:\r\n\"powershell.exe Get-Service LanmanServer | Restart-Service -Verbose -Force\"\r\nThreat Hunting Query:\r\nDeviceProcessEvents\r\n| where FileName in~ (\"Powershell.exe\",\"pwsh.exe\")\r\n| where ProcessCommandLine has_all (\"LanManServer\",\"Restart-Service\")\r\nAllow Inbound SMB Traffic on the Firewall\r\nThe attacker added a firewall rule allowing inbound TCP traffic on port 445 (SMB), using a misleading rule name\r\nto reduce suspicion.\r\nCommand:\r\n“powershell.exe New-NetFirewallRule -Name ‘Microsoft Update’ -DisplayName ‘Microsoft Update’ -Protocol TCP -LocalPort 445 -Action Allow”\r\nThreat Hunting Query:\r\nDeviceProcessEvents\r\n| join kind=leftouter (DeviceInfo| where DeviceType == \"Server\" | where OSPlatform contains \"Windows\"| distinct\r\n| where FileName in~ (\"powershell.exe\",\"pwsh.exe\")\r\n| where ProcessCommandLine has_all (\"New-NetFirewallRule\",\"Microsoft Update\",\"-LocalPort 445\",\"-Action Allow\")\r\n| where OSPlatform contains \"windows\"\r\nData Exfiltration via HTTP\r\nData exfiltration was performed using PowerShell’s Invoke-RestMethod cmdlet to upload files to a remote\r\nendpoint using HTTP POST requests.\r\nCommand:\r\nInvoke-RestMethod -Uri -Method Post -InFile\r\nThreat Hunting Query:\r\nDeviceNetworkEvents\r\n| where InitiatingProcessCommandLine has_all (\"Invoke-RestMethod\",\"Post\",\"InFile\")\r\nConclusion and Recommendations\r\nThe detection mechanisms presented in this report are primarily behavior-based, focusing\r\non identifying suspicious patterns and activities rather than relying on static indicators alone. This approach is\r\nwell-suited for detecting destructive malware and preparatory activities where tooling, payloads, or infrastructure\r\nmay change across intrusions.\r\nIt is important to emphasize that any alert or hit generated by these YARA rules or threat hunting queries must be\r\ninvestigated in context. While the behaviors described are highly indicative of malicious intent\r\nwhen observed together or in sensitive environments, certain legitimate tools, such as antivirus software, backup\r\nsolutions, or disk utilities, may exhibit overlapping characteristics. Understanding the role of the affected system,\r\nthe originating process, and the surrounding activity is therefore essential.\r\nBased on validation and testing performed by Truesec, the expected rate of false positives for these detections\r\nis very low, estimated at less than 1 in 100,000 executions. This makes the provided rules and queries well-suited\r\nfor proactive threat hunting, particularly in OT and critical infrastructure environments, where such behaviors are\r\nuncommon and should be treated with heightened scrutiny. 
\r\nRecommendations\r\nTruesec recommends the following actions:\r\nDeploy the provided YARA rules and hunting queries in monitoring and threat hunting workflows, with prioritization on OT-adjacent systems, HMI platforms, and infrastructure servers\r\nInvestigate all hits thoroughly, correlating results with system role, change history, user activity, and other telemetry before drawing conclusions\r\nBaseline normal behavior for PowerShell, SMB, and firmware update activities within the environment to further reduce the risk of misinterpretation\r\nTreat detections related to wiper-like behavior as high severity, as these activities are rarely benign and often indicate imminent or ongoing destructive actions\r\nContinuously refine and adapt detections as new intelligence becomes available, particularly in relation to evolving wiper techniques and pre-positioning activities\r\nBy applying these detections in combination with contextual analysis and operational awareness, organizations can significantly improve their ability to identify and disrupt destructive attacks at an early stage.\r\nIf you have any further questions regarding detection, threat hunting queries or threats to critical infrastructure, please contact Truesec for further discussions.\r\nAnnex: TTPs Used by Threat Actor\r\nBelow is an amalgamation of what we know of the TTPs used by the “DragonFly” threat actor. The main source of information is again the report by the Polish CERT, supported by other sources.\r\nTechnique | ATT&CK ID | Observed activity\r\nRECONNAISSANCE\r\nGather Victim Org Information: Business Relationships | T1591.002 | Collected open source information to identify relationships between organizations for targeting purposes.\r\nActive Scanning: Vulnerability Scanning | T1595.002 | Scanned targeted systems for vulnerable Citrix and Microsoft Exchange services.\r\nPhishing for Information: Spearphishing Attachment | T1598.002 | Used spearphishing with Microsoft Office attachments to enable harvesting of user credentials.\r\nPhishing for Information: Spearphishing Link | T1598.003 | Used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.\r\nRESOURCE DEVELOPMENT\r\nAcquire Infrastructure: Domains | T1583.001 | Registered domains for targeting intended victims.\r\nAcquire Infrastructure: Virtual Private Server | T1583.003 | Acquired VPS infrastructure for use in malicious campaigns.\r\nCompromise Infrastructure: Server | T1584.004 | Compromised legitimate websites to host C2 and malware modules.\r\nObtain Capabilities: Tool | T1588.002 | Obtained and used tools such as Mimikatz, CrackMapExec, and PsExec.\r\nStage Capabilities: Drive-by Target | T1608.004 | Compromised websites to redirect traffic and to host exploit kits.\r\nINITIAL ACCESS\r\nValid Accounts: Local Accounts | T1078.003 | Login to a Fortinet device within a manufacturing sector enterprise\r\nExternal Remote Services | T1133 | Use of Fortinet edge devices and Outlook Web Access (OWA) to gain infrastructure access\r\nDrive-by Compromise | T1189 | Compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit.\r\nExploit Public-Facing Application | T1190 | Conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs.\r\nSupply Chain Compromise: Compromise Software Supply Chain | T1195.002 | Ghost Blizzard has placed trojanized installers for control system software on legitimate vendor app stores.\r\nPhishing: Spearphishing Attachment | T1566.001 | Ghost Blizzard has sent emails with malicious attachments to gain initial access.\r\nEXECUTION\r\nExploitation for Client Execution | T1203 | Exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system.\r\nScheduled Task/Job: Scheduled Task | T1053.005 | Distribution of the wiper within the domain using a Scheduled Task\r\nPERSISTENCE\r\nScheduled Task/Job | T1053 | Creation of scripts on FortiGate devices for administrator credential theft and configuration modification\r\nValid Accounts: Local Accounts | T1078.003 | Use of local FortiGate VPN accounts to connect to compromised entities\r\nAccount Manipulation: Additional Local or Domain Groups | T1098.007 | Added newly created accounts to the administrators group to maintain elevated access.\r\nExternal Remote Services | T1133 | Use of FortiGate VPN to connect to compromised entities\r\nCreate Account: Local Account | T1136.001 | Created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | Added the registry value ntdll to the Registry Run key to establish persistence.\r\nPRIVILEGE ESCALATION\r\nValid Accounts: Accounts | T1078.003 | Use of an account with administrative privileges on the edge device\r\nAccess Token Manipulation | T1134 | Credential theft from the LSASS Service; privilege escalation via a Process Token\r\nDEFENSE EVASION\r\nMasquerading: Masquerade Account Name | T1036.010 | Created accounts disguised as legitimate backup and service accounts as well as an email administration account.\r\nIndicator Removal: Clear Windows Event Logs | T1070.001 | Cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.[15]\r\nIndicator Removal: File Deletion | T1070.004 | Deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.\r\nModify Registry | T1112 | Modified the Registry to perform multiple techniques through the use of Reg.\r\nTemplate Injection | T1221 | Injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication.\r\nFile and Directory Permissions Modification | T1222 | Modification of file permissions by the wiper\r\nDomain or Tenant Policy Modification: Group Policy Modification | T1484.001 | Distribution of the wiper within the domain via modification of the “Default Domain Policy” GPO\r\nServer Software Component: Web Shell | T1505.003 | Commonly created Web shells on victims’ publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.[15]\r\nImpair Defenses: Disable or Modify System Firewall | T1562.004 | Disabled host-based firewalls. The group has also globally opened port 3389.\r\nImpair Defenses: Disable or Modify Network Device Firewall | T1562.013 | Modification of FortiGate device configuration\r\nHide Artifacts: Hidden Users | T1564.002 | Modified the Registry to hide created user accounts.\r\nCREDENTIAL ACCESS\r\nOS Credential Dumping: Security Account Manager | T1003.002 | Dropped and executed SecretsDump to dump password hashes.\r\nOS Credential Dumping: NTDS | T1003.003 | Dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers.\r\nOS Credential Dumping: LSA Secrets | T1003.004 | Dropped and executed SecretsDump to dump password hashes.\r\nBrute Force | T1110 | Attempted to brute force credentials to gain access.\r\nPassword Cracking | T1110.002 | Dropped and executed tools used for password cracking, including Hydra and CrackMapExec.\r\nForced Authentication | T1187 | Gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems.[15][7]\r\nSteal or Forge Kerberos Tickets | T1558 | Creation of the Diamond Ticket\r\nDISCOVERY\r\nSystem Network Configuration Discovery | T1016 | Used batch scripts to enumerate network information, including information about trusts, zones, and the domain. Retrieval of the routing table and ARP cache\r\nRemote System Discovery | T1018 | Enumeration of systems available on the network\r\nSystem Owner/User Discovery | T1033 | Used the command query user on victim hosts.\r\nNetwork Service Discovery | T1046 | Enumeration of services available on the network\r\nSystem Network Connections Discovery | T1049 | Enumeration of network connections\r\nProcess Discovery | T1057 | Enumeration of processes running on the system\r\nFile and Directory Discovery | T1083 | Used a batch script to gather folder and file names from victim hosts.\r\nAccount Discovery: Domain Account | T1087.002 | Used batch scripts to enumerate users on a victim domain controller.\r\nNetwork Share Discovery | T1135 | Identified and browsed file servers in the victim network, sometimes viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.[15]\r\nLocal Storage Discovery | T1680 | Creation by the wiper of a list of disks visible to the system\r\nCOLLECTION\r\nData from Local System | T1005 | Collected data from local victim systems.\r\nQuery Registry | T1012 | Queried the Registry to identify victim information.\r\nData Staged: Local Data Staging | T1074.001 | Created a directory named “out” in the user’s %AppData% folder and copied files to it.\r\nScreen Capture | T1113 | Performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).\r\nEmail Collection: Remote Email Collection | T1114.002 | Accessed email accounts using Outlook Web Access.\r\nArchive Collected Data | T1560 | Compressed data into .zip files prior to exfiltration.\r\nData from Configuration Repository: Network Device Configuration Dump | T1602.002 | Dumping firewall device configuration\r\nCOMMAND AND CONTROL\r\nApplication Layer Protocol: File Transfer Protocols | T1071.002 | Used SMB for C2.\r\nProxy | T1090 | Use of reverse SOCKS Proxy and the Tor Network\r\nIngress Tool Transfer | T1105 | Downloading tools from Dropbox\r\nRemote Access Tools: Remote Desktop Software | T1219.002 | Use of RDP to connect to devices in the internal network\r\nHide Infrastructure | T1665 | Use of compromised infrastructure for communication\r\nEXECUTION\r\nCommand and Scripting Interpreter | T1059 | Used the command line for execution.\r\nPowerShell | T1059.001 | Used PowerShell scripts for execution.\r\nWindows Command Shell | T1059.003 | Used various types of scripting to perform operations, including batch scripts.\r\nPython | T1059.006 | Used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.\r\nPermission Groups Discovery: Domain Groups | T1069.002 | Used batch scripts to enumerate administrators and users in the domain.\r\nUser Execution: Malicious File | T1204.002 | Used various forms of spearphishing in attempts to get users to open malicious attachments.\r\nSystem Services: Service Execution | T1569.002 | Execution of commands using the PsExec tool\r\nEXFILTRATION\r\nExfiltration Over Web Service | T1567 | Exfiltration of stolen data via HTTP to the attacker-controlled servers\r\nExfiltration Over Web Service: Exfiltration Over Webhook | T1567.004 | Transmission of script execution results to a Slack channel\r\nIMPACT\r\nData Destruction | T1485 | File corruption by the wiper\r\nInhibit System Recovery | T1490 | Change of IP addressing on compromised devices\r\nSystem Shutdown/Reboot | T1529 | Device shutdown performed by the wiper\r\nSources\r\n1. https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf\r\n2. https://www.sophos.com/en-us/research/resurgent-iron-liberty-targeting-energy-sector\r\n3. https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers\r\n4. https://vblocalhost.com/uploads/VB2021-Slowik.pdf\r\n5. https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-296a#revisions\r\n6. https://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors\r\n7. https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers\r\nSource: https://www.truesec.com/hub/blog/detecting-russian-threats-to-critical-energy-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.truesec.com/hub/blog/detecting-russian-threats-to-critical-energy-infrastructure"
	],
	"report_names": [
		"detecting-russian-threats-to-critical-energy-infrastructure"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434357,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ca87f66d0ac4d13fc1697f91f74fc885ff4f7c7.pdf",
		"text": "https://archive.orkl.eu/9ca87f66d0ac4d13fc1697f91f74fc885ff4f7c7.txt",
		"img": "https://archive.orkl.eu/9ca87f66d0ac4d13fc1697f91f74fc885ff4f7c7.jpg"
	}
}