{
	"id": "1f00ad7d-9f49-4e24-a755-608d38b0fb2b",
	"created_at": "2026-04-29T02:20:28.016234Z",
	"updated_at": "2026-04-29T08:21:15.862916Z",
	"deleted_at": null,
	"sha1_hash": "f14bf3978e2754e3c4e5cc0344d17f612ade1ccd",
	"title": "",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "2026-03-25T13:50:20Z",
	"file_modification_date": "2026-03-25T13:50:20Z",
	"file_size": 2113546,
	"plain_text": "© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\nDragos 2026 OT Cybersecurity Report\r\nYear in Review, O\u0026G and Petrochemicals Focus\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 2\r\n• 26 years of experience across automation and ICS/OT security, with roles in O\u0026G\r\ndownstream, upstream, and global technical leadership\r\n• Past titles have included Principal Consultant, Principal ICS Security Engineer, Controls \u0026\r\nAutomation Specialist, Process/CEMS Analyzer Specialist, and Instrumentation \u0026 Electrical\r\nTechnician\r\n• Certified SANS Instructor ICS410/ICS612, GSE #320, Master's in Information Security\r\nEngineering from SANS Technology Institute\r\nMike Hoffman\r\nField CTO, Oil \u0026 Gas and Petrochemicals linkedin.com/in/mjhoffman7\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 3\r\nMiddle East Developments\r\nKinetic Attacks impact to the global O\u0026G and Petrochemical markets\r\n• Qatar LNG assets have been impacted and have declared Force Majeure. Over 17% reduction in\r\nglobal LNG output\r\n• Bahrain Refinery production was affected due to a drone strike, and has declared Force Majeure\r\n• Kuwait Refineries are at reduced capacity and have declared Force Majeure\r\n• Saudi Arabia's refineries targeted\r\n• UAE Refineries, Gas Fields, and Oil Terminals targeted\r\n• Oman Oil Terminals targeted\r\n• Strait of Hormuz shipping lane effectively blocked – affecting 20% of global oil supply\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 4\r\nWhat is going on How to be ready\r\nMiddle East Developments\r\nCyber Attacks\r\n• Considerable amount of GPS attacks around\r\nthe Strait of Hormuz\r\n• Reported Adversarial activity and data\r\nexfiltration in LNG companies\r\n• BAUXITE claimed Jordanian wheat silo\r\ncompromise\r\n• MuddyWater increased activity against the\r\nUS. 
Israel (historically targeting the EU, but it's\r\nshifting focus to the US and Israel)\r\n• Hacktivism is on the rise (claims have doubled\r\nsince the start of the war)\r\n• Expect Stage 1 Activity\r\n• Primary Operational Risk\r\n• Adversaries Will Target Exposed ICS/OT\r\nAssets\r\n• Eliminate or lock down internet-facing devices\r\n• Prepare for Manual Operations\r\n• Ensure you have offline, tested backups\r\n• Expect \u0026 Accept Hacktivist Noise\r\n• DDoS campaigns, exaggerated claims of\r\noperational disruption\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 6\r\n9th Annual Dragos Year in Review\r\nNew specialized threat groups with diverse\r\napproaches lower the barrier for established\r\ngroups to achieve OT impact\r\nControl loop mapping demonstrates\r\nadversaries understand industrial\r\noperations at the process level\r\nShift from reconnaissance to attempted\r\noperational effects throughout 2025\r\nRansomware incidents are OT\r\nby consequence despite frequent\r\noversimplification and mislabeling\r\nOrganizations still struggle to implement\r\nbasic controls, preventing an effective\r\nresponse when attacks occur\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 7\r\nDragos Identifies 3 New Threat Groups\r\nOf the 26 threat groups tracked by Dragos, 11 were active in 2025\r\n2017 2018 2019 2020 2021 2022 2023 2024 2025\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 
8\r\n73% of Dragos IR cases involved\r\nactive exploitation or credential\r\nreuse of VPN/jumphosts\r\nNew: SYLVANITE\r\nRapid exploitation broker enabling\r\nVOLTZITE access to critical infrastructure\r\nOverlaps with: UNC5221, UNC5174, UNC5291, UNC3236,\r\nHOUKEN, Red Dev 61, CL-STA-0048, UTA0178\r\nExploited Ivanti VPN vulnerabilities\r\nwithin 48 hours of disclosure\r\nInstalled persistent web\r\nshells on F5 devices\r\nExtracted Active\r\nDirectory credentials\r\nHanded off access to\r\nVOLTZITE or deeper intrusions\r\nTargets:\r\nElectric Power Water Oil \u0026 Gas Manufacturing Public\r\nAdministration\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 9\r\nRapid Vulnerability\r\nExploitation Campaigns\r\n1 2 3 4\r\nDec 2023\r\nIvanti Connect\r\nSecure CVE-2023-46805,\r\nCVE-2024-21887\r\n2024\r\nF5 BIG-IP \u0026 ConnectWise\r\nScreenConnect;\r\nF5: CVE-2023-46747;\r\nConnectWise:\r\nCVE-2024-1709\r\nApr 2025\r\nSAP NetWeaver\r\nZero-Day\r\nCVE-2025-31324\r\nMay 2025\r\nIvanti EPMM\r\n(U.S. Utility Victim)\r\nCVE-2025-4427,\r\nCVE-2025-4428\r\n26%\r\nof advisories\r\nhad NO\r\npatch when\r\nannounced\r\n4%\r\nhad public\r\nPOC \u0026 were\r\nactively\r\nexploited\r\n52%\r\nDragos provided\r\nalternate\r\nmitigations when\r\nvendors couldn't\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 10\r\nVOLTZITE\r\nDemonstrated capability to access\r\n\u0026 manipulate OT/ICS assets\r\nOverlaps with: VOLT TYPHOON, BRONZE SILHOUETTE, VANGUARD PANDA, INSIDIOUS TAURUS\r\nExploited VPN gateways to access utility networks\r\nExtracted SCADA configuration files from engineering workstations\r\nObserved operational data to understand process shutdown conditions\r\nMaintained access through web shells on internet-facing appliances\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 
11\r\nVOLTZITE Attack Path\r\nORB botnets\r\nincluding JDY -\r\ncomprised mostly of\r\nSOHO devices\r\nC2 Nodes\r\nCommand\r\n\u0026 Control\r\nReconnaissance\r\nVulnerable Internet-facing\r\nRemote Access Gateway\r\nWebshell \u0026\r\nC2 agent\r\ninstallation\r\nCredentials \u0026\r\naccess tokens from\r\nedge device\r\nExploits\r\nvulnerabilities\r\nStolen Credential\r\nReuse\r\nEWS\r\nSoftware\r\nmanipulation\r\nSensor data \u0026\r\noperational process\r\ndata\r\nExfiltration via C2\r\nNetwork perimeter\r\nreconnaissance\r\nCompromise Internet-facing edge devices\r\nEstablish edge\r\ndevice persistence\r\nExfiltrate credential\r\ndata from internet-facing edge devices\r\nReplay legitimate\r\ncredentials for\r\nlateral movement\r\nExfiltrate OT sensor\r\nand operational\r\nprocess data\r\n01 02 03 04 05 06\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 12\r\nAccessed engineer workstations\r\nthrough compromised edge devices\r\nMaintained persistent access for extended\r\nperiods using living off the land techniques\r\nNew: AZURITE\r\nTheft of operational information, long-term access enablement\r\nOverlaps with: Flax Typhoon, Ethereal Panda, UNC5923, Raptor Train, Red Dev 54\r\nCompromised SOHO routers to build proxy\r\ninfrastructure across multiple countries\r\nExfiltrated OT network\r\ndiagrams and\r\noperational data\r\nTargets:\r\nManufacturing Defense Automotive Electric Government\r\nWhat Dragos Observed in 2025\r\nOil \u0026 Gas\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 
13\r\nAZURITE\r\nVPN Access to OT Environment and Engineer Workstation\r\nAZURITE\r\nVulnerability\r\nexploitation \u0026\r\ncompromised\r\ncredentials\r\nVPN\r\nDeploy webshell to\r\nexploited VPN\r\nVPN\r\nAdversary at\r\ncontrolled IPs\r\nLateral\r\nMovement\r\nSOCKS Tunnel Jump server\r\ninto OT network\r\nEngineer\r\nWorkstation\r\nCollect OT\r\nInformation\r\nExploit vulnerabilities or\r\nuse VPN credentials from\r\nother credential stuffing\r\nDeploy webshell\r\nto VPN device\r\nAccess OT jump server\r\nwith compromised\r\ncredentials\r\nAccess engineer\r\nworkstation to exfiltrate OT\r\noperational information\r\nExfiltrate alarm data, PLC\r\nconfigurations, HMI data, operational\r\ninformation via SOCKS tunnels\r\n01 02 03 04 05\r\nSOCKS Tunnel SOCKS Tunnel\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 14\r\nAZURITE\r\nSOHO Device Compromise to Achieve OT Access\r\nSOCKS Tunnel SOCKS Tunnel\r\nAdversary\r\nNetwork Access\r\nSOHO router, NAS, LTE device\r\non OT network border\r\nVulnerability\r\nExploitation or Default\r\nCredentials Engineer Workstation\r\nDirect access\r\nto exposed\r\nSOHO devices\r\nEnroll device into ORB\r\nnetwork and/or stage\r\ncapabilities on ORB\r\nPivot into OT network\r\nsegment connection\r\nwith the edge device\r\nIdentify and then\r\naccess engineering\r\nworkstations\r\nExfiltrate alarm data, PLC\r\nconfigurations, HMI data, operational\r\ninformation via SOCKS tunnels\r\n01 02 03 04 05\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 15\r\nNew: PYROXENE\r\nCross-domain access enabling\r\nmovement from IT into OT networks\r\nCompromised defense contractor\r\nwebsites to target employees\r\nMoved from corporate IT into\r\noperational technology networks\r\nOverlaps with: APT35, Tortoiseshell, UNC1549, Imperial Kitten, assessed by the U.S. 
Government to be aligned with the Islamic Revolutionary\r\nGuard Corps Cyber Electronic Command (IRGC-CEC)\r\nCreated fake LinkedIn profiles\r\nposing as aerospace recruiters\r\nUsed stolen credentials to access\r\nCitrix and VMware systems\r\nTargets:\r\nTransportation Logistics Aerospace Aviation Utilities\r\nWhat Dragos Observed in 2025\r\nManufacturing\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 16\r\nInfected Host\r\nPYROXENE Attack Path\r\nAdversary\r\nMalicious\r\nFingerprinting\r\nJavaScript\r\nAdversary Infrastructure Adversary\r\nCompromised\r\nSupply Chain\r\nWebsites\r\nSends\r\nVictim’s\r\nSystem\r\nFingerprint\r\nVisits\r\nPersistence\r\nSocial Engineering\r\n(LinkedIn, DMs)\r\nSends\r\nMalware\r\nDocuments\r\nDownloads\r\nMalware Fake\r\nInstallers\r\nDirects to Spoofed\r\nCareers Portal\r\nCompromised\r\nSteals System\r\nCredentials\r\nSecure Network Phishes Trusted Partners/Suppliers\r\nUses Compromised\r\nMail Server Account\r\nC2 Server\r\nStrategic website\r\ncompromises\r\nSocial engineering\r\ncampaign\r\nDeploy RAT/Backdoor\r\nInfect Victim Host\r\nLateral movement into\r\nsecure network\r\nSupply\r\nChain Attack\r\n01 02 03 04 05\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 17\r\nExpansion of KAMACITE Targets\r\nTargeted reconnaissance \u0026 access\r\nestablishment enabling ELECTRUM attacks\r\nEuropean supply chain campaign targeting 25+\r\nUkrainian ICS vendors and GIE conference attendees\r\nwith multi-week social engineering\r\nU.S. reconnaissance scanning industrial devices:\r\nSchneider Altivar VFDs, Smart HMIs, Accuenergy AXM modules, Sierra Wireless AirLink gateways\r\nIndustry-specific phishing using native languages and technical terminology\r\nHands off established access to ELECTRUM for destructive Stage 2 operations\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 
18\r\nSystematic Targeting of\r\nOperational Workflows\r\nKAMACITE U.S. Campaign (March-July 2025)\r\nAdversaries are mapping entire control loops for future targets \u0026 attacks.\r\nHMIs (command origin) VFDs (physical control)\r\nMeters (process visibility) Gateways (remote access)\r\nTargeted\r\nAlso Observed: VOLTZITE: Dumps configs\r\nto find process stop triggers\r\nAZURITE: Exfiltrates alarm data\r\nfor operational boundaries\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 19\r\nELECTRUM: 10 Years of Practice\r\nFrom manual breaker commands to automated grid attacks\r\n90% still can't detect Electrum-style attacks\r\n1 2 3\r\nDecember 2015\r\nCoordinated attack on 3\r\nUkrainian distribution\r\noperators causing power\r\noutages during winter\r\nDecember 2016\r\nDeployed CRASHOVERRIDE\r\nmalware against Ukrainian\r\ntransmission substation\r\naffecting hundreds of\r\nthousands\r\n2022-2025\r\nDeployed Industroyer2,\r\nLOTL scripts targeting\r\ndistribution automation,\r\nand multiple custom\r\nwipers\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 21\r\nBAUXITE\r\nDirect ICS manipulation and destructive operations targeting\r\ninternet-exposed operational technology\r\nOverlaps with: CyberAv3ngers (hacktivist persona)\r\nThreatening email campaign targeting cybersecurity\r\nvendors, ICS researchers, and media\r\nContinued Stage 2 activity: Direct manipulation of\r\ninternet-exposed HMIs, PLCs, and industrial devices\r\nTargets:\r\nCritical infrastructure globally, with focus on\r\norganizations with internet-exposed OT devices\r\nWhat Dragos Observed in 2025\r\nDeployed two wiper malware variants against\r\nIsraeli targets during Iran-Israel conflict\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 
22\r\nBAUXITE 2025 Activity\r\nBAUXITE\r\nUses VPS\r\nInfrastructure\r\nDistributes Wiper\r\nWin/Linux malware\r\nTargeted Israeli\r\norganizations\r\nCyberAv3ngers\r\nAPTIran\r\nAdversary-controlled Infrastructure\r\n• CyberAv3ngers branded domains\r\n• Associated email accounts\r\n• Telegram channels\r\n• X accounts\r\nSends threatening, coercive emails\r\nCybersecurity Vendors\r\nICS/OT Vendors\r\nTargeted Individuals\r\nPromotes Hacktivism claims of\r\nDisruption, DDoS, Intrusions:\r\n• ICS/OT Devices\r\n• Perimeter Security Devices\r\n• Energy \u0026 Utilities\r\n• Oil \u0026 Gas\r\n• Railways \u0026 Transport\r\nPsychological, Influence Operations Destructive attacks against Israeli targets\r\n01 02\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 23\r\nRoot Cause Analysis Problem\r\n30%\r\nof IR cases began with\r\n“something is wrong”\r\n82%\r\nlack criteria for when operational\r\nanomalies trigger cyber investigation\r\nIs it cyber?\r\nIs it mechanical?\r\nIs it operator error?\r\nMany attacks don’t\r\nlook like cyber\r\nThey’re just operational misuse\r\nof legitimate equipment\r\nVOLTZITE config dumping\r\nlooks like troubleshooting\r\nKAMACITE VFD scanning\r\nlooks like standard system\r\nenumeration\r\nYou can’t determine root cause if you lack monitoring BEFORE the incident.\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 24\r\nAI Compounds the Visibility Problem\r\nEstablish visibility BEFORE deploying AI or risk creating exponentially greater blind spots.\r\nWas this cyber, equipment\r\nfailure, AI error, or authorized\r\nchange?\r\nImpossible to answer without OT\r\nvisibility \u0026 foundational telemetry\r\nalready in place beforehand\r\nOrganizations\r\nare deploying\r\nin operational\r\nenvironments without\r\nfirst establishing\r\nvisibility.\r\n“\r\n“\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 
25\r\nRansomware by Sector\r\nIn 2025, 3300 ransomware attacks targeted industrial organizations\r\n0\r\n100\r\n200\r\n300\r\n400\r\n500\r\n600\r\n700\r\n800\r\n900\r\nQ1 Q2 Q3 Q4\r\nManufacturing Transport ICS Communications Electric\r\nOil \u0026 Gas Government Renewables Mining Water\r\n5 days\r\naverage dwell time\r\n(getting faster)\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 26\r\nClassify by consequence:\r\nDid operations stop? It's an OT incident.\r\nRansomware in OT is\r\nMislabeled as IT Problem\r\nDon’t call it an IT breach if OT stops working\r\nIt only hit\r\nWindows systems.\r\nEngineering workstations run\r\nWindows. HMIs run Windows.\r\nHistorians run Windows.\r\nIf you classify by operating system,\r\nyou miss the operational impact.\r\nIf you classify by network segment,\r\nyou miss IT/OT dependencies.\r\n“\r\n“\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 27\r\nThe State Of ICS/OT Vulnerabilities\r\n15% of vulnerabilities Dragos assessed in 2025 had incorrect CVSS data\r\n2\r\nMore Severe CVSS\r\n52% of advisories required Dragos to provide mitigations vendors didn’t\r\n64%\r\nLess Severe CVSS\r\n31%\r\nThe Same\r\n4%\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 
28\r\nWhere Vulnerabilities Reside\r\nVULNERABLE\r\nASSETS\r\nBORDERING THE\r\nENTERPRISE ARE\r\nEXPLOITED FOR\r\nINITIAL ACCESS LEVELS\r\n3.5 | 4 | 5\r\n22%\r\nVULNERABLE\r\nASSETS\r\nDEEP WITHIN\r\nICS NETWORKS\r\nARE CLOSE\r\nTO CRITICAL\r\nPROCESSES\r\nSENSOR\r\nOT\r\nI\r\nT\r\nEnterprise Operations\r\nSystems\r\nSupervisory\r\nControl\r\nBasic\r\nControl\r\nPhysical\r\nProcess\r\nLEVEL 0 LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4\r\nSOC SIEM\r\nIT SECURITY\r\nSENSORS ACTUATORS\r\nPLCs\r\nRTUs\r\nSCADA \u0026\r\nHMI\r\nSENSORS ACTUATORS\r\nDCS PLCs SIS\r\nCONTROLLERS\r\nHMI \u0026 SERVERS\r\nHISTORIAN\r\nDMZ JUMP SERVER,\r\nAV, PATCH\r\nHOST LOG\r\nCOLLECTORS\r\nACTIVE\r\nLEVEL 3.5\r\nEC\r\nSENSOR ACTIVE\r\nLEVEL 5\r\nWEB SERVERS EMAIL SERVERS\r\nLEVELS\r\n0 | 1 | 2 | 3\r\n73%\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 29\r\nNecessity of Risk-Based Decisions\r\nOnly some vulnerabilities need immediate action\r\nMitigate through network\r\nmonitoring, segmentation \u0026 MFA\r\nMonitor these for\r\nsigns of exploitation\r\nof ICS/OT\r\nvulnerabilities\r\nneeded to be addressed\r\n2%\r\nare network exploitable with\r\nno direct operational impact\r\nThese need to be addressed\r\npose a possible threat\r\nbut rarely require action\r\nThey likely never need to be addressed\r\nNOW NEXT NEVER\r\n71% 27%\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 30\r\nDefenders Can’t Keep Up\r\nFindings from pentests, tabletop exercises, assessments, and incident response\r\nCan’t Respond Fast Enough\r\n56% have no OT visibility, impeding root cause analysis\r\n50% detected ANY red team activity below IT/OT boundary\r\nCan't See Fast Enough\r\nTTX struggled to detect \u0026\r\nrespond before process\r\nimpact\r\n80%\r\nrecovery times 1-3\r\nweeks\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 
31\r\nActive Threat Groups\r\nWho is targeting oil and gas – and how?\r\nVOLTZITE Stage 2\r\nUpgraded to Stage 2 — targeting pipeline operations\r\nCompromised Sierra Wireless Airlink gateways across U.S. midstream,\r\nupstream, and downstream pipeline operations. Pivoted to engineering\r\nworkstations to dump config files and alarm data - mapping what triggers\r\noperational processes to stop.\r\n▸ Sierra Wireless Airlink RV50/RV55 exploitation ▸ Sensor and operational data exfiltration from\r\nOT ▸ JDY botnet pre-staging VPN appliances across O\u0026G\r\nSYLVANITE Stage 1\r\nInitial access provider targeting O\u0026G at scale\r\nTargets O\u0026G across North America and Saudi Arabia. Exploits internet-facing\r\nedge devices and passes access to VOLTZITE within days. Port scanning alone\r\nhas caused unintended disruption to legacy OT devices.\r\n▸ N-day exploitation of F5, Ivanti, SAP, and ConnectWise ▸ Credential harvesting; lateral\r\nmovement via SOCKS5/FRP ▸ Passes access to VOLTZITE for follow-on OT operations\r\nAZURITE Stage 2\r\nStealing O\u0026G operational data to enable future attacks\r\nTargets oil and gas engineering workstations to exfiltrate alarm data, config\r\nfiles, and process information. Not disrupting now, collecting the intelligence\r\nneeded to develop OT-specific attack capability later.\r\n▸ Exploits internet-facing Ivanti, Fortinet, and F5 devices ▸ RDP access to EWS using\r\ncompromised credentials ▸ Data staged outside OT network via SOCKS5 tunneling\r\nKAMACITE Stage 1\r\nMapping U.S. energy infrastructure to prepare ELECTRUM for operations\r\nBetween March and July 2025, KAMACITE conducted sustained reconnaissance of U.S.\r\ninternet-exposed industrial devices — targeting HMIs, VFDs, meters, and cellular gateways\r\nin sequence to map entire control loops. 
O\u0026G infrastructure was directly in scope.\r\nKAMACITE's mission is building persistent access for ELECTRUM to operationalize.\r\n▸ Systematic scanning of exposed HMIs, VFDs, meters, and Airlink gateways ▸ Spear-phishing of\r\noperators, vendors, and integrators ▸ Passes persistent access to ELECTRUM\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 32\r\nOil \u0026 Gas Sector Risks\r\nKey threat themes converging on oil \u0026 gas operations in 2025-2026\r\n01 CELLULAR GATEWAY EXPLOITATION\r\nYour most exposed OT entry point is a device IT doesn't know exists\r\nVOLTZITE compromised Sierra Wireless Airlink gateways across midstream, upstream, and downstream\r\npipeline operations. These cellular routers create unauthorized OT pathways, bypass traditional\r\nsecurity controls, and are often invisible to IT teams. Once inside, VOLTZITE pivoted to engineering\r\nworkstations to map what triggers process shutdowns.\r\n02 OT INTELLIGENCE COLLECTION\r\nAdversaries are building the capability to attack oil \u0026 gas\r\nAZURITE targets O\u0026G engineering workstations to exfiltrate alarm data, configuration files, and process\r\ninformation. This is not disruption — it is the preparation for disruption. The data stolen today almost\r\ncertainly supports developing OT-specific attack tooling for future physical-consequence operations.\r\n03 ACCESS-PROVIDER ECOSYSTEM\r\nRansomware reaches OT without touching a single industrial protocol\r\nAffiliates authenticate into VPN portals using stolen credentials, pivot to ESXi hypervisors hosting\r\nSCADA and historian VMs, and encrypt. Operations lose visibility and control without any ICS-specific\r\nexploit. 
73% of Dragos IR cases involved VPN or credential reuse as the entry point, and O\u0026G has the\r\nhighest rate of default credentials of any sector.\r\nOPERATIONAL\r\nCONSEQUENCES\r\nLoss of View\r\nStolen config files and alarm data give\r\nadversaries the intelligence to cause process\r\ndisruption while operators lose trust in their\r\nown telemetry.\r\nLoss of Control\r\nVOLTZITE specifically mapped what triggers\r\npipeline processes to stop. That intelligence\r\nenables targeted disruption of operations\r\nwhen an adversary chooses to act.\r\nPhysical Impact\r\nRansomware encrypting OT-support\r\nhypervisors causes multi-day operational\r\nshutdowns. 100% of Dragos OT ransomware\r\ncases in 2025 resulted in significant operational\r\ndisruption.\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 33\r\n5\r\nTHE FIVE ICS CYBER SECURITY\r\nCRITICAL CONTROLS\r\n01 ICS Incident Response Plan\r\n02 Defensible Architecture\r\n03 ICS Network Monitoring Visibility\r\n04 Secure Remote Access\r\n05 Risk-based Vulnerability Management\r\nRECOMMENDATIONS\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 34\r\nField Data, TTX Results \u0026 Priority Actions for Oil \u0026 Gas Operators\r\n• O\u0026G TTXs show Major Challenges in COMMUNICATE, CONTAIN, and DOCUMENT\r\nWhen incidents occur, O\u0026G operators struggle to coordinate, stop, and record what happened.\r\n2025 TTX RESULTS — OIL \u0026 GAS SECTOR\r\nDragos tabletop exercise performance across OT incident response capabilities\r\nActivate Some Challenges\r\nDetect Some Challenges\r\nRespond Some Challenges\r\nCommunicate MAJOR Challenges\r\nRecover Some Challenges\r\nContain MAJOR Challenges\r\nDocument MAJOR Challenges\r\nPRIORITY ACTIONS FOR O\u0026G OPERATORS\r\n1\r\nAudit every Sierra Wireless Airlink gateway\r\nVOLTZITE specifically targeted these across midstream, upstream, and\r\ndownstream. 
Many O\u0026G operators will find gateways IT didn't know existed.\r\n2\r\nRemove default credentials on field devices\r\n26% of O\u0026G sites still have them. Ransomware variants Fog and Greenlux\r\nexploited exactly these weaknesses in 2025.\r\n3\r\nSegment OT from IT - especially vendor access\r\n29% of O\u0026G reports found poor IT/OT segmentation. Flat architectures allowed\r\nransomware to move laterally without resistance in 2025.\r\n4\r\nDeploy ICS-aware monitoring on SCADA and historians\r\nAZURITE operated inside O\u0026G OT environments undetected. 46% of\r\narchitecture reviews found significant visibility gaps in O\u0026G.\r\n5\r\nExercise O\u0026G-specific incident response playbooks\r\nTTXs show Major Challenges in three of seven core IR capabilities. Practice\r\ncoordinated IT/OT response before an incident forces it.\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 35\r\nField Data, Defensible Architecture Stats\r\n• O\u0026G is still struggling with basic controls\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 36\r\nField Data, OT Visibility Stats (All Engagements)\r\n46.00%\r\n56.00%\r\n5.00%\r\n0.00%\r\n50.00%\r\n100.00%\r\nOT Visibility Gaps Detection Gaps\r\n(Native Tools)\r\nPowerShell\r\nExecution Logging\r\nEnabled\r\nNetwork and Host Visibility\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 37\r\nField Data, Secure Remote Access\r\n• 50% of engagements included SRA findings\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 38\r\nField Data, Vulnerability Findings\r\n• 80% of engagements included vulnerability findings\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 39\r\nQUESTIONS AND ANSWERS\n\n© 2026 Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential. 40\r\nThank you\n\nQUESTIONS AND ANSWERS \n© 2026 Dragos, Inc. 
All Rights Reserved. Proprietary \u0026 Confidential. 39",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"pdf"
	],
	"references": [
		"https://hub.dragos.com/hubfs/2026_YIR_ExecutiveBriefing%20O_G.pdf?hsLang=en"
	],
	"report_names": [
		"2026_YIR_ExecutiveBriefing%20O_G.pdf?hsLang=en"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-29T06:58:58.270898Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-29T06:58:56.316107Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision",
				"COBALT MIRAGE",
				"Agent Serpens"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-29T06:58:56.755633Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-29T06:58:58.254021Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-29T06:58:56.751454Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"Red Dev 61",
				"UNC5221"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5484a633-c850-4380-921b-72fce1a32e72",
			"created_at": "2024-01-18T02:02:34.026014Z",
			"updated_at": "2026-04-29T06:58:57.833725Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [],
			"source_name": "ETDA:CyberAv3ngers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-29T06:58:57.745497Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450",
				"MuddyKrill"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"MuddyViper",
				"STARWHALE",
				"LP-Notes",
				"POWERSTATS",
				"Rclone",
				"Out1",
				"Tsundere Botnet",
				"PowerSploit",
				"Small Sieve",
				"Fooder",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-29T06:58:56.681943Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"Smoke Sandstorm",
				"BOHRIUM",
				"IMPERIAL KITTEN"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-29T06:58:56.310338Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK51",
				"Boggy Serpens",
				"Earth Vetala",
				"Static Kitten",
				"COBALT ULSTER",
				"Mango Sandstorm",
				"TA450",
				"TEMP.Zagros",
				"Seedworm",
				"G0069"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-29T06:58:56.416735Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Crimson Sandstorm",
				"CURIUM",
				"IMPERIAL KITTEN",
				"Imperial Kitten",
				"TA456",
				"DUSTYCAVE",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"Yellow Liderc"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0f91a2f-ae05-4658-a6df-14938355eecb",
			"created_at": "2024-03-02T02:00:03.833721Z",
			"updated_at": "2026-04-29T06:58:56.823603Z",
			"deleted_at": null,
			"main_name": "UNC1549",
			"aliases": [
				"Nimbus Manticore"
			],
			"source_name": "MISPGALAXY:UNC1549",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-29T06:58:56.837813Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-29T06:58:57.891787Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b125b5c1-1431-4880-9ab8-582a583811ea",
			"created_at": "2024-04-24T02:00:49.643067Z",
			"updated_at": "2026-04-29T06:58:57.895048Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [
				"CyberAv3ngers",
				"Soldiers of Soloman"
			],
			"source_name": "MITRE:CyberAv3ngers",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-29T06:58:56.199012Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"Blue Echidna",
				"FROZENBARENTS",
				"UAC-0113",
				"UAC-0082",
				"Quedagh",
				"TEMP.Noble",
				"TeleBots",
				"IRIDIUM",
				"Seashell Blizzard",
				"APT44",
				"VOODOO BEAR",
				"IRON VIKING",
				"G0034",
				"ELECTRUM"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-29T06:58:57.738664Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-29T06:58:57.506187Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "42ee1c89-d75c-4e1e-91fa-dab8c0e83bf6",
			"created_at": "2024-04-20T02:00:03.5779Z",
			"updated_at": "2026-04-29T06:58:56.858749Z",
			"deleted_at": null,
			"main_name": "UNC5291",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5291",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-29T06:58:57.735943Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus",
				"DazedToad"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-29T06:58:58.009074Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "786139da-4139-49d0-9685-e249c5f89f25",
			"created_at": "2024-12-30T02:01:48.731055Z",
			"updated_at": "2026-04-29T06:58:57.996042Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [
				"Bohrium",
				"DEV-0056",
				"Operation Iranian Dream Job",
				"Smoke Sandstorm",
				"TA455",
				"UNC1549",
				"Yellow Dev 13"
			],
			"source_name": "ETDA:TA455",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"SlugResin",
				"SnailResin"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-29T06:58:57.501827Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-29T06:58:57.873095Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-29T06:58:57.491949Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-29T06:58:57.508616Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-29T06:58:58.229959Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-29T06:58:57.59961Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0dc20eeb-81e3-48ef-9a12-7b38fdcf07b1",
			"created_at": "2025-09-20T02:04:46.693616Z",
			"updated_at": "2026-04-29T06:58:57.573614Z",
			"deleted_at": null,
			"main_name": "COBALT SMOKEY",
			"aliases": [
				"Nimbus Manticore ",
				"Smoke Sandstorm ",
				"Subtle Snail ",
				"TA455 ",
				"UNC1549 "
			],
			"source_name": "Secureworks:COBALT SMOKEY",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"MINIBUS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-29T06:58:57.585466Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8bcbeb8a-111b-4ea1-a72b-5c7abd8ef132",
			"created_at": "2025-11-01T02:04:53.050049Z",
			"updated_at": "2026-04-29T06:58:57.589482Z",
			"deleted_at": null,
			"main_name": "BRONZE SNOWDROP",
			"aliases": [
				"UNC5174 "
			],
			"source_name": "Secureworks:BRONZE SNOWDROP",
			"tools": [
				"Metasploit",
				"SNOWLIGHT",
				"SUPERSHELL",
				"Sliver",
				"VShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-29T06:58:56.581488Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391",
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba909e34-bce1-4af4-b89a-3e855718f193",
			"created_at": "2026-01-18T02:00:03.059161Z",
			"updated_at": "2026-04-29T06:58:57.054243Z",
			"deleted_at": null,
			"main_name": "Houken",
			"aliases": [],
			"source_name": "MISPGALAXY:Houken",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1820b6d5-4c68-4c37-bd25-034fd77cf1bf",
			"created_at": "2026-01-17T02:00:03.195495Z",
			"updated_at": "2026-04-29T06:58:57.052089Z",
			"deleted_at": null,
			"main_name": "CL-STA-0048",
			"aliases": [
				"CL STA 0048"
			],
			"source_name": "MISPGALAXY:CL-STA-0048",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "24286a10-f789-4cc1-bae6-0bc324cdf9fa",
			"created_at": "2026-03-24T02:00:04.644523Z",
			"updated_at": "2026-04-29T06:58:57.163316Z",
			"deleted_at": null,
			"main_name": "APTIran",
			"aliases": [],
			"source_name": "MISPGALAXY:APTIran",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-29T06:58:57.716092Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1777429228,
	"ts_updated_at": 1777450875,
	"ts_creation_date": 1774446620,
	"ts_modification_date": 1774446620,
	"files": {
		"pdf": "https://archive.orkl.eu/f14bf3978e2754e3c4e5cc0344d17f612ade1ccd.pdf",
		"text": "https://archive.orkl.eu/f14bf3978e2754e3c4e5cc0344d17f612ade1ccd.txt",
		"img": "https://archive.orkl.eu/f14bf3978e2754e3c4e5cc0344d17f612ade1ccd.jpg"
	}
}