Introduction
This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage
Activities and Tactics
Targeted Sectors: Electric, Energy, Industrial, Private sector, Government
Country of Origin: π·πΊ Russia
Risk Level: High
Incident Type: Espionage
Suspected Victims: Russia, Lithuania, Kyrgyzstan, Israel, Ukraine, Belarus, Kazakhstan, Georgia, Poland, Azerbaijanβ¦
Notable Campaigns
- Viasat KA-SAT (February 2022; Sandworm (RU APT))
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- BlackEnergy
- PowerDuke
- POWERSTATS
- Power Loader
- POWERSOURCE
- BLACKCOFFEE
- Blackshades
- BlackNix
- BlackHole
- PowerRAT
Russian APT Tool Matrix observations
| Category | Observed tools |
|---|---|
| Defense Evasion | SDelete, libprocesshider |
| Exfiltration | Rclone |
| LOLBAS | BITSAdmin, BITSadmin, certutil, curl |
| Networking | Chisel, OpenSSH, Pivotnacci, ReGeorg, Tor |
| OffSec | Cobalt Strike, Empyre, Impacket, JuicyPotatoNG, Metasploit, Meterpreter, PAS Web Shell, PoshC2, PowerShell Empire, RottenPotatoNG, WSO Web Shell, Weevely Web Shell |
| RMM Tools | Atera, RemCom, Splashtop |
Attribution and Evidence
Country of Origin: Russia Additional attribution information pending cataloguing.
References
References pending cataloguing.