Russia’s OT attack teams expand beyond Ukraine:

The Russia-linked pair Kamacite and Electrum, which Dragos has tracked since the mid-2010s and which are responsible for the 2015 and 2016 cyberattacks that took down parts of Ukraine’s power grid, expanded operations into NATO territory in 2025 after years focused almost exclusively on Ukrainian targets.

Kamacite, which serves as the access-and-reconnaissance arm that enables Electrum’s destructive operations, ran a four-month campaign from March to July 2025 scanning internet-exposed US industrial control devices, including Schneider Electric variable-frequency drives, smart HMIs, Accuenergy power meters, and Sierra Wireless cellular gateways.

The scanning was not opportunistic, Dragos said. Kamacite targeted specific device types in sequence, suggesting the group was mapping entire control loops rather than probing for isolated vulnerabilities.

Earlier in the year, Kamacite targeted attendees of a Gas Infrastructure Europe conference in Munich, engaging targets in multi-day, native-language spear-phishing conversations. The group also targeted at least 25 Ukrainian industrial companies across 10 regions in a sustained supply-chain campaign.

Electrum, the operational arm that carries out destructive attacks, struck Polish energy infrastructure in late December 2025 in what Dragos describes as the first major coordinated cyberattack against distributed energy resources (DERs) worldwide.

The attack targeted roughly 30 wind farms, solar installations, and a combined heat and power plant, exploiting internet-facing Fortinet devices configured with default credentials and no multi-factor authentication. The attackers deployed wiper malware that destroyed data on HMIs and corrupted firmware on OT devices, causing operators to lose visibility and control over the facilities.

Dragos attributed the Poland attack to Electrum with moderate confidence.
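As an added illustration (not code from the article or from Dragos) of the Kamacite scanning pattern described above, the following detector flags a single external source that reaches several distinct classes of internet-facing OT devices in quick succession, which is what separates control-loop mapping from an isolated probe. The asset inventory, addresses and firewall log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory (invented addresses) of internet-facing OT endpoints by device class.
ASSET_INVENTORY = {
    "203.0.113.10": "vfd",           # variable-frequency drive
    "203.0.113.11": "hmi",           # smart HMI
    "203.0.113.12": "power_meter",
    "203.0.113.13": "cell_gateway",  # cellular gateway
}

# Constructed perimeter firewall log: "<ISO time> <src> -> <dst>".
SAMPLE_LOG = """\
2025-03-04T09:00:00 198.51.100.7 -> 203.0.113.10
2025-03-04T09:00:10 198.51.100.7 -> 203.0.113.11
2025-03-04T09:00:25 198.51.100.7 -> 203.0.113.12
2025-03-04T09:00:40 198.51.100.7 -> 203.0.113.13
2025-03-04T09:02:00 198.51.100.9 -> 203.0.113.10
2025-03-04T14:00:00 198.51.100.9 -> 203.0.113.11
"""


def parse_log(text):
    """Yield (timestamp, src, dst) from the constructed log format."""
    for line in text.splitlines():
        ts, src, _, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_control_loop_mapping(log_text, min_classes=3, window_s=3600):
    """Return {src: [device classes]} for each source reaching at least min_classes
    distinct OT device classes within window_s seconds (one source walking a loop)."""
    seen = defaultdict(list)  # src -> [(ts, device class)]
    for ts, src, dst in parse_log(log_text):
        cls = ASSET_INVENTORY.get(dst)
        if cls:
            seen[src].append((ts, cls))
    hits = {}
    for src, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide a window starting at each event
            classes = []
            for t, c in events[i:]:
                if (t - t0).total_seconds() > window_s:
                    break
                if c not in classes:
                    classes.append(c)
            if len(classes) >= min_classes:
                hits[src] = classes
                break
    return hits
```

The second source touches only two classes five hours apart and is not flagged; tune `min_classes` and `window_s` to the size of the exposed inventory.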
Lee said the same style of attack in the US, Australia, or the Nordic countries, where grids rely more heavily on distributed energy resources, could have been “potentially catastrophic.”

“Some of the defender teams across NATO countries stopped worrying as much about certain Russian threat groups because they stopped seeing them,” Lee said. “I’m saying it looks like they might come back to a theater near you and now with a heck of a lot more experience. So keep up on what’s going on in Ukraine, and try to apply those lessons learned, because it could be very impactful for you.”

Electrum also developed two new wiper malware variants in 2025. PathWiper, discovered in June but active since March, uses a more thorough and methodical approach to data destruction than HermeticWiper, the wiper malware that Sandworm used against Ukrainian targets hours before the Russian invasion started. A second wiper variant was discovered in December.

The group is also known to use pro-Russia hacktivist personas to mask its involvement in attacks. In May, the Solntsepek persona that Electrum has used on several occasions conducted destructive operations against eight Ukrainian internet service providers.
OT operators lack visibility to detect threats:

Fewer than 10% of OT networks worldwide have any security monitoring in place, according to Dragos’ data. And 90% of the asset owners the firm works with still cannot detect the techniques Electrum used to take down Ukraine’s power grid a decade ago, Lee said.

In tabletop exercises the company conducted in 2025, 88% of participants had trouble detecting threats, 94% had difficulty with containment, and 82% struggled to activate their incident response plans. During real-world engagements, a third of incident response cases began not with an alert from a product but with an operator noticing something seemed wrong, and in most of those cases the data needed to investigate the incident had never been collected.

Dragos also found that 82% of OT asset owners lack defined criteria for when an operational anomaly should trigger a cybersecurity investigation. On top of that, 81% of environments assessed had poor IT/OT network segmentation, and 56% of penetration tests found that attackers could move laterally inside OT networks using legitimate system tools without being detected.

“We’ve told our community, build a big glass house, but the moment that perimeter is breached, like, I don’t know, good luck,” Lee said, noting that roughly 90% of security guidance for OT environments focuses on perimeter defense (“patch, passwords, antivirus, access controls, secure mode access”), with less than 10% addressing detection and response once intruders are inside the network.

Dragos calls visibility the foundational control, so building network monitoring and improving segmentation are of the utmost importance.
The firm’s vulnerability analysis found that only 3% of ICS vulnerabilities require immediate patching, while 71% can be addressed through basic network hygiene and 27% pose minimal operational risk.

In the US, new NERC CIP-015 regulations will require bulk electric system operators to implement internal network security monitoring within three years for high-criticality sites and five years for medium-criticality ones. But the requirement applies only to the electric sector, leaving water, oil and gas, and manufacturing without comparable mandates.

“We’re going to have to live with the reality that a portion of our infrastructure is currently compromised and will remain compromised at the current trajectory of the [ICS] community,” Lee said.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4140841/state-affiliated-hackers-set-up-for-critical-ot-attacks-that-operators-may-not-detect.html