
Dragos Links Coordinated Polish Power Grid Cyberattack to Russia-Backed ELECTRUM Group

A wave of connected cyber intrusions struck multiple points in Poland’s electricity infrastructure near the end of 2025. Dragos, an industrial control system security firm, assessed with limited certainty that the activity aligns with a Russia-linked group known as ELECTRUM. While attribution is not definitive, the techniques and patterns resemble previous operations tied to the cluster. Investigators also flagged unusual entry routes through third-party maintenance channels, with disruptions occurring amid heightened geopolitical tensions. No major blackouts followed, but systems recorded repeated probing attempts. Response teams moved quickly to isolate affected segments, and attribution was supported by forensic traces left during the breaches. Officials emphasized continued vigilance despite containment. 

At one site, critical hardware was destroyed and left unusable, marking what Dragos described as the first large-scale cyberattack focused on decentralized energy systems such as wind turbines and solar generation connected to the grid. Operational technology used in electricity distribution was accessed without authorization, and systems managing renewable output faced interference even though overall service stayed online. Communication failures also affected combined heat and power facilities. Entry was gained through systems tied to grid stability, with damage remaining localized but irreversible at one location. 

Dragos noted links between ELECTRUM and another group, KAMACITE, with overlaps consistent with the broader Sandworm ecosystem, also tracked as APT44 or Seashell Blizzard. KAMACITE is believed to specialize in initial access, using spear-phishing, stolen credentials, and attacks against exposed public-facing systems. 

After entry, KAMACITE reportedly conducts quiet reconnaissance and persistence in OT environments, creating conditions for later action. Once access is established, ELECTRUM activity is assessed to bridge IT and OT networks, deploying tooling inside operational systems. Actions attributed to ELECTRUM can include manipulating control systems or disrupting physical processes, either through direct operator interface interaction or purpose-built ICS malware depending on objectives. 

Dragos described a division of roles between the clusters that enables long-term access and flexible execution, including delayed disruption. Even without immediate damage, persistent access can create long-term risk. KAMACITE-linked activity also appears geographically unconstrained, with scanning against U.S. industrial systems reported as recently as mid-2025. 

In Poland, attackers targeted systems that connect grid operators with distributed energy resources, disrupting coordination. Roughly three dozen sites experienced operational impact. Investigators said poorly secured network devices and exploited vulnerabilities enabled entry, allowing intruders to reach Remote Terminal Units and move through communications infrastructure. Dragos said the attackers showed strong knowledge of grid systems, successfully disabling communications tools and certain OT components. 

However, the full scope remains unclear, including whether operational commands were issued or whether the focus stayed on communications disruption. Overall, Dragos assessed the incident as more opportunistic than carefully planned, with attackers attempting rapid disruption once inside by wiping Windows systems, resetting configurations, and trying to permanently brick equipment. The hardest-hit devices supported grid safety and stability monitoring. 

Dragos concluded that the damage shows OT intrusions are shifting from preparation into active attacks against systems that manage distributed generation.

How Would You Deal with the Inevitable Breaches of 2023?


Large-scale breaches are inevitable in 2023 as a result of cyber criminals speeding up their attacks against businesses today. In the past two months, T-Mobile, LastPass, and the Virginia Commonwealth University Health System have all faced a number of severe breaches. 

In the T-Mobile data breach, around 37 million of the company’s customer records were compromised before the US-based wireless carrier discovered the intrusion on January 19. Password management platform LastPass has suffered a series of attacks that resulted in the identities of 25 million users being compromised. 

VCU, on the other hand, announced a breach earlier this month in which information on over 4,000 organ donors and recipients was exposed for more than 16 years. 

Even After Investing in Robust Cybersecurity, Breaches may only Increase in 2023 

Company CEOs and board members tend to invest in advanced cybersecurity systems in order to gain better risk control and management strategies. According to Ivanti’s State of Security Preparedness 2023 report, 71% of CISOs and security experts believe their budgets will rise this year by an average of 11%. 

The report further notes that a record $261.48 billion will be spent on information and security risk management globally in 2026, up from $167.86 billion in 2021. The unsettling paradox is that despite these constantly rising cybersecurity and zero-trust budgets, ransomware and other sophisticated attacks continue to succeed. 

The power dynamic apparently favors cyber criminals, cybercrime organizations, and advanced persistent threat (APT) groups. Cyberattacks are becoming more sophisticated and severe, with attackers often studying a business for months before striking and using "low and slow" tactics to evade detection. The Ivanti report predicts this year will be difficult for CISOs and their teams due to the growth in ransomware, phishing, software vulnerabilities, and DDoS attacks. 

Steps Organizations can Work on to Tackle Breaches 

John Kindervag, an authority in his field and the creator of Zero Trust, says: “Start with a single security surface because this will allow you to segment cyber security into manageable pieces. The best thing about doing this is that it is non-disruptive.” 

Below are more such steps that would further aid in tackling breaches: 

1. Audit All Access Privileges, Remove Irrelevant Accounts, and Roll Back Administrator Rights

Cyber attackers tend to combine business email compromise, social engineering, phishing, fraudulent multifactor authentication (MFA) sessions, and more in order to lure victims into handing over their passwords. Around 80% of breaches take place following the compromise of such privileged credentials.

Contractors, sales partners, service providers, and support partners from previous years frequently still retain access to portals, internal websites, and applications. Access credentials for accounts and partners that are no longer valid must be removed. 

Without MFA, valid accounts are only weakly protected, so MFA needs to be enabled right away on all legitimate accounts. It should come as no surprise that in 2022 it took an average of 277 days, or almost nine months, to identify and contain a breach.
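One way to turn the three checks in this step (stale third-party access, over-broad admin rights, accounts without MFA) into a repeatable audit over a directory export. This is an added example, not code from the original post or from the report it cites; the account record format, the 90-day stale threshold and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2023, 2, 15)  # constructed reference date so results are deterministic

@dataclass
class Account:
    name: str
    kind: str                 # "employee", "contractor", "partner" or "service"
    is_admin: bool
    mfa_enabled: bool
    last_login: Optional[date]            # None: the account has never logged in
    contract_end: Optional[date] = None   # only meaningful for external accounts

def audit(accounts, today=TODAY, stale_days=90):
    """Sort accounts into the three actions this step calls for (90-day stale threshold is assumed)."""
    findings = {"disable_stale_external": [], "rollback_admin": [], "enable_mfa": []}
    for acct in accounts:
        external = acct.kind != "employee"
        expired = acct.contract_end is not None and acct.contract_end < today
        stale = acct.last_login is None or (today - acct.last_login).days > stale_days
        if external and (expired or stale):
            # Third-party access that outlived its engagement: remove it outright.
            findings["disable_stale_external"].append(acct.name)
            continue
        if acct.is_admin and (external or stale):
            # Admin rights on an external or dormant account: roll back to least privilege.
            findings["rollback_admin"].append(acct.name)
        if not acct.mfa_enabled:
            findings["enable_mfa"].append(acct.name)
    return findings

# Constructed sample directory export; names and dates are illustrative only.
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", True, True, TODAY - timedelta(days=3)),
    Account("bob", "employee", True, False, TODAY - timedelta(days=10)),
    Account("acme-support", "partner", False, False, TODAY - timedelta(days=200)),
    Account("vendor-x", "contractor", True, True, TODAY - timedelta(days=5),
            contract_end=TODAY - timedelta(days=30)),
    Account("dev-contractor", "contractor", True, True, TODAY - timedelta(days=2),
            contract_end=TODAY + timedelta(days=60)),
]

def run_sample():
    return audit(SAMPLE_ACCOUNTS)
```

On the sample, the two dormant or expired partner accounts are flagged for removal, the active contractor keeps access but loses admin rights, and the one employee without MFA is listed for enrollment.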

 2. Monitor Multifactor Authentication from the User’s Perspective 

Protecting every legitimate identity with MFA is standard practice. Making it as unobtrusive and secure as feasible, however, is a challenge. Contextual, risk-based analysis techniques have the potential to enhance the user experience. Despite its adoption issues, CIOs and CISOs tell VentureBeat that MFA is one of their favorite quick wins because of how measurably it adds an extra layer to an organization's defense against data breaches.

According to Andrew Hewitt, senior analyst at Forrester, the best place to secure one’s identity is “always implementing multi-factor authentication. This can go a long way toward ensuring that enterprise data is secure. From there, it is enrolling devices and maintaining a solid compliance standard with Unified Endpoint Management (UEM) tools.”

Furthermore, Forrester advises enterprises to consider what-you-are (biometric), what-you-do (behavioral biometric), or what-you-have (token) factors for better results in MFA implementation. Hewitt recommends organizations consider adding PIN codes or implementing single-factor authentication.

3. Keep Cloud-based Email Security Programs Updated to the Latest Version

CISOs are apparently pressuring email security providers to improve their anti-phishing tools and implement zero-trust-based controls for potentially harmful URLs and attachment screening. The top suppliers in this space use computer vision to find URLs that need to be quarantined or removed.

Cyber security teams are switching to cloud-based email security suites with integrated email sanitization features. Organizations have also been advised to consider email-centric security orchestration, automation and response (SOAR) tools, such as M-SOAR, or extended detection and response (XDR), which incorporate email security to safeguard against email-borne attacks.

Moreover, one of the most effective approaches an organization can take is to accept that a breach is inevitable and invest in a well-formulated strategy rather than simply trying to avoid the risk. Developing a culture of cyber-resilience is one of the best actions a company can take to withstand a breach attempt.