Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cybercrime group attack. Show all posts
Large-scale breaches
Cyber Attacks Cyber Breaches cybercrime group cybercrime group attack Dragos Dragos cybersecurity Dragos hacked Large-scale breaches

Dragos Links Coordinated Polish Power Grid Cyberattack to Russia-Backed ELECTRUM Group

A wave of connected cyber intrusions struck multiple points in Poland’s electricity infrastructure near the end of 2025. Dragos, an industrial control system security firm, assessed with limited certainty that the activity aligns with a Russia-linked group known as ELECTRUM. While attribution is not definitive, the techniques and patterns resemble previous operations tied to the cluster. Investigators also flagged unusual entry routes through third-party maintenance channels, with disruptions occurring amid heightened geopolitical tensions. No major blackouts followed, but systems recorded repeated probing attempts. Response teams moved quickly to isolate affected segments, and attribution was supported by forensic traces left during the breaches. Officials emphasized continued vigilance despite containment. 

At one site, critical hardware was destroyed and left unusable, marking what Dragos described as the first large-scale cyberattack focused on decentralized energy systems such as wind turbines and solar generation connected to the grid. Operational technology used in electricity distribution was accessed without authorization, and systems managing renewable output faced interference even though overall service stayed online. Communication failures also affected combined heat and power facilities. Entry was gained through systems tied to grid stability, with damage remaining localized but irreversible at one location. 

Dragos noted links between ELECTRUM and another group, KAMACITE, with overlaps consistent with the broader Sandworm ecosystem, also tracked as APT44 or Seashell Blizzard. KAMACITE is believed to specialize in initial access, using spear-phishing, stolen credentials, and attacks against exposed public-facing systems. 

After entry, KAMACITE reportedly conducts quiet reconnaissance and persistence in OT environments, creating conditions for later action. Once access is established, ELECTRUM activity is assessed to bridge IT and OT networks, deploying tooling inside operational systems. Actions attributed to ELECTRUM can include manipulating control systems or disrupting physical processes, either through direct operator interface interaction or purpose-built ICS malware depending on objectives. 

Dragos described a division of roles between the clusters that enables long-term access and flexible execution, including delayed disruption. Even without immediate damage, persistent access can create long-term risk. KAMACITE-linked activity also appears geographically unconstrained, with scanning against U.S. industrial systems reported as recently as mid-2025. 

In Poland, attackers targeted systems that connect grid operators with distributed energy resources, disrupting coordination. Roughly three dozen sites experienced operational impact. Investigators said poorly secured network devices and exploited vulnerabilities enabled entry, allowing intruders to reach Remote Terminal Units and move through communications infrastructure. Dragos said the attackers showed strong knowledge of grid systems, successfully disabling communications tools and certain OT components. 

However, the full scope remains unclear, including whether operational commands were issued or whether the focus stayed on communications disruption. Overall, Dragos assessed the incident as more opportunistic than carefully planned, with attackers attempting rapid disruption once inside by wiping Windows systems, resetting configurations, and trying to permanently brick equipment. The hardest-hit devices supported grid safety and stability monitoring. 

Dragos concluded that the damage shows OT intrusions are shifting from preparation into active attacks against systems that manage distributed generation.
Read more »
GuidePoint Security
Akira Ransomware Cyber Crime Cyber Security Ransomware Attacks cybercrime group cybercrime group attack cybersecurity threat actors GuidePoint Security

Global Ransomware Groups Hit Record High as Smaller Threat Actors Emerge

 

The number of active ransomware groups has reached an unprecedented high, marking a new phase in the global cyber threat landscape. According to GuidePoint Security’s latest Ransomware & Cyber Threat Report, the total number of active groups surged 57%, climbing from 49 in the third quarter of 2024 to an all-time peak of 77. Despite this sharp rise, the number of victims has remained consistent, averaging between 1,500 and 1,600 per quarter since late last year. 

The United States continues to bear the brunt of these attacks, accounting for 56% of all reported victims. Germany and the United Kingdom followed distantly at 5% and 4%, respectively. Manufacturing, technology, and the legal sectors were among the hardest hit, with the manufacturing industry alone reporting 252 publicly claimed attacks in the second quarter—a 26% increase from the previous quarter. 

GuidePoint’s senior threat intelligence analyst, Nick Hyatt, noted that while the overall ransomware volume has stabilized, the number of distinct groups is soaring. He explained that this growth reflects both the consolidation of experienced threat actors under major ransomware-as-a-service (RaaS) platforms and the influx of newer, less skilled operators trying to gain traction in the ecosystem. 

Among the most active groups, Qilin led with a dramatic 318% year-over-year surge, claiming 234 victims this quarter. Akira followed with 130 victims, while IncRansom—first detected in August 2023—emerged as the third most active group after a sharp increase in attacks. Another rising player, SafePay, has steadily expanded its operations since its appearance in late 2024, now linked to 258 victims across 29 industries and 30 countries in 2025 alone. 

GuidePoint’s researchers also observed a growing number of unclaimed or unattributed ransomware attacks, suggesting that many threat actors are either newly formed or deliberately avoiding public identification. This trend points to an increasingly fragmented and unpredictable ransomware environment. 

While the stabilization in overall attack numbers might appear reassuring, experts warn against complacency. The rapid diversification of ransomware groups and the proliferation of smaller, anonymous actors underline the evolving sophistication of cybercrime. As Hyatt emphasized, this “new normal” reflects a sustained, adaptive threat landscape that demands continuous vigilance, proactive defense strategies, and cross-industry collaboration to mitigate future risks.
Read more »
ransomware prevention
Black Basta Ransomware cybercrime group attack file-encrypting malware malware Microsoft Teams malware phishing campaigns 2024 ransomware prevention

Black Basta Targets Microsoft Teams with New Ransomware Tactics

 

The Black Basta ransomware group has resurfaced with a concerning method of spreading file-encrypting malware, now targeting Microsoft Teams. The group, notorious for cyberattacks on technology, finance, and public sector industries, exploits the popular collaboration platform to infiltrate networks.

First observed in October 2024, this new tactic shows a shift from previous approaches. Active since April 2022, Black Basta initially used spam and social engineering to distribute malware. Now, they impersonate IT support staff or colleagues, tricking users into providing credentials for fake network logins, enabling the deployment of malware. This deceptive method replaces older techniques like phone-based social engineering.

Microsoft Teams is a strategic target due to its global use in corporate communication. Many employees trust messages within the platform, often overlooking verification steps. This makes them more vulnerable to attackers who exploit this trust to gain unauthorized access.

In 2023, Black Basta was connected to email phishing campaigns involving links to malicious websites. While those campaigns focused on harvesting credentials and delivering malware, the group's shift to real-time platforms like Teams indicates a significant evolution in their strategy.

Microsoft urges users to exercise caution with suspicious messages, especially those requesting sensitive information or financial transactions. "If a message in Teams appears to ask for credentials or money transfers, users are advised to verify the sender’s identity through other channels," the company recommended. Avoiding unknown links and confirming requests through phone or email are key practices to prevent such attacks.
Read more »
Subscribe to: Comments (Atom)