Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Group That Caused Power Outage Stops Focusing Exclusively on Ukraine

Electrum, the Russia-linked hacker group believed to be responsible for the 2016 power outage in Ukraine, no longer focuses exclusively on this country, according to industrial cybersecurity firm Dragos.

Electrum, the Russia-linked hacker group believed to be responsible for the 2016 power outage in Ukraine, no longer focuses exclusively on this country, according to industrial cybersecurity firm Dragos.

Electrum is said to have used Crashoverride/Industroyer, a piece of malware designed to target industrial control systems (ICS), to cause the power outage in December 2016. Researchers have also found links to Sandworm (aka TeleBots and BlackEnergy), which has been blamed for the 2015 power outage that hit Ukraine. Sandworm is also believed to have played a role in the ongoing VPNFilter campaign.

According to Dragos, Electrum initially focused on development and facilitating Sandworm attacks. However, starting with the Crashoverride attack, it took on operational tasks as well.

The group is still active and starting with last year it has been seen focusing on organizations outside of Ukraine. While Dragos is unable to disclose which regions have been targeted, the company tells SecurityWeek that the hackers have launched attacks on organizations in the water and electric sectors.

The security firm has been monitoring Electrum and earlier this year it came across new information on the threat actor’s infiltration techniques and capabilities of the Crashoverride malware. Researchers say the group relies on common attack methods rather than zero-day vulnerabilities and exploits.

“For instance, the group used Microsoft SQL database servers as the gateway that bridges both the business and industrial control networks, to successfully compromise industrial control systems where they used stolen credentials to execute code,” explained Sergio Caltagirone, director of threat intelligence at Dragos. 

Learn More at SecurityWeek’s 2018 ICS Cyber Security Conference

Advertisement. Scroll to continue reading.

The company told SecurityWeek it had not identified any new deployment of the Crashoverride malware. “Crashoverride was a very specific framework for electric grid attacks. We would only expect to see this immediately prior to an ICS impact,” it said.

“The group’s ongoing activity and link to the Sandworm team indicate Electrum’s sponsor could direct ICS disruption operations to other geographic areas,” Caltagirone noted. “Dragos considers Electrum to be one of the most competent and sophisticated threat actors currently in the ICS industry.”

Dragos has published brief reports on several of the groups that pose a threat to ICS, including Iran-linked Chrysene, Russia-linked Allanite, and Xenotime, the group believed to be behind the Triton/Trisis attacks.

Last week, it reported that a threat actor linked to North Korea’s Lazarus Group had stopped targeting organizations in the United States.

Related: NotPetya Connected to BlackEnergy/KillDisk

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.