Security Experts:

Connect with us

Hi, what are you looking for?



Hackers Targeting Azerbaijan Show Interest in SCADA Systems

A threat actor that has been spotted targeting Azerbaijan has shown an interest in the energy sector, specifically SCADA systems related to wind turbines, Cisco’s Talos threat intelligence and research group reports.

A threat actor that has been spotted targeting Azerbaijan has shown an interest in the energy sector, specifically SCADA systems related to wind turbines, Cisco’s Talos threat intelligence and research group reports.

The attacks are aimed at both government organizations and private sector companies, and they involve a remote access trojan (RAT) that has not been seen before. Talos has not been able to link the attacks to a known threat actor.

According to Talos, the hackers appear to be interested in the energy sector and industrial control systems (ICS).

Hackers target wind turbine SCADA systems

“We believe information pertaining to SCADA systems, with specific interest to wind turbines, was obtained based on the targeting observed,” Warren Mercer, technical lead at Talos, told SecurityWeek.

As for the new Python-based RAT used in these attacks, Talos has dubbed the malware PoetRAT. Once it has been delivered to a device, its operators can instruct it to list files, obtain information about the system, download and upload files, take screenshots, copy and move files, make changes in the registry, hide and unhide files, view and kill processes, and execute operating system commands.

Learn more about threats to industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

The malware is typically delivered using specially crafted Word documents that act as a dropper. In one campaign observed in February, the fake document was blurred, but appeared to include the logo of the Defense R&D Organisation of the Ministry of Defence in India. However, Talos says it has found no evidence that India has been targeted.

Another campaign, observed in April, involved documents that apparently referenced the COVID-19 coronavirus outbreak. A coronavirus-themed document was also spotted in a different campaign launched this month. The document was written in Russian and it was made to look like an Azerbaijani government document.

The server delivering this document was also found to host a phishing page that mimicked the login page of the Azerbaijan government’s webmail service.

In addition to PoetRAT, the attackers have been spotted delivering other tools to compromised systems, including ones designed for exfiltrating data via email or FTP, for recording the victim through their webcam, logging keystrokes, stealing credentials from browsers, and escalating privileges.

Related: New Snake Ransomware Targets ICS Processes

Related: Cyberspies Target Hundreds of Industrial Firms in South Korea, Other Countries

Related: More Threat Groups Target Electric Utilities in North America

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...