Connect with us

Hi, what are you looking for?



Hackers Targeting Azerbaijan Show Interest in SCADA Systems

A threat actor that has been spotted targeting Azerbaijan has shown an interest in the energy sector, specifically SCADA systems related to wind turbines, Cisco’s Talos threat intelligence and research group reports.

A threat actor that has been spotted targeting Azerbaijan has shown an interest in the energy sector, specifically SCADA systems related to wind turbines, Cisco’s Talos threat intelligence and research group reports.

The attacks are aimed at both government organizations and private sector companies, and they involve a remote access trojan (RAT) that has not been seen before. Talos has not been able to link the attacks to a known threat actor.

According to Talos, the hackers appear to be interested in the energy sector and industrial control systems (ICS).

Hackers target wind turbine SCADA systems

“We believe information pertaining to SCADA systems, with specific interest to wind turbines, was obtained based on the targeting observed,” Warren Mercer, technical lead at Talos, told SecurityWeek.

As for the new Python-based RAT used in these attacks, Talos has dubbed the malware PoetRAT. Once it has been delivered to a device, its operators can instruct it to list files, obtain information about the system, download and upload files, take screenshots, copy and move files, make changes in the registry, hide and unhide files, view and kill processes, and execute operating system commands.

Learn more about threats to industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

The malware is typically delivered using specially crafted Word documents that act as a dropper. In one campaign observed in February, the fake document was blurred, but appeared to include the logo of the Defense R&D Organisation of the Ministry of Defence in India. However, Talos says it has found no evidence that India has been targeted.

Another campaign, observed in April, involved documents that apparently referenced the COVID-19 coronavirus outbreak. A coronavirus-themed document was also spotted in a different campaign launched this month. The document was written in Russian and it was made to look like an Azerbaijani government document.

Advertisement. Scroll to continue reading.

The server delivering this document was also found to host a phishing page that mimicked the login page of the Azerbaijan government’s webmail service.

In addition to PoetRAT, the attackers have been spotted delivering other tools to compromised systems, including ones designed for exfiltrating data via email or FTP, for recording the victim through their webcam, logging keystrokes, stealing credentials from browsers, and escalating privileges.

Related: New Snake Ransomware Targets ICS Processes

Related: Cyberspies Target Hundreds of Industrial Firms in South Korea, Other Countries

Related: More Threat Groups Target Electric Utilities in North America

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.