Full Report
Following last month’s post highlighting its capabilities for protecting ICS (industrial control systems) and OT (operational technology) environments, ...

Source: "Team Cymru warns exposed ICS and OT devices targeted by nation-state actors raise industrial, critical infrastructure risks", published on Industrial Cyber.
Analysis Summary
# Threat Actor: Dragonfly
## Attribution & Identity
- **Name/Alias:** Dragonfly
- **Associated Groups:** Also known as Energetic Bear, Berserk Bear, or Crouching Yeti.
- **Affiliation:** Russian-linked/state-sponsored actor.
- **Identification Source:** Attributed by Poland’s CERT-PL and analyzed by Team Cymru.
## Activity Summary
The report focuses on a campaign in late 2025 (specifically cited on December 29, 2025) targeting the Polish power grid. The operation exploited internet-exposed Industrial Control Systems (ICS) to carry out destructive "hardware bricking" attacks aimed at degrading critical national infrastructure.
## Tactics, Techniques & Procedures
- **Credential Access:** Exploitation of default, non-rotated factory credentials on web interfaces.
- **Persistence/Access:** Targeting internet-exposed ICS/OT devices (IT/OT convergence vulnerabilities).
- **Execution (Destructive):** Uploading corrupted ELF (Executable and Linkable Format) firmware files.
- **Inhibiting System Recovery:** Executing "hard brick" attacks where firmware is modified to force the processor into invalid instruction cycles/infinite reboots, often requiring physical hardware replacement.
- **Evasion/Protocol Usage:** Exploiting modern industrial protocols such as IEC 61850.
## Targeting
- **Sectors:** Energy, Electrical Grids, Utilities (Substation automation).
- **Geography:** Poland.
- **Victims:** Polish power grid infrastructure, specifically facility-to-system operator communication channels.
## Tools & Infrastructure
- **Malware:** Corrupted ELF firmware files designed to brick processors.
- **Targeted Hardware:**
  - **Hitachi RTU560:** Modular remote terminal units used for grid stability.
  - **Moxa NPort:** Serial-to-Ethernet device servers used to bridge legacy equipment (sensors, PLCs, meters) to IP networks.
- **Infrastructure:** Publicly exposed web interfaces of OT devices.
## Implications
- **Strategic Intent:** The actor demonstrates a clear move beyond mere espionage toward disruptive and destructive capabilities ("pre-positioning").
- **Operational Impact:** While electricity generation remained intact in this instance, the loss of communication between facilities and operators severely degrades situational awareness and response capabilities during a crisis.
- **Maintenance Burden:** "Hard bricking" represents a high-impact TTP because it bypasses software-based recovery, necessitating expensive and time-consuming physical replacement of hardware in critical environments.
## Mitigations
- **Credential Management:** Immediate rotation of factory-default credentials on all OT/ICS devices.
- **Network Segmentation:** Ensure ICS devices are never directly exposed to the public internet; use secure remote access solutions instead.
- **Protocol Security:** Disable unnecessary web interfaces on RTUs and serial converters.
- **Vulnerability Scanning:** Use of threat intelligence (e.g., Team Cymru data) to identify organization-specific IP exposures before they are exploited.
- **Integrity Checks:** Implementation of firmware signing and integrity validation to prevent the execution of corrupted or unauthorized ELF files.
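One way to implement the firmware-integrity mitigation above, as an added example that is not from the report or from any device vendor's code: an upload handler that rejects an image whose ELF header is malformed or built for the wrong CPU, then requires the image's SHA-256 digest to be on an operator-maintained allowlist (a stand-in for verifying the vendor's signature). The `EM_ARM` target, the sample image builder and the allowlist are constructed assumptions.

```python
import hashlib
import struct

# ELF constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC = 2
EM_ARM = 40  # assumed CPU of the device; a real deployment uses the vendor's value

# Header layout after the 16-byte e_ident block, and total header size, per class
_EHDR = {ELFCLASS32: ("HHIIIIIHHHHHH", 52), ELFCLASS64: ("HHIQQQIHHHHHH", 64)}


def check_elf_header(blob, expected_machine):
    """Return None if the header is a sane executable for the expected CPU,
    else a short reason. A passing header is necessary, not sufficient."""
    if len(blob) < 52 or blob[:4] != ELF_MAGIC:
        return "bad magic or truncated header"
    ei_class, ei_data, ei_version = blob[4], blob[5], blob[6]
    if ei_class not in _EHDR or ei_data not in (ELFDATA2LSB, ELFDATA2MSB) or ei_version != 1:
        return "unsupported class/encoding/version"
    fmt, size = _EHDR[ei_class]
    if len(blob) < size:
        return "truncated header"
    fields = struct.unpack(("<" if ei_data == ELFDATA2LSB else ">") + fmt, blob[16:size])
    e_type, e_machine, e_version, e_phoff = fields[0], fields[1], fields[2], fields[4]
    e_ehsize, e_phentsize, e_phnum = fields[7], fields[8], fields[9]
    if e_type != ET_EXEC:
        return "not an executable image"
    if e_machine != expected_machine:
        return "built for a different CPU architecture"
    if e_version != 1 or e_ehsize != size:
        return "inconsistent header sizes/version"
    if e_phnum == 0 or e_phoff + e_phentsize * e_phnum > len(blob):
        return "program header table missing or outside the file"
    return None


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def validate_firmware(blob, approved_digests, expected_machine=EM_ARM):
    """Accept an upload only if the header is sane AND its digest is on the
    allowlist (stand-in for vendor signature verification). Returns (ok, reason)."""
    reason = check_elf_header(blob, expected_machine)
    if reason:
        return False, reason
    if sha256_hex(blob) not in approved_digests:
        return False, "digest not on the approved firmware list"
    return True, "ok"


def build_sample_image(machine=EM_ARM, e_type=ET_EXEC, payload=b"\x00" * 32):
    """Constructed sample: minimal little-endian ELF64 with one program header."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0, 0]) + b"\x00" * 7
    hdr = struct.pack("<HHIQQQIHHHHHH", e_type, machine, 1, 0x8000, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ident + hdr + b"\x00" * 56 + payload
```

The digest allowlist must come from an out-of-band source (vendor release notes, signed manifest), never from the same upload channel it protects.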