This threat actor uses a tool called Black Energy to target industrial control systems associated with electricity and power generation, for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and to a distributed denial of service attack prior to the Russian invasion of Georgia. In 2018, Germany’s domestic intelligence agency released a technical alert about this threat actor, and the United Kingdom attributed the actor to Russian military intelligence. In May 2020, the NSA publicly accused the group of targeting email servers worldwide.
Suspected victims
  • Russia
  • Lithuania
  • Kyrgyzstan
  • Israel
  • Ukraine
  • Belarus
  • Kazakhstan
  • Georgia
  • Poland
  • Azerbaijan
  • Iran
Suspected state sponsor
  • Russian Federation
Type of incident
  • Espionage
Target category
  • Private sector
  • Government