The Security Brief

Tag: cyber-security

  • Iranian APTs and the Next Phase of Infrastructure Risk

    Iranian APTs and the Next Phase of Infrastructure Risk

    In the wake of escalating tensions in the Middle East this past spring, Iranian state-sponsored hackers turned their focus toward a new frontier: US critical infrastructure.

    From May through June 2025, cybersecurity telemetry revealed a 133% surge in Iran-attributed cyber activity targeting US industrial and operational technology (OT) environments. These campaigns hit transportation and manufacturing sectors, but energy and water infrastructure remain long-standing targets. While espionage remains a primary objective, the evidence increasingly suggests Iran is preparing for more overt disruption.

    Strategic Escalation

    Iran’s cyber posture has always mirrored its geopolitical environment. In Spring 2025, that meant responding to Israeli and US airstrikes with asymmetric cyber operations. Groups like APT33 (Elfin), APT34 (OilRig), and MuddyWater (Static Kitten) ramped up traditional espionage, while more aggressive actors like CyberAv3ngers and Fox Kitten (tied to recent Pay2Key.I2P ransomware operations) pursued OT-focused sabotage and ransomware deployment.

    Iran’s messaging through pseudo-hacktivist fronts and deepening ties with ransomware operators clearly framed this activity as retaliation for “Western aggression.” That framing is part of a broader Iranian cyber doctrine that views critical infrastructure compromised as a form of coercion and deterrence.

    In parallel with APT activity, pro-Iranian hacktivists ramped up operations against US defense and critical infrastructure sectors. Groups like “Mr. Hamza” claimed responsibility for defacing and leaking data tied to defense contractors, including Raytheon technologies (RTX), following US involvement in strikes against Iranian facilities. While attribution remains murky, these operations often mirror Iranian state objectives and timelines, suggesting coordination or at least ideological alignment. The targeting of US DIB entities serves Tehran’s broader goal of projecting reach and retaliation across both digital and strategic domains.

    Pre-Positioning

    Iran’s shift toward OT environments is the most significant development.

    • MuddyWater and APT33 continued to exfiltrate intellectual property from manufacturing and defense-adjacent industries.
    • CyberAv3ngers targeted water control systems and other ICS devices with their custom malware, IOControl, discovered embedded in US and allied OT environments.
    • Fox Kitten evolved into a ransomware-as-a-service operator with an 80% (up from 70%) profit-share for affiliates targeting the US or Israel.

    Alongside collecting information, these actors are also establishing persistence. In many cases, backdoors were quietly planted and left dormant; signaling an intent for future activation should the need arise.

    ActorAffiliationFocusObjective
    MuddyWaterMOISAerospace & Defense, Utilities, Gov, Civil & NGOsEspionage
    APT33IRGCAerospace & Defense, Energy, Gov, HealthcareEspionage and Access
    CyberAv3ngersIRGCWater, ICS, FinanceDisruption
    Fox KittenUnkownIT/OT GatewaysRansomware-as-a-service
    OilRigMOISFinance, GovCredential Theft

    Implications for the US DIB

    Iran’s campaigns are displaying a willingness to target logistics, aerospace, and manufacturing suppliers that support US and Israeli defense sectors. The Defense Industrial Base (DIB) should expect more of this; not only from state-sponsored actors, but from criminal or hacktivist affiliates acting on behalf of Iran’s IRGC or MOIS cyber arms.

    Some immediate implications:

    • DIB contractors should hunt for Iranian TTPs and malware like IOControl and DNSpionage.
    • OT segmentation, remote access policies, and endpoint hygiene are foundational.
    • Incident response (IR) planning must include scenario-based escalation modeling: what happens if the access Iran gains today becomes a wiper event tomorrow?

    US Response: Shields Up

    Initially, the federal response may have felt quieter than prior cyber alerts like those during the Ukraine conflict but the signals were still there.

    On LinkedIn, Jen Easterly, former CISA Director, reactivated the Shields Up mantra within hours of US strikes on Iranian nuclear sites. Her post explicitly warned US critical infrastructure operators to expect:

    • Credential theft and phishing
    • ICS-specific malware
    • Wipers masquerading as ransomware
    • Propaganda-laced hacktivist campaigns

    Easterly urged sectors to segment OT networks, patch internet-facing systems, enforce MFA, rehearse ICS isolation, and actively monitor ISAC channels.

    The various critical infrastructure-related ISACs followed suit. And while no single campaign bannered over the response, the defense posture matched the moment.

    Jen Easterly emphasizes the importance of cybersecurity vigilance for US critical infrastructure in response to recent Iranian cyber activities.

    So What’s Next?

    Iran’s recent activity represents a shift in focus, not necessarily a shift in capability. The targeting of OT environments and critical infrastructure may reflect aspirational doctrine as much as operational readiness. While there’s no conclusive evidence that Iranian actors have staged disruptive payloads in U.S. networks, the direction of their targeting and tooling, particularly the development of ICS and OT-specific malware, suggests a growing interest in operational disruption, and not just information gathering.

    For the US defense and critical infrastructure communities, this creates a clear mandate to prepare for the next phase before it arrives.

    • Monitor beyond the perimeter: Iranian threat actors have historically gained access through default credentials, exposed devices, and lateral movements through flat networks.
    • Expect dual-use operations: Intelligence collection and pre-positioning are not mutually exclusive.
    • Reassess assumptions: Iranian groups are traditionally viewed as less sophisticated than Russian or Chinese APTs, but recent coordination and tooling suggest they’re evolving quickly.

    In short, we’re seeing a doctrinal pivot. Iran is exploring offensive options in OT environments, and testing how far it can go without triggering escalation. This makes detection, attribution, and sector-wide coordination more important than ever.

    References

    https://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict

    https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol

    https://www.cisa.gov/news-events/news/joint-statement-cisa-fbi-dc3-and-nsa-potential-targeted-cyber-activity-against-us-critical

    https://therecord.media/iran-state-backed-hackers-industrial-attacks-spring-2025

  • Russia’s Void Blizzard Targets the West’s Digital Backbone

    Russia’s Void Blizzard Targets the West’s Digital Backbone

    Microsoft Threat Intelligence has surfaced a new Russia-affiliated cyber actor: Void Blizzard, also tracked as LAUNDRY BEAR. Active since at least April 2024, this group is focused on long-term espionage targeting sectors critical to Western governments, infrastructure, and policy-making.

    Void Blizzard is not just another APT clone or cluster moniker. It represents an evolution in operational flexibility and tradecraft, shifting from relying on stolen credentials bought off the dark web to more aggressive adversary-in-the-middle (AitM) phishing campaigns. These newer efforts leverage typosquatted domains mimicking Microsoft Entra portals to harvest authentication tokens and compromise enterprise identities.

    Target Profile

    Void Blizzard’s campaign focus aligns closely with Russian state priorities. It has gone after targets in:

    • Defense and government agencies
    • Transportation and healthcare infrastructure
    • NGOs, education institutions, and intergovernmental organizations
    • Media and IT service providers

    While some activity overlaps with known Russian actors like APT29, Void Blizzard appears to operate as a distinct cell, coordinating within a larger ecosystem of state-sponsored espionage.

    Notable Tactics

    • Credential-based access remains a preferred entry point, but the shift to AitM phishing is a signal of increasing confidence and offensive posture.
    • Microsoft Entra impersonation suggests a deliberate focus on trusted identity systems, highlighting how fragile authentication flows can be under targeted pressure.
    • Operational consistency across NATO states and Ukraine further indicates strategic alignment with geopolitical goals, not just opportunistic targeting.

    Analyst Comments

    If you’re in defense, energy, public health, or civil society work, Void Blizzard’s tradecraft should raise alarm bells. Organizations should be:

    • Auditing Entra ID and authentication logs for anomalies tied to session replay or suspicious SSO activity
    • Deploying phishing-resistant MFA such as FIDO2 keys
    • Training users to identify lookalike URLs and domain spoofing, particularly in password reset or login prompts
    • Tracking overlaps with other Russian campaigns, especially Star Blizzard and Midnight Blizzard, to catch infrastructure reuse or strategic convergence

    Final Thoughts

    Void Blizzard is not flashy, but it is serious. It demonstrates how Russia continues to evolve its cyber espionage toolkit beneath the noise of more destructive attacks. In an era of hybrid conflict, groups like Void Blizzard are the quiet operatives laying groundwork for geopolitical advantage. They definitely won’t be the last.

    See Microsoft’s full report: https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/

  • COLDRIVER’s New LOSTKEYS Malware Targets Western Officials

    COLDRIVER’s New LOSTKEYS Malware Targets Western Officials

    Summary

    Between Jan and Apr 2025, suspected Russian FSB-linked threat group COLDRIVER delivered LOSTKEYS malware using a fake CAPTCHA to target Western officials, journalists, think tanks, and NGOs.

    Russian Threat Group COLDRIVER Deploys LOSTKEYS Malware Targeting Western Entities

    The Russian state-sponsored threat group, COLDRIVER (aka UNC4057, Callisto, and Star Blizzard), has expanded its cyberespionage toolkit with the additional of a new malware strain dubbed LOSTKEYS. According to Google’s Threat Intelligence Group (GTIG), this development marks a significant evolution from COLDRIVER’s usual credential phishing tactics to more sophisticated malware development.

    Evolution of Tactics

    Historically, COLDRIVER focused on credential phishing campaigns targeting high-profile individuals in NATO governments, NGOs, and former intelligence and diplomatic officials. The threat group’s primary objective has been intelligence collection in support of Russian strategic interests. More recent activities observed in early-2025 indicate a shift towards deploying more custom malware to further enhance their data exfiltration capabilities.

    Introduction of LOSTKEYS

    LOSTKEYS was designed to steal files from predefined directories and file types, as well as send system information and running processes back to the threat actors. The malware is delivered through a multi-stage infection chain that begins with a lure website featuring a fake CAPTCHA. Once a target interacts with the CAPTCHA, they’re then prompted to execute a PowerShell script, starting the malware installation process. This method, known as “ClickFix”, involves socially engineering targets to copy, paste, and execute malicious PowerShell commands. The technique has been gaining increased notoriety as various other threat actors have begun leveraging it.

    Targets and Objectives

    COLDRIVER’s recent campaigns have targeted current and former advisors to Western governments, militaries, journalists, think tanks, NGOs, and individuals connected to Ukraine. The group’s operations aim to gather intelligence that aligns with Russian strategic interests. In some cases, COLDRIVER has been linked to hack-and-leak campaigns targeting officials in the UK and NGOs.

    Analyst Comments:

    The evolution of COLDRIVER from basic credential phishing to deploying custom malware like LOSTKEYS emphasizes a broader trend in Russian cyberespionage: the increasing willingness to burn bespoke tools in pursuit of higher value intelligence collection. The shift seems to suggest mounting pressure on Russian intelligence services to deliver actionable insights amid ongoing geopolitical tensions, particularly related to NATO support for Ukraine and Western policy responses.

    Through their targeting of advisors, think tanks, and NGOs, COLDRIVER is focusing on influencers and policy shapers, not just government officials. This indicates a strategic effort of preempting or shaping foreign policy decisions. Their adoption of techniques like ClickFix also signals an emphasis on user-driven execution, a smart bypass of traditional email defenses and endpoint controls. As we’ve seen in the past, employees are the weakest link in an organization’s security posture.

    For us network defenders, this campaign highlights the importance of defense-in depth strategies, user education (a must), and proactive threat hunting. The fact that COLDRIVER now deploys malware directly onto victim systems raises the stakes for organizations previously focused only on account compromise prevention.

    In short, COLDRIVER’s operational pivot is just another reminder that cyberespionage groups adapt faster than most defensive postures. Organizations in policy-adjacent sectors should assume they are in the targeting scope, even if they don’t handle classified information, and adjust security postures accordingly.

    Reference(s) and Further Reading:

    https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a

    https://home.treasury.gov/news/press-releases/jy1962

  • The Escalation of GRU Unit 29155: Espionage and Sabotage Tactics

    The Escalation of GRU Unit 29155: Espionage and Sabotage Tactics

    Disclaimer: This post is based on unclassified, open-source reporting and reflects my personal analysis and interpretations. The views expressed here are my own and do not represent the views or positions of my employer.

    Background

    Russian GRU military intelligence Unit 29155 (aka Cadet Blizzard, Ember Bear, FrozenVista, UNC2589) is a covert subunit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), primarily tasked with conducting high-stakes and clandestine operations abroad. Established under the GRU, Unit 29155 gained public attention due to its involvement in activities that align with Russia’s asymmetric warfare objectives, particularly in Europe, Ukraine, and NATO-affiliated regions. Unit 29155 operates in several domains, from traditional espionage and sabotage to cyber operations.

    Unit 29155 has significantly intensified operations since 2020, pivoting from covert actions in Europe toward a greater emphasis on cyber operations with a focus on undermining Ukraine and NATO allies through espionage, data manipulation, and sabotage.

    Primary TTPs

    • Espionage and Data Theft
      • Unit 29155 conducts extensive espionage campaigns aimed at gathering intelligence from NATO countries, European union members, and multiple nations in Latin America and Central Asian. They’ve exploited critical infrastructure and government systems leveraging reconnaissance tools like Nmap and Shodan to scan for vulnerabilities and gather intelligence [2].
      • Sensitive information obtained through these operations are occasionally leaked or shared publicly in order to damage the reputations of their victims as part of influence efforts [3].
    • Destructive Operations
      • Unit 29155 was tracked as the group deploying the destructive WhisperGate malware, disguised as ransomware but meant to erase victim data. This wiper was used in targeting of Ukrainian governmental and critical infrastructure entities. This activity provided evidence of a clear shift to sabotage tactics aligned with Russian military objectives early in the Russia/Ukraine conflict.
      • Destructive attacks have also been directed towards logistics operations supporting Ukraine, as seen in repeated attacks against infrastructure crucial to NATO and EU support for Ukraine [2].
    • Infrastructure Scanning/Domain Enumeration
      • Unit 29155 engaged in over 14,000 documented cases of domain scanning, targeting NATO infrastructure and EU entities. The scanning has been described as preparatory, often identifying weak points for later exploitation efforts. Open-source and custom tools like Acunetix, WPScan, and VirusTotal were commonly used for this reconnaissance [3].
    • Cybercriminal Overlap
      • Not wholly unique to Unit 29155, but rather the broad spectrum of Russian state-sponsored APT groups, researchers report collaboration with known cybercriminal elements, employing non-GRU actors to facilitate operations. This working relationship extends the group’s reach and allows it to exploit technical expertise outside formal military ranks while obscuring attribution. It is also believed that this particular unit consists of primarily junior personnel and so may operate at a less sophisticated level than other groups like APT28 or APT29 [4].

    Mitigations and Recommendations

    Cyber defenders across critical sectors are encouraged to implement mitigations against known tactics:

    • Prioritize patching of known vulnerabilities and enforce multi-factor authentication (MFA).
    • Monitor networks for unusual scanning or reconnaissance activity and segment networks to mitigate lateral movement, post infiltration.
    • Use intrusion detection tools to monitor for technical indicators of compromise (IOCs) relating to Unit 29155.

    Unit 29155’s evolution highlights a blend of traditional espionage with enhanced cyber and sabotage capabilities, particularly in relation to high-stakes geopolitical targets. The expanded use of cyber tactics show the importance for affected nations and organizations to maintain vigilance and robust cyber defenses.

    References

    [1] https://www.fbi.gov/wanted/cyber/gru-29155-cyber-actors

    [2] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3895808/%5B3%5D https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/russian-military-cyber-actors-target-us-and-global-critical-infrastructure

    [4] https://www.rferl.org/a/germany-gru-russia-cyber-warning/33112764.html