Cyber Risk in the Utilities Sector

Understand more about cyber risk in this sector.

Cyber Risk Graph

Explore how this sector relates to the wider risk graph

Threat Reports

Publicly available threat reporting on cyber attacks against Utilities.

Report

Cloaked and Covert: Uncovering UNC3886 Espionage Operations

This article by researchers from Google's Mandiant outlines intrusion activity by UNC3886, a suspected China-nexus cyber espionage group. The ...

View Source
Report

APT45: North Korea’s Digital Military Machine

This report from threat intelligence analysts at Google's Mandiant marks the graduation of this cyber actor to a fully designated APT - APT45. The ...

View Source
Report

UAC-0133 (Sandworm) plans for cyber sabotage at almost 20 critical infrastructure facilities in Ukraine

This medium post translates a UA-CERT alert and adds additional technical analysis of the QUEUESEED/KAPEKA backdoor which has been used against ...

View Source
Report

Threat Assessment: Black Basta Ransomware

This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...

View Source
Report

VOLTZITE Espionage Operations Targeting U.S. Critical Systems

This report details activity related to the VOLTZITE intrusion set as observed by Dragos. The report identifies sectors and geographies targeted ...

View Source
Report

Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets

This report from Microsoft Threat Intelligence describes a subset of activity related to the Mint Sandstorm actor. The campaign includes the theft ...

View Source
Report

PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...

View Source

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use against Utilities.

ATT&CK ID Title Associated Tactics
T1014 Rootkit Defense Evasion
T1068 Exploitation for Privilege Escalation Privilege Escalation
T1003 OS Credential Dumping Credential Access
T1071 Application Layer Protocol Command and Control
T1489 Service Stop Impact
T1082 System Information Discovery Discovery
T1112 Modify Registry Defense Evasion
T1569.002 Service Execution Execution
T1218.010 Regsvr32 Defense Evasion
T1573 Encrypted Channel Command and Control
T1486 Data Encrypted for Impact Impact
T1562.001 Disable or Modify Tools Defense Evasion
T1136 Create Account Persistence
T1566.001 Spearphishing Attachment Initial Access
T1543.003 Windows Service Persistence, Privilege Escalation
T1047 Windows Management Instrumentation Execution
T1219 Remote Access Software Command and Control
T1622 Debugger Evasion Defense Evasion, Discovery
T1140 Deobfuscate/Decode Files or Information Defense Evasion
T1555 Credentials from Password Stores Credential Access
T1560.001 Archive via Utility Collection
T1562.009 Safe Mode Boot Defense Evasion
T1484.001 Group Policy Modification Defense Evasion, Privilege Escalation
T1059.001 PowerShell Execution
T1574.001 DLL Search Order Hijacking Defense Evasion, Persistence, Privilege Escalation
T1567 Exfiltration Over Web Service Exfiltration
T1490 Inhibit System Recovery Impact
T1021.001 Remote Desktop Protocol Lateral Movement
T1016 System Network Configuration Discovery Discovery
T1087.002 Domain Account Discovery
T1562.004 Disable or Modify System Firewall Defense Evasion
T1098 Account Manipulation Persistence, Privilege Escalation
T1070.004 File Deletion Defense Evasion
T1592 Gather Victim Host Information Reconnaissance
T1048 Exfiltration Over Alternative Protocol Exfiltration
T1090.003 Multi-hop Proxy Command and Control
T1090.001 Internal Proxy Command and Control
T1090 Proxy Command and Control
T1105 Ingress Tool Transfer Command and Control
T1113 Screen Capture Collection
T1074 Data Staged Collection
T1560 Archive Collected Data Collection
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1550 Use Alternate Authentication Material Defense Evasion, Lateral Movement
T1021.007 Cloud Services Lateral Movement
T1563 Remote Service Session Hijacking Lateral Movement
T1124 System Time Discovery Discovery
T1007 System Service Discovery Discovery
T1033 System Owner/User Discovery Discovery
T1016.001 Internet Connection Discovery Discovery
T1614 System Location Discovery Discovery
T1518 Software Discovery Discovery
T1012 Query Registry Discovery
T1057 Process Discovery Discovery
T1069 Permission Groups Discovery Discovery
T1120 Peripheral Device Discovery Discovery
T1046 Network Service Discovery Discovery
T1654 Log Enumeration Discovery
T1083 File and Directory Discovery Discovery
T1217 Browser Information Discovery Discovery
T1010 Application Window Discovery Discovery
T1087.001 Local Account Discovery
T1552.004 Private Keys Credential Access
T1552 Unsecured Credentials Credential Access
T1003.003 NTDS Credential Access
T1003.001 LSASS Memory Credential Access
T1555.003 Credentials from Web Browsers Credential Access
T1110.002 Password Cracking Credential Access
T1218 System Binary Proxy Execution Defense Evasion
T1027.002 Software Packing Defense Evasion
T1036.005 Match Legitimate Name or Location Defense Evasion
T1070.001 Clear Windows Event Logs Defense Evasion
T1070.009 Clear Persistence Defense Evasion
T1006 Direct Volume Access Defense Evasion
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1059.004 Unix Shell Execution
T1059 Command and Scripting Interpreter Execution
T1133 External Remote Services Initial Access, Persistence
T1190 Exploit Public-Facing Application Initial Access
T1588.005 Exploits Resource Development
T1587.004 Exploits Resource Development
T1584.004 Server Resource Development
T1584.005 Botnet Resource Development
T1583.003 Virtual Private Server Resource Development
T1594 Search Victim-Owned Websites Reconnaissance
T1593 Search Open Websites/Domains Reconnaissance
T1591 Gather Victim Org Information Reconnaissance
T1590 Gather Victim Network Information Reconnaissance
T1589.002 Email Addresses Reconnaissance
T1589 Gather Victim Identity Information Reconnaissance