Energy Sector Incident Report

On December 29, 2025, coordinated destructive cyberattacks targeted Poland's energy infrastructure during severe winter weather. Approximately 30 wind and solar farms, a manufacturing company, and a combined heat and power plant serving nearly 500,000 customers were affected. Attackers exploited vulnerable FortiGate perimeter devices using stolen credentials and default passwords to access industrial control systems. Multiple types of wiper malware, including DynoWiper and LazyWiper, were deployed to destroy data across IT and OT environments. While renewable facilities lost communication with distribution operators without affecting electricity generation, the incidents demonstrated significant capability to cause physical disruption. Infrastructure analysis revealed connections to threat clusters known as Static Tundra, Ghost Blizzard, and potentially Sandworm, marking a notable escalation in cyber-sabotage operations.

Pulse ID: 69f32ac81834d5a878e8fac0
Pulse Link: https://otx.alienvault.com/pulse/69f32ac81834d5a878e8fac0
Pulse Author: AlienVault
Created: 2026-04-30 10:11:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberAttack #CyberAttacks #CyberSecurity #IndustrialControlSystems #InfoSec #Malware #Manufacturing #OTX #OpenThreatExchange #Password #Passwords #Poland #RAT #Sandworm #Word #Worm #bot #AlienVault

Analysis of Attack Activities Using SSH+TOR Tunnels to Achieve Covert Persistence

APT-C-13 (Sandworm), also known as FROZENBARENTS, is a state-sponsored advanced persistent threat group conducting global cyber espionage operations. The organization recently deployed malicious campaigns using nested SSH and TOR tunnel infrastructure to establish covert remote access channels. Attackers distribute ZIP archives containing weaponized LNK files via spearphishing emails, which extract and execute payloads that create scheduled tasks disguised as legitimate software. The attack establishes dual-encrypted anonymous tunnels using obfs4 protocol to bypass deep packet inspection, while mapping sensitive ports (SMB/445, RDP/3389) to Onion domains for persistent backdoor access. The campaign leverages sophisticated anti-analysis techniques including sandbox detection, file disguise, and process masquerading to evade detection and maintain long-term unauthorized control over compromised systems for intelligence collection.

Pulse ID: 69f1f50a5410ca637c84368c
Pulse Link: https://otx.alienvault.com/pulse/69f1f50a5410ca637c84368c
Pulse Author: AlienVault
Created: 2026-04-29 12:09:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Email #Espionage #InfoSec #LNK #OTX #Onion #OpenThreatExchange #Phishing #RAT #RDP #SMB #SSH #Sandworm #SpearPhishing #Worm #ZIP #bot #AlienVault

疑似APT-C-13（Sandworm）组织利用SSH+TOR隧道实现隐蔽持久化的攻击活动分析-安全资讯-360官网

Pulse ID: 69f1f472cc1acc636d7983ef
Pulse Link: https://otx.alienvault.com/pulse/69f1f472cc1acc636d7983ef
Pulse Author: CyberHunter_NL
Created: 2026-04-29 12:07:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #SSH #Sandworm #Worm #bot #CyberHunter_NL

Attack Activity Analysis Using SSH+TOR Tunnels for Covert Persistence

APT-C-13 (Sandworm), also known as FROZENBARENTS, is a state-sponsored advanced persistent threat group conducting global cyber espionage targeting government agencies, diplomatic departments, energy enterprises, and research organizations. Recently detected samples reveal the group's use of nested SSH and TOR tunnel architecture to establish covert communication channels. The attack begins with spear-phishing emails delivering malicious LNK files disguised as PDF documents. Upon execution, the payload deploys TOR hidden services mapping internal ports (SMB/445, RDP/3389) to onion domains, while SSH services with public key authentication provide encrypted remote access. The malware employs obfs4 protocol to obfuscate TOR traffic, evading deep packet inspection. Persistence is achieved through scheduled tasks masquerading as legitimate applications like Opera GX and Dropbox, establishing an anonymous shadow management infrastructure for sustained intelligence collection.

Pulse ID: 69f06b1eeeb1fca735cb0bb8
Pulse Link: https://otx.alienvault.com/pulse/69f06b1eeeb1fca735cb0bb8
Pulse Author: AlienVault
Created: 2026-04-28 08:09:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Dropbox #Email #Espionage #Government #InfoSec #LNK #Malware #OTX #Onion #OpenThreatExchange #Opera #PDF #Phishing #RDP #SMB #SSH #Sandworm #SpearPhishing #Worm #bot #AlienVault

Sandworm uses SSH tunneled over Tor to maintain long-term, stealthy persistence on compromised systems. Layers inside layers — it's almost elegant, in a deeply unsettling way.

The real takeaway: lateral movement detection and egress monitoring matter more than ever when the attacker is patient, quiet, and in no hurry to leave. 🕵️

#infosec #Sandworm #ThreatIntel
https://gbhackers.com/ssh-over-tor-tunnel/

"He who can command the worm, can command the breakfast."

#Dune #sandworm

Cyber warfare groups: Sandworm
https://negativepid.blog/cyber-warfare-groups-sandworm/

#cyberWarfare #Sandworm #criticalInfrastructure #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

Cyber warfare groups: Sandworm
https://negativepid.blog/cyber-warfare-groups-sandworm/

#cyberWarfare #Sandworm #criticalInfrastructure #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid