This is a series of links to background information on specific OT/ICS Cyber Incidents. Up to date as of Jul 2025.
FrostyGoop (2024)
- Unit42 | FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications | 19 Nov 24
- SANS Institute | What’s the Scoop on FrostyGoop: The Latest ICS Malware and ICS Controls Considerations | 09 Aug 24
- Nozomi Networks Labs | Protecting OT Systems Against FrostyGoop/BUSTLEBERM Malware | 24 Jul 24
- Dragos | Protect Against the FrostyGoop ICS Malware Threat with OT Cybersecurity Basics | 23 Jul 24
- Dragos | Impact of FrostyGoop ICS Malware on Connected OT Systems | Jul 24
Fuxnet (2024)
- Dragos | Strategic Overview of the Fuxnet Malware | May 24
- Claroty | Unpacking the Blackjack Group’s Fuxnet Malware | 12 Apr 24
Unitronics Attack / CyberAv3ngers (2023)
- CISA | IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities | 18 Dec 24
- Claroty | From Exploits to Forensics: Unraveling the Unitronics Attack | 07 Aug 24
- Dragos | Crossing the Rubicon: Hacktivist Intrusions Against Israeli-Made OT | 14 Dec 23
Danish Critical Infrastructure Attack (2023)
Ukraine Electric Power Attack (2022)
- Dragos | ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022 | 11 Dec 23
- Mandiant | Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology | 09 Nov 23
Iranian Steel Mill / Predatory Sparrow (2022)
- SCADAfence | Industrial Cyber Attack on Iranian Steel Companies Explained | 07 Jul 22
- WIRED | How a Group of Israel-Linked Hackers Has Pushed the Limits of Cyberwar | 25 Jan 24
Industroyer2 (2022)
- Mandiant | INDUSTROYER.V2: Old Malware Learns New Tricks | 25 Apr 25
- ESET | Industroyer2: Industroyer reloaded | 12 Apr 22
INCONTROLLER / PIPEDREAM (2022)
- S4 | INCONTROLLER – YouTube | 06 Sep 22
- CISA | APT Cyber Tools Targeting ICS/SCADA Devices | 25 May 22
- SANS ICS Security | PIPEDREAM and Countering ICS Malware Webcast – YouTube | 18 May 22
- S4 | PIPEDREAM – Most Flexible & Capable ICS Malware To Date – YouTube | 02 May 22
- Dragos | CHERNOVITE’s PIPEDREAM Targeting Industrial Control Systems | 13 Apr 22
- Mandiant | INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple ICS | 13 Apr 22
COSMICENERGY (2021)
- Mandiant | COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises | 25 May 23
- Dragos | COSMICENERGY – Not an Immediate Threat | Jun 23
TRITON/TRISIS/HatMan (2017)
- CISA | HatMan – Safety System Targeted Malware (Update B) | 27 Feb 19
- Nozomi Networks | TRITON: The First ICS Cyberattack on Safety Instrument Systems | 08 Aug 18
- WIRED | Triton Malware Targets Industrial Safety Systems In the Middle East | 14 Dec 17
- Mandiant | TRITON Malware | Attackers Deploy New ICS Attack Framework | 14 Dec 17
CRASHOVERRIDE / Industroyer (2016)
- CISA | CrashOverride Malware | 20 Jul 21
- Book | Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers | 20 Oct 20
- CISA | CRASHOVERRIDE Malware | 25 Jul 17
- Dragos | CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids | 12 Jun 17
- WIRED | Crash Override Malware Took Down Ukraine’s Power Grid Last December | 12 Jun 17
- ESET | Industroyer: Biggest threat to industrial control systems since Stuxnet | 12 Jun 17
BlackEnergy (2015)
- CISA | Cyber-Attack Against Ukrainian Critical Infrastructure | 20 Jul 21
- Book | Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers | 20 Oct 20
- ISA | Ukrainian power grids cyberattack – A forensic analysis based on ISA/IEC 62443 | Apr 17
- WIRED | Everything We Know About Ukraine’s Power Plant Hack | 28 Jan 16
- Booz Allen Hamilton | When the Lights Went Out | Sep 16
- SANS Industrial | Confirmation of a Coordinated Attack on the Ukrainian Power Grid | 06 Jan 16
Havex (2013)
- CISA | ICS Focused Malware (Update A) | 22 Aug 18
- GIAC | The Impact of Dragonfly Malware on Industrial Control Systems | 18 Jan 16
- Palo Alto Networks | Threat Mitigation for Havex, DragonFly and Variants | 10 Jul 14
- F-Secure Labs | Havex Hunts for ICS/SCADA Systems | 23 Jun 14
Stuxnet (2010)
- Gov | Fully Operational: Stuxnet 15 Years Later and the Evolution of Cyber Threats to Critical Infrastructure | 22 Jul 25
- Gov | Fully Operational Stuxnet 15 Years Later & the Evolution of Cyber Threats to Critical Infrastructure – YouTube | 22 Jul 25
- S4 | Langner’s Stuxnet Deep Dive – YouTube | 18 Jun 16
- Book | Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon | 01 Sep 15