Kamacite

Threat Actor Profile Updated 3 months ago
Download STIX
Preview STIX
Kamacite, a threat actor believed to be a unit of the Russian military intelligence service (GRU), has been observed targeting infrastructure across Europe, Ukraine, and the United States. This group is primarily focused on gaining initial access to networks using an implant known as Cyclops Blink. Once this initial access is established, Kamacite hands over control to another group called Electrum, which is typically tasked with executing destructive operations. A concerning pattern has emerged in Kamacite's activities; it appears to be working closely with Electrum, functioning as an "ICS effects team". In particular, these groups have been linked to repeated power grid outages in Ukraine, among other incidents. This suggests that Kamacite and Electrum are not just involved in initial breaches but also potentially in subsequent attacks that can cause significant disruption to critical infrastructure. The ongoing activities of Kamacite and Electrum highlight the persistent and evolving threat posed by state-sponsored cyber actors. Both groups are associated with Sandworm, another entity believed to be part of the Russian military intelligence service. The cybersecurity community must remain vigilant against these threats, developing robust defenses and response strategies to mitigate the potential damage caused by these sophisticated threat actors.
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
ELECTRUM
2
Electrum, a threat actor identified in cyberattacks against Ukraine on February 1, 2022, is known for its Bitcoin-themed attacks. These attacks often involve the use of PDF delivery documents referencing Electrum Bitcoin wallets, similar to those seen in subsequent attacks in April. The initial load
Sandworm
1
Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Implant
Ics
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Cyclops BlinkUnspecified
1
"Cyclops Blink" is a type of modular malware that emerged in 2019, designed to target network infrastructure. It was dubbed the "Son of VPNFilter" due to its similarities with the latter campaign. Specifically crafted to run on Linux systems, particularly those with 32-bit PowerPC architecture, Cycl
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Kamacite Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CSO Online
a year ago
Attacks on industrial infrastructure on the rise, defenses struggle to keep up
BankInfoSecurity
5 months ago
Defending Operational Technology Environments: Basics Matter