Publications
Services
Advisories
Statistics

Publications
Services
Advisories
Statistics

Publications

Reports

Blog

Events

Filter

25 February 2021

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

APT,
COVID-19,
Lazarus,
Manuscrypt,
ThreatNeedle

Industries 29

textile

retail

mining

metallurgy

electronics industry

food & beverage

energy sector

logistics

automotive

manufacturing

transportation

utilities

biometrics

buildings automation

construction

ICS engineering

ICS integration

pharmaceutical

water supply

oil & gas

aerospace

shipbuilding

military-defense

robotics

irrigation

industrial automation

waste recycling

government

healthcare

Types of threats 29

personal data leakage

denial of production

denial of operations

denial of IT services

data leakage

denial of service

ransomware

spyware

APT

phishing

cyberespionage

malware

trojans

backdoor

fatalrat

denial of shipment

vulnerabilities

0-day

living-off-the-land

adversary-in-the-middle

supply chain

abuse of IT services

data loss

hacktivists

DLL hijacking

Stolen data exfiltration

business email compromise

COVID-19

KRACK

Industrial control systems 3

statistics

industrial cybersecurity

ICS security

Technologies 28

miners

quantum computing

artificial Intelligence

network equipment

UMTS

HSPA

Java

unitronics

cloud services

Air-gapped networks

USB removable media

dataleak

digital twins

UMAS

IoT

fuzzing

firmware

SMTP

VPN

RDP

RAT

OPC UA

steganography

VNC

cameras

802.11

Wi-Fi

WPA2

Companies and organisations 13

vendors

Telit

CISA

Schneider Electric

Rockwell Automation

Colonial Pipeline

OPC Foundation

Siemens

IIC

Fibaro

Moxa

Gemalto

General Electric

Products and services 14

Centurion

MOVEit MFT

ISaGRAF

Log4j

FortiGate

RMS

TeamViewer

SPPA-T3000

Codesys

Codesys Runtime

Fibaro Home Center

ThingsPro Suite

SafeNet

Machine Learning for Anomaly Detection

APT 29

Cloud Atlas/Inception

Volt Typhoon

Sofacy

Lazarus

Mint Sandstorm

Tortoiseshell

APT29

YoroTrooper

Lancefly

APT41

Andariel

APT43

Earth Longzhi

APT31

EV-0530

Tropic Trooper

UNC4034/ZINC

UNC3890

POLONIUM

TA423/Red Ladon

Budworm

IRIDIUM/Sandworm

Woody Rat

Worok

TA428

Zebrocy

GreyEnergy

Energetic Bear

Crouching Yeti

Laws and regulation 6

UN R 155

ISO/SAE 21434

automotive cybersecurity

legislation

biometric data

critical infrastructure

Malware 30

MATA

Snake

RA

Royal

Vice Society

RomCom

CommonMagic

CloudWizard

PlugX

Kryptik

FourteenHi

MeatBall

ShadowPad

Log4Shell

Manuscrypt

PseudoManuscrypt

DarkSide

Cring

ThreatNeedle

SunBurst

MontysThree

RobinHood

LockerGoga

REvil

GandCrab

WannaCry

Ryuk

Milum

Expetr

CrashOverride/Industroyer

Select an author

Select a date

Back to top

Filter

Industrial control systems 5

industrial cybersecurity

ICS security

smart manufacturing

Industry 4.0

IoT Security Maturity Model

Technologies 13

IoT

PLC

NAT

industrial networks

Open Platform Communications

TCP/IP

HMI

RAT

industrial managed switches

USB removable media

satellite communications

cryptominers

Bluetooth

Malware 25

TRITON

Ryuk

PoetRAT

REvil

Sodinokibi

Maze

Ragnar Locker

TrickBot

ZeroCleare

Dustman

Shamoon

Emotet

Yoroi

MartyMcFly

Leafminer

RASPITE

Thrip

VPNFilter

OMG

Mirai

Satori

Reaper

Expetr

Bad Rabbit

Dragonfly

Companies and organisations 51

Schneider Electric

Red Team

NIST

Rockwell Automation

FIRST

Claroty

Siemens

Emerson

Elexon

BlueScope

Stadler

DESMI

Energias de Portugal

Advantech

Picanol Group

NCA

Bapco

US Coast Guard

WAGO

Rheinmetall Group

Red Lion Controls

EZAutomation

IIC

Mitsubishi Electric

Phoenix Contact

ASCO Industries

Norsk Hydro

Zelio Soft

ENISA

Circontrol

AVEVA

Entes

Fuji Electric

Opto22

Princeton University

Symantec

Dragos

Wecon

Moxa

ABB

Allen-Bradley

Yokogawa

Martem

OPC Foundation

Beckhoff

Intel

General Electric

Palo Alto Networks

US-CERT

MITRE

Abbott

Types of threats 25

APT

vulnerabilities

TTP

initial access

buffer overflow

MitM

denial of service

ransomware

path traversal

argument injection

SQL injection

remote code execution

privilege escalation

XXE

phishing

COVID-19

FragmentSmack

SegmentSmack

improper privilege management

botnets

Spectre

Meltdown

IoT botnet

KRACK

BlueBorne

Laws and regulation 3

legislation

critical infrastructure

cyber weapon

Industries 4

smart cities

water supply

healthcare and medical

energy sector

Products and services 58

ABB 800xA

WebAccess/NMS

Modicon

SPPA-T3000

SiNVR 3

XHQ Operations Intelligence

Cisco IOS

Crimson

EZ PLC Editor

EZ Touch Editor

FR Configurator2

SIMATIC

PCS7

TIA Administrator

WinCC

Interactive Graphical SCADA System

Floating License Manager

ABB Panel Builder 600

SICK MSC800

Advantech WebAccess

PC Worx

Automation Worx Software Suite

Cisco Industrial Network Director

Optergy Proton/Enterprise

SIMATIC PCS 7

SIMATIC WinCC

IIoT Monitor

GP-Pro EX

SINUMERIK

SESU

CirCarLife

Wecon PI Studio

Alpha5

FRENIC

AMS Device Manager

TD Keypad Designer

SCALANCE

PAC Control Basic

PAC Control Professional

PowerLogic

DeltaV

LeviStudioU

NPort

Panel Builder

e!DISPLAY

SIPROTEC

Stratix

Delta Industrial Automation

U.motion Builder

Cisco Talos

TELEM-GW6/GWM

PACSystems

FL SWITCH

TIM 1531 IRC

TwinCAT

Codesys

Nari PCS-9611

Dnsmasq

Events and conferences 2

Kaspersky Industrial Cybersecurity Conference 2019

IT Security for Industrial Systems

APT 1

GreyEnergy

Select an author

Select a date

Back to top

Filter

Companies and organisations 6

Kaspersky ICS CERT

TÜV Austria

Kaspersky

MIT

Fraunhofer IOSB

UC Berkeley

Types of events 8

webinar

training

attack and defense CTF

industrial CTF

ICS detection challenge

capture the flag

conference

seminar

Technologies 1

IoT

Conferences 4

Kaspersky Industrial Cybersecurity Conference

Kaspersky Industrial CTF

Kaspersky Security Analyst Summit

S4x19

Products and services 1

KICS for Networks

Select a date

Back to top

Select a tag

Industries 29

textile

retail

mining

metallurgy

electronics industry

food & beverage

energy sector

logistics

automotive

manufacturing

transportation

utilities

biometrics

buildings automation

construction

ICS engineering

ICS integration

pharmaceutical

water supply

oil & gas

aerospace

shipbuilding

military-defense

robotics

irrigation

industrial automation

waste recycling

government

healthcare

Types of threats 29

personal data leakage

denial of production

denial of operations

denial of IT services

data leakage

denial of service

ransomware

spyware

APT

phishing

cyberespionage

malware

trojans

backdoor

fatalrat

denial of shipment

vulnerabilities

0-day

living-off-the-land

adversary-in-the-middle

supply chain

abuse of IT services

data loss

hacktivists

DLL hijacking

Stolen data exfiltration

business email compromise

COVID-19

KRACK

Industrial control systems 3

statistics

industrial cybersecurity

ICS security

Technologies 28

miners

quantum computing

artificial Intelligence

network equipment

UMTS

HSPA

Java

unitronics

cloud services

Air-gapped networks

USB removable media

dataleak

digital twins

UMAS

IoT

fuzzing

firmware

SMTP

VPN

RDP

RAT

OPC UA

steganography

VNC

cameras

802.11

Wi-Fi

WPA2

Companies and organisations 13

vendors

Telit

CISA

Schneider Electric

Rockwell Automation

Colonial Pipeline

OPC Foundation

Siemens

IIC

Fibaro

Moxa

Gemalto

General Electric

Products and services 14

Centurion

MOVEit MFT

ISaGRAF

Log4j

FortiGate

RMS

TeamViewer

SPPA-T3000

Codesys

Codesys Runtime

Fibaro Home Center

ThingsPro Suite

SafeNet

Machine Learning for Anomaly Detection

APT 29

Cloud Atlas/Inception

Volt Typhoon

Sofacy

Lazarus

Mint Sandstorm

Tortoiseshell

APT29

YoroTrooper

Lancefly

APT41

Andariel

APT43

Earth Longzhi

APT31

EV-0530

Tropic Trooper

UNC4034/ZINC

UNC3890

POLONIUM

TA423/Red Ladon

Budworm

IRIDIUM/Sandworm

Woody Rat

Worok

TA428

Zebrocy

GreyEnergy

Energetic Bear

Crouching Yeti

Laws and regulation 6

UN R 155

ISO/SAE 21434

automotive cybersecurity

legislation

biometric data

critical infrastructure

Malware 30

MATA

Snake

RA

Royal

Vice Society

RomCom

CommonMagic

CloudWizard

PlugX

Kryptik

FourteenHi

MeatBall

ShadowPad

Log4Shell

Manuscrypt

PseudoManuscrypt

DarkSide

Cring

ThreatNeedle

SunBurst

MontysThree

RobinHood

LockerGoga

REvil

GandCrab

WannaCry

Ryuk

Milum

Expetr

CrashOverride/Industroyer

Select an author

Select a date

Filter

Select a tag

Industrial control systems 5

industrial cybersecurity

ICS security

smart manufacturing

Industry 4.0

IoT Security Maturity Model

Technologies 13

IoT

PLC

NAT

industrial networks

Open Platform Communications

TCP/IP

HMI

RAT

industrial managed switches

USB removable media

satellite communications

cryptominers

Bluetooth

Malware 25

TRITON

Ryuk

PoetRAT

REvil

Sodinokibi

Maze

Ragnar Locker

TrickBot

ZeroCleare

Dustman

Shamoon

Emotet

Yoroi

MartyMcFly

Leafminer

RASPITE

Thrip

VPNFilter

OMG

Mirai

Satori

Reaper

Expetr

Bad Rabbit

Dragonfly

Companies and organisations 51

Schneider Electric

Red Team

NIST

Rockwell Automation

FIRST

Claroty

Siemens

Emerson

Elexon

BlueScope

Stadler

DESMI

Energias de Portugal

Advantech

Picanol Group

NCA

Bapco

US Coast Guard

WAGO

Rheinmetall Group

Red Lion Controls

EZAutomation

IIC

Mitsubishi Electric

Phoenix Contact

ASCO Industries

Norsk Hydro

Zelio Soft

ENISA

Circontrol

AVEVA

Entes

Fuji Electric

Opto22

Princeton University

Symantec

Dragos

Wecon

Moxa

ABB

Allen-Bradley

Yokogawa

Martem

OPC Foundation

Beckhoff

Intel

General Electric

Palo Alto Networks

US-CERT

MITRE

Abbott

Types of threats 25

APT

vulnerabilities

TTP

initial access

buffer overflow

MitM

denial of service

ransomware

path traversal

argument injection

SQL injection

remote code execution

privilege escalation

XXE

phishing

COVID-19

FragmentSmack

SegmentSmack

improper privilege management

botnets

Spectre

Meltdown

IoT botnet

KRACK

BlueBorne

Laws and regulation 3

legislation

critical infrastructure

cyber weapon

Industries 4

smart cities

water supply

healthcare and medical

energy sector

Products and services 58

ABB 800xA

WebAccess/NMS

Modicon

SPPA-T3000

SiNVR 3

XHQ Operations Intelligence

Cisco IOS

Crimson

EZ PLC Editor

EZ Touch Editor

FR Configurator2

SIMATIC

PCS7

TIA Administrator

WinCC

Interactive Graphical SCADA System

Floating License Manager

ABB Panel Builder 600

SICK MSC800

Advantech WebAccess

PC Worx

Automation Worx Software Suite

Cisco Industrial Network Director

Optergy Proton/Enterprise

SIMATIC PCS 7

SIMATIC WinCC

IIoT Monitor

GP-Pro EX

SINUMERIK

SESU

CirCarLife

Wecon PI Studio

Alpha5

FRENIC

AMS Device Manager

TD Keypad Designer

SCALANCE

PAC Control Basic

PAC Control Professional

PowerLogic

DeltaV

LeviStudioU

NPort

Panel Builder

e!DISPLAY

SIPROTEC

Stratix

Delta Industrial Automation

U.motion Builder

Cisco Talos

TELEM-GW6/GWM

PACSystems

FL SWITCH

TIM 1531 IRC

TwinCAT

Codesys

Nari PCS-9611

Dnsmasq

Events and conferences 2

Kaspersky Industrial Cybersecurity Conference 2019

IT Security for Industrial Systems

APT 1

GreyEnergy

Select an author

Select a date

Filter

Select a tag

Companies and organisations 6

Kaspersky ICS CERT

TÜV Austria

Kaspersky

MIT

Fraunhofer IOSB

UC Berkeley

Types of events 8

webinar

training

attack and defense CTF

industrial CTF

ICS detection challenge

capture the flag

conference

seminar

Technologies 1

IoT

Conferences 4

Kaspersky Industrial Cybersecurity Conference

Kaspersky Industrial CTF

Kaspersky Security Analyst Summit

S4x19

Products and services 1

KICS for Networks

Select a date

Filter

Newsletter subscription E-mail

Your company or organization name

Vulnerability data

Threat Information

I agree to provide my contact information to Kaspersky Lab (first name, last name, email address, phone, country postal code) to be contacted by Kaspersky Lab sales representatives by phone for a personalized offer that could be based, in particular, on geography and company size information provided; to receive information via email about Kaspersky Lab products and services including promotional offers, product updates and premium assets like white papers, webcasts, videos, events etc.; to participate in surveys to vocalize opinion on various aspects of Kaspersky Lab business, in particular, about products, and technical support. I understand that I can withdraw this consent at any time via unsubscribe link from email or via Privacy Policy

A global project run by Kaspersky to coordinate the efforts of industrial automation system vendors and industrial facility owners and operators.

Publications
Services
Advisories
Statistics
About

Download PGP/GPG key

Authorized to Use CERT™

CERT is a mark owned by
Carnegie Mellon University

© 2025 AO Kaspersky Lab

Privacy policy Cookies

If you have any questions remaining, please email us at ics-cert@kaspersky.com