Threat Intelligence Tarot
Vol. II · 90
Russia (FSB Centre 16)
G0108
risk 5/5
The Patient Inheritor
Berserk Bear
Energetic Bear · Dragonfly 2.0 · Crouching Yeti · Bromine
Energy sector · ICS/SCADA systems · Electric utilities · Nuclear facilities · Government · Defense
Active since ~2010 · Espionage, Pre-positioning in critical infrastructure
The Patient Inheritor does not wish to destroy the machine but to own it, placing invisible hands on the controls of power grids and fuel lines until the day they are needed. Patience measured in years, not months.
Tactics & Techniques
  • T1190 · Exploit Public-Facing Application · Initial Access
  • T1133 · External Remote Services · Initial Access
  • T1078 · Valid Accounts · Defense Evasion
  • T1021.001 · Remote Desktop Protocol · Lateral Movement
  • T1005 · Data from Local System · Collection
  • T1074 · Data Staged · Collection
  • T1040 · Network Sniffing · Credential Access
Notable Operations
  • US electric grid intrusions (2017-2018, DHS/FBI alert)
  • German energy company targeting
  • Nuclear facility network access in the US
  • Multi-year persistent access in energy sector OT networks
Defenses
Reversed: Their Weakness
Air-gapping operational technology (OT) networks from IT networks is the primary barrier against this group. ICS-specific intrusion detection systems and strict vendor access controls make persistent pre-positioning significantly harder.


Data sourced from MITRE ATT&CK. For educational purposes.