Threat Intelligence Tarot
Vol. II · 92
Russia (GRU-linked hacktivist, Sandworm affiliate)
risk 3/5
The Iron Tide
Cyber Army of Russia Reborn
CARR · CyberArmyofRussia
Water treatment facilities · Hydroelectric dams · US critical infrastructure · Poland · France · US utilities
Active since 2022 · Disruption of Western infrastructure, Pro-Kremlin propaganda
The Iron Tide rises not from oceans but from pipelines and water mains, a current that flows backward through the veins of civilian infrastructure. Where Sandworm uses bombs, its offspring uses valves.
Tactics & Techniques
Tactic chain (ATT&CK Enterprise): RCN (Reconnaissance) · RDV (Resource Development) · INI (Initial Access) · EXC (Execution) · PRS (Persistence) · PRV (Privilege Escalation) · EVA (Defense Evasion) · CRD (Credential Access) · DSC (Discovery) · LAT (Lateral Movement) · COL (Collection) · C2 (Command and Control) · EXF (Exfiltration) · IMP (Impact)
  • T1498 · Network Denial of Service (Impact)
  • T1190 · Exploit Public-Facing Application (Initial Access)
  • T1489 · Service Stop (Impact)
  • T1485 · Data Destruction (Impact)
  • T1071.001 · Web Protocols (Command and Control)
  • T1583 · Acquire Infrastructure (Resource Development)
Notable Operations
  • Muleshoe, Texas water facility manipulation (2024)
  • Indiana water utility disruption
  • Polish water system targeting
  • French hydroelectric dam HMI access and manipulation
Defenses
  • Remove all OT/HMI systems from internet exposure: no direct internet connection
    ICS-CERT advisory
  • Change all default credentials on industrial control systems and HMIs
    CIS Control 5
  • Network segmentation between corporate IT and operational technology networks
    NIST CSF: PR.PT
  • Continuous monitoring of ICS network for unauthorized command injection
    NIST CSF: DE.CM
Reversed: Their Weakness
Internet-exposed HMI systems still running default credentials make up its entire attack surface. Removing internet-facing OT interfaces and enforcing industrial network segmentation eliminates almost all of its capability.
Data sourced from MITRE ATT&CK. For educational purposes.