
No need for fuel and energy complex: hackers have become more likely to blackmail industrialists

The ransom amounts are estimated in millions of rubles — companies of the fuel and energy complex are of particular interest to criminals.
Photo: IZVESTIA/Sergey Konkov

Cyber attacks on industrial facilities have doubled in frequency, Izvestia has learned. Previously, the main goal of most hackers was espionage, but now they seek to make a profit through extortion and the sale of hacking tools. Such tools can be purchased for as little as $500, and one successful attack can bring in tens of millions of rubles. Which industries are at high risk and how much businesses may lose as a result of an attack is covered in this Izvestia article.

How hackers attack

Hackers have increased pressure on the industrial sector, cybersecurity companies told Izvestia. At the same time, they have changed their main motive: instead of collecting data, they are increasingly choosing attacks for the sake of making money. In 2025, the share of such incidents was 5-6%, and in the first half of 2026 it doubled to 11%, experts from BI.ZONE Threat Intelligence reported.

For example, in May and June 2026, industrial enterprises were subjected to a series of attacks by the financially motivated group Clubfoot Wolf. The group disguised its emails as commercial offers or invoices. The attackers added the prefix Fwd: ("forwarded") to the subject line so that recipients would think they had already communicated with the sender and would open the attachments.

"The ZIP archive attached to the letter contained distracting files, as well as software for remote administration," said the head of BI.ZONE Threat Intelligence Oleg Skulkin. "This allowed the attackers to remotely control the victim's computer and at the same time remain unnoticed by the security systems. And to make it more difficult to analyze and identify the end URLs, the group used link shortening services."

Hackers most often targeted small chemical industry organizations.
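The three traits described above (a Fwd: subject from a sender with no prior correspondence, a ZIP attachment carrying software alongside decoy files, and shortened links) can be checked at the mail gateway. The following is an added example, not code from Izvestia or BI.ZONE; the function names, the shortener list, the extension list, the known-sender set and the sample message are all assumptions constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "clck.ru"}  # sample list, extend locally
EXEC_EXT = (".exe", ".msi", ".scr", ".bat", ".cmd", ".lnk")  # assumption: how the software is packaged
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage(raw: bytes, known_senders: set) -> list:
    """Return findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0].addr_spec.lower() if addrs else ""
    # A "forwarded" subject implies prior contact; flag it when there was none.
    if re.match(r"\s*fwd?\s*:", str(msg["Subject"] or ""), re.I) and sender not in known_senders:
        findings.append("fwd-subject-from-unknown-sender")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            try:  # the central directory lists names even for encrypted entries
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    bad = sorted(n for n in zf.namelist() if n.lower().endswith(EXEC_EXT))
            except zipfile.BadZipFile:
                findings.append("zip-unreadable")
                continue
            if bad:
                findings.append("zip-contains-executable:" + ",".join(bad))
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                host = (urlparse(url).hostname or "").lower()
                if host in SHORTENERS:
                    findings.append("shortened-url:" + host)
    return findings

def build_sample() -> bytes:
    """Constructed sample message: decoy file plus an installer in a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("offer.pdf", b"decoy")
        zf.writestr("viewer_setup.exe", b"placeholder")
    m = EmailMessage()
    m["From"], m["To"] = "sales@supplier.example", "buyer@plant.example"
    m["Subject"] = "Fwd: Commercial offer"
    m.set_content("Details: https://bit.ly/xxxx")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="offer.zip")
    return m.as_bytes()
```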

According to BI.ZONE DFIR, the Feral Wolf group attacked one of the industrial companies. The hackers gained access to its system through an incorrect server configuration and remained in its network for 20 days.

During the same period, another group, Stray Hyena, compromised another company: first it breached a contractor, and two days after that intrusion the infrastructure of the main victim was encrypted.

"In the case of attacks on medium-sized companies, the amount of the ransom can be 15-30 million rubles, but sometimes it reaches 100-200 million rubles," the experts said. "Less often, attackers request even larger amounts."

The growing interest of cybercriminals in Russian industry is also evidenced by the sale of special hacking tools, Oleg Skulkin emphasized. For example, in June, the Wrecking Hyena group sold an updated platform for attacks on industrial infrastructure through its Telegram channel for $500. It includes a complete set of tools, from vulnerability detection and reconnaissance to data theft and storage. In addition, the platform allows its users to analyze the security of systems, exploit vulnerabilities in industrial protocols, conduct DDoS attacks and gain unauthorized remote access.

"The members of Wrecking Hyena initially positioned themselves as hacktivists: they stated that they were acting solely for ideological reasons, and not for financial gain," the expert noted.

How much do attacks cost businesses

Today, almost all industrial companies using digital services are at risk, including machine-building, metallurgical, chemical, food and pharmaceutical companies, Dmitry Smirnov, head of the information security department at NGENIX, told Izvestia.

At the same time, facilities of the fuel and energy complex are subject to the most intense attacks, since many other sectors of the economy depend on their stable operation, said Boris Gerasin, digital lawyer, Deputy Chairman of the Intellectual Property Council of the Chamber of Commerce and Industry of the Russian Federation, Eurasian and Russian Patent Attorney.

"Downtime is very expensive in these areas," said the expert. "Every day of unscheduled repairs deprives the refinery of millions of rubles, leads to the disruption of previously reached agreements, to the failure to fulfill plans, which is fraught with sanctions from counterparties."

Kirill Levkin, Project manager at Softline Group (MD Audit), added that a separate category is logistics hubs and warehouses with a high degree of automation, where a failure blocks supply chains.

"The food industry, pharmaceuticals, and the agricultural sector are increasingly being attacked. They are interested not so much in data as in the possibility of paralyzing production, because such enterprises cannot afford long-term downtime: products deteriorate, processes cannot be paused," he explained.

For attackers, what matters is not the industry but the cost of business downtime, Dmitry Smirnov agreed.

"The more expensive it is to stop production, the more attractive the target," the expert believes. "Increasingly, public digital services of companies are becoming a potential entry point: corporate portals, partner personal accounts, VPNs, APIs, and other web resources. Compromising them could be the first stage of a larger attack."

Even a well-developed IT infrastructure with a modern cyber defense system does not guarantee complete security, Boris Gerasin noted.

"Attackers often work not head-on, but surreptitiously, through less secure counterparty systems, trying to hack the perimeter of the target infrastructure through them," he said.

The damage varies greatly and consists of two parts: payments to intruders and indirect losses, Kirill Levkin added.

The main costs are related to production downtime, restoration of information systems, technical audit, replacement of compromised software, investigation of the incident and compliance with regulatory requirements, said Ekaterina Kosareva, managing partner of the VMT Consult agency.

Experts recommend that companies in the most vulnerable industries separate their corporate and technological network segments. Then, if one of the segments is infected, the problem can be localized and the attack cannot spread to the entire infrastructure.

Translated by Yandex Translate
