Sample Brief — Preview of Subscriber Experience

Subscriber Use Only
TLP: AMBER · Not for Public Release
Distribution: Energy & Utilities Sector Subscribers
Energy & Utilities Sector Intelligence Brief
Correlated · Sector-Specific · Plain Language
Week of March 30, 2026
Sources: CISA · NSA · FBI · Dragos · DOE · NERC · FARA · OSINT
Sector Threat Level
Critical
Volt Typhoon remains embedded inside U.S. utility control loops — confirmed inside the operational systems that manage energy grid processes. Iranian actors pre-positioned inside U.S. energy networks before Operation Epic Fury began. Pro-Russian hacktivists targeting ICS/SCADA at oil and gas facilities. ICS vulnerability disclosures nearly doubled in 2025. Three new OT-focused threat groups identified.
300+ days Volt Typhoon dwelled inside a U.S. utility undetected
2,451 ICS vulnerabilities disclosed in 2025 — nearly double 2024
26 OT-focused threat groups worldwide — 11 active in 2025
136 CVEs in CISA’s Iranian threat actor catalog (CVIE)
What You Need To Know This Week
For Decision Makers — Plain Language

The U.S. energy grid is under sustained, multi-nation-state cyber siege. Chinese state-sponsored actor Volt Typhoon (tracked as Voltzite by Dragos) is not merely accessing utility networks — it is inside the control loops that manage industrial processes. Dragos CEO Robert Lee confirmed in February 2026 that Voltzite was “inside the control loop” of utility systems, positioning for future disruption rather than immediate attack. The Dragos case study of Littleton Electric Light and Water Departments revealed Volt Typhoon maintained access for over 300 days, exfiltrating OT operating procedures and spatial layout data of energy grid operations — information specifically useful for planning physical disruption. The Air Force has publicly warned that this access could enable China to wage “total war” by targeting base utilities.

Iranian-linked actors had already established footholds inside U.S. energy company networks weeks before the February 28 Operation Epic Fury strikes began. Iranian-aligned groups have claimed compromises of industrial control systems in allied nations. CISA’s Cyber Vulnerability Insights Estimate identifies 136 CVEs that Iranian actors have targeted or exploited — many affecting systems deployed in energy environments. Pro-Russian hacktivist groups have aligned with Iranian actors, creating coordinated multi-nation-state campaigns targeting energy infrastructure simultaneously.

The vulnerability landscape is expanding rapidly. ICS vulnerability disclosures nearly doubled from 2024 to 2025 — 2,451 vulnerabilities across 152 vendors. Siemens alone accounted for 1,175 of those. Hacktivists are increasingly targeting exposed HMI and SCADA systems at scale. A survey of over 100 energy facilities revealed widespread OT cybersecurity gaps including unpatched devices, insecure external connections, and weak network segmentation.

The bottom line: adversaries are already inside. The question is not whether your utility has been targeted — it is whether you have the visibility to know if they are already there. Immediate priority actions are listed under each threat item below.

80% · Active Campaigns Targeting Energy & Utilities
Sources: CISA · NSA · FBI · Dragos · DOE · NERC
Volt Typhoon — Inside the Control Loop of U.S. Utilities
Critical
Sources: Dragos 2026 Annual Report · CISA AA24-038A · SecurityWeek · Dark Reading · The Register
Volt Typhoon (PRC state-sponsored, tracked as Voltzite by Dragos) represents the most significant cyber threat to U.S. energy infrastructure. Dragos confirmed in February 2026 that Voltzite is now “inside the control loop” — the operational systems that directly manage industrial processes at U.S. utilities. This is not reconnaissance. This is pre-positioned capability for disruption. The Dragos case study of LELWD (Littleton Electric Light and Water Departments) revealed the group maintained access for over 300 days, exfiltrating OT operating procedures and spatial layout data of energy grid operations — information specifically useful for planning where and how to cause physical disruption. Volt Typhoon has also compromised a large U.S. city’s emergency services GIS network and conducted extensive reconnaissance of a telecommunications provider’s external gateways. The group uses living-off-the-land techniques (wmic, netsh, PowerShell), SOHO router compromise for C2, and credential harvesting via NTDS.dit extraction. The KV Botnet has been rebuilt following FBI disruption. Dragos tracks 26 OT-focused threat groups worldwide — 11 were active in 2025, with three new groups identified. Voltzite is the most dangerous.
Action Required: Hunt for LOLBin abuse in OT-adjacent networks — wmic, netsh, PowerShell execution in environments where these should not be running. Review all SOHO and edge device logs for anomalous outbound connections. Audit Active Directory for NTDS.dit access. Implement CISA CPG 2.0 OT-specific controls. Deploy OT-specific threat detection if not already in place. Monitor for SMB traversal and RDP lateral movement within OT segments. The best way to identify Volt Typhoon is behavioral monitoring — they blend in with trusted traffic.
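The two hunts above (LOLBin execution where it should not occur, and NTDS.dit access) as detection logic over constructed process-creation telemetry. This is an added example, not code from the brief or from any of its sources; the 10.20.0.0/16 OT-adjacent range, the host names, accounts and command lines are all assumptions made up for the example.

```python
import ipaddress
import json
import ntpath

# Constructed sample of process-creation telemetry (Windows Security event 4688
# flattened to JSON lines by a SIEM); hosts, addresses, accounts and command
# lines are made up for this example.
SAMPLE_EVENTS = r"""
{"host": "eng-ws-07", "src_ip": "10.20.4.15", "user": "CORP\\svc_hist", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic process list brief"}
{"host": "it-ws-22", "src_ip": "10.1.8.40", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -c Get-Process"}
{"host": "dc-01", "src_ip": "10.1.2.5", "user": "CORP\\backup", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c copy C:\\Windows\\NTDS\\ntds.dit D:\\staging\\ntds.bak"}
{"host": "eng-ws-07", "src_ip": "10.20.4.15", "user": "CORP\\svc_hist", "image": "C:\\Windows\\System32\\netsh.exe", "cmdline": "netsh interface show interface"}
{"host": "eng-ws-09", "src_ip": "10.20.4.31", "user": "CORP\\svc_hist", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -c Get-Service"}
{"host": "hist-01", "src_ip": "10.20.9.3", "user": "CORP\\svc_hist", "image": "C:\\Program Files\\Historian\\hist.exe", "cmdline": "hist.exe --collect"}
"""

# Assumed network plan: 10.20.0.0/16 is the engineering / OT DMZ, where the
# LOLBins named in the brief should not be launched by interactive users.
OT_ADJACENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
LOLBINS = {"wmic.exe", "netsh.exe", "powershell.exe"}
DIRECTORY_DB = "ntds.dit"  # the AD credential store the brief says to audit access to


def in_ot_adjacent(ip: str) -> bool:
    """True when the source address falls inside an OT-adjacent subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_ADJACENT_NETS)


def hunt(event_lines: str) -> list[dict]:
    """Apply the brief's two hunt rules to JSON-lines events, in event order."""
    findings = []
    for raw in event_lines.strip().splitlines():
        ev = json.loads(raw)
        exe = ntpath.basename(ev["image"]).lower()
        base = {"host": ev["host"], "user": ev["user"], "exe": exe}
        # Rule 1: wmic / netsh / PowerShell executing from an OT-adjacent host.
        if exe in LOLBINS and in_ot_adjacent(ev["src_ip"]):
            findings.append({"rule": "lolbin-in-ot-adjacent", **base})
        # Rule 2: any command line that touches the directory database file.
        if DIRECTORY_DB in ev["cmdline"].lower():
            findings.append({"rule": "ntds-dit-access", **base})
    return findings


def pivoting_accounts(findings: list[dict], min_hosts: int = 2) -> set[str]:
    """Accounts whose LOLBin activity spans several OT-adjacent hosts: a
    lateral-movement signal rather than one admin's one-off command."""
    hosts_by_user: dict[str, set[str]] = {}
    for f in findings:
        if f["rule"] == "lolbin-in-ot-adjacent":
            hosts_by_user.setdefault(f["user"], set()).add(f["host"])
    return {u for u, hosts in hosts_by_user.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
    print("pivoting accounts:", pivoting_accounts(hunt(SAMPLE_EVENTS)))
```

The same PowerShell command on it-ws-22 produces nothing because that host is outside the OT-adjacent range; the rule is about where the binary runs, not what it was asked to do.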
Iranian Pre-Positioning — Footholds Established Before Epic Fury
Critical
Sources: CISA CVIE March 2026 · Baker Botts Analysis · Dragos 2026 · Qualys · FBI
Iranian state-affiliated hackers had established footholds inside U.S. energy company networks weeks before the February 28 Operation Epic Fury strikes began. CISA’s Cyber Vulnerability Insights Estimate identifies 136 CVEs that Iranian government-sponsored actors have targeted or exploited — many affecting systems deployed in energy and utility environments. Dragos identified Pyroxene (IRGC-linked, overlapping with Imperial Kitten/APT35) conducting supply chain attacks targeting critical infrastructure sectors and expanding from the Middle East into North America. Iranian-aligned groups have claimed compromises of industrial control systems in Israel. Pro-Russian hacktivist groups have aligned with Iranian actors, pooling resources for coordinated campaigns against energy infrastructure. AI-assisted reconnaissance tools have lowered the technical barriers to targeting ICS, and Iran’s dispersed hacker network — including groups like Handala — operates autonomously even as Iran’s own command structure is disrupted.
Action Required: Audit all internet-facing systems against CISA’s CVIE catalog — priority patch any Fortinet, Ivanti, Cisco, or Palo Alto edge devices. Review ICS/SCADA systems for default credentials and internet exposure. Enable MFA on all remote access. Report anomalous authentication attempts to ic3.gov. Assume pre-positioning may already exist in your environment and hunt accordingly.
ICS/SCADA Vulnerability Surge — 2,451 Disclosures in 2025
Critical
Sources: Cyble Annual Threat Landscape Report 2025 · CISA ICS Advisories · Infosecurity Magazine
ICS vulnerability disclosures nearly doubled from 2024 to 2025 — 2,451 vulnerabilities across 152 vendors. Siemens was the most affected vendor with 1,175 reported vulnerabilities. The third quarter of 2025 alone accounted for 45% of the year’s disclosures. Hacktivists and cybercriminals are increasingly targeting exposed HMI and SCADA systems, with groups like Z-Pentest conducting repeated intrusions against a wide range of industrial technologies. A survey of over 100 energy facilities revealed widespread OT cybersecurity gaps: unpatched devices, insecure external connections, VLAN misconfigurations, time synchronization errors, and weak network segmentation. CISA CPG 2.0, released December 2025, now addresses IT and OT holistically with new zero-trust requirements. Energy systems with 20-30 year physical asset lifespans cannot be patched or rebooted like IT systems — compensating controls are essential.
Action Required: Inventory all ICS/OT systems against current CISA ICS advisories. Prioritize Siemens, Schneider Electric, and Rockwell systems for patching or compensating controls. Audit HMI and SCADA exposure — ensure nothing is internet-facing without proper segmentation. Deploy network-level intrusion detection in OT environments where endpoint agents cannot be installed. Review CPG 2.0 zero-trust goals for OT applicability. Document compensating controls for assets that cannot be patched.
Hacktivist Targeting of Oil, Gas, and Utility ICS/SCADA
High
Sources: CISA/FBI/EPA/DOE Alert · SecurityWeek · Cyble · SC Media
CISA warned that unsophisticated cyber actors are increasingly targeting ICS/SCADA systems at oil and natural gas organizations. These are primarily hacktivist groups — or actors claiming hacktivist motivations — targeting SCADA and other ICS left exposed to the internet with default passwords or no authentication. While their claims are often exaggerated, industrial cybersecurity experts warn these attacks can have significant real-world impact. The Cyble report documented Z-Pentest as the most active hacktivist group targeting ICS in 2025, conducting repeated intrusions against a wide range of industrial technologies. Hacktivist groups heavily targeted energy and utilities organizations alongside transportation. The convergence of politically motivated hacktivists with nation-state capabilities — particularly the Russian-Iranian alignment — means even “unsophisticated” actors may have access to sophisticated tools and intelligence.
Action Required: Ensure no ICS/SCADA systems are internet-facing without proper segmentation and authentication. Eliminate all default passwords on OT devices. Audit remote access to OT environments — restrict to known IPs with MFA. Monitor for hacktivist reconnaissance activity against your external infrastructure. Review CISA/FBI/EPA/DOE joint guidance on protecting OT in oil and gas environments.
Critical Vulnerabilities — F5 BIG-IP, Citrix NetScaler, Cisco Firewalls
High
Sources: CISA KEV Catalog · BleepingComputer · F5 Advisory · Help Net Security · March 2026
F5 BIG-IP APM (CVE-2025-53521): Reclassified to critical RCE on March 30 — active exploitation confirmed with webshell deployment. CVSS v4: 9.3. Widely used in enterprise and utility environments.
Citrix NetScaler ADC (CVE-2026-3055): Critical flaw (CVSS 9.3) under active reconnaissance. Appliances configured as SAML Identity Providers are vulnerable.
Cisco Firewall (CVE-2026-20131): Interlock ransomware exploited this as a zero-day for 36 days before a patch existed. Energy organizations using Cisco firewall infrastructure are at risk.
Ivanti EPM (CVE-2026-1603): Authentication bypass allowing remote unauthenticated credential data leakage. Added to CISA KEV catalog.
Any of these vulnerabilities in your environment represents an immediate pathway for adversary access.
Action Required: Patch F5 BIG-IP APM immediately. Audit Citrix NetScaler for SAML IDP configuration exposure. Patch Cisco firewalls against CVE-2026-20131. Verify Ivanti EPM installations are updated. Cross-reference all internet-facing assets against the CISA KEV catalog weekly.
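The weekly cross-reference called for here, and the CVIE audit under the Iranian pre-positioning item above, as one triage routine over a constructed asset inventory. This is an added example, not code or data from the brief or from CISA: the KEV-shaped catalog uses the real feed's field names but its entries and dates are sample values, the CVIE membership set is invented for the example, and the asset names and the placeholder CVE-2025-00001 are assumptions.

```python
import json
from datetime import date

# Constructed catalog in the shape of CISA's KEV JSON feed (the real feed names
# its fields cveID, vendorProject, product, dateAdded, dueDate); the entries and
# dates below are sample values for this example, not a copy of the feed.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2025-53521", "vendorProject": "F5", "product": "BIG-IP APM",
   "dateAdded": "2026-03-30", "dueDate": "2026-04-06"},
  {"cveID": "CVE-2026-20131", "vendorProject": "Cisco", "product": "Firewall",
   "dateAdded": "2026-03-20", "dueDate": "2026-04-10"},
  {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti", "product": "EPM",
   "dateAdded": "2026-03-25", "dueDate": "2026-04-15"}]}""")

# Constructed stand-in for the CVIE catalog (a set of CVE IDs Iranian actors
# have targeted or exploited); membership here is illustrative, not the real list.
CVIE_SAMPLE = {"CVE-2026-1603", "CVE-2026-3055"}

# Constructed inventory: scanner findings per asset plus an internet-exposure flag.
INVENTORY = [
    {"asset": "vpn-edge-01", "exposed": True,  "cves": ["CVE-2025-53521"]},
    {"asset": "adc-02",      "exposed": True,  "cves": ["CVE-2026-3055"]},
    {"asset": "fw-site-07",  "exposed": True,  "cves": ["CVE-2026-20131"]},
    {"asset": "epm-lab-01",  "exposed": False, "cves": ["CVE-2026-1603"]},
    {"asset": "hist-dmz-01", "exposed": True,  "cves": ["CVE-2025-00001"]},  # placeholder ID, in no catalog
]


def triage(inventory, kev, cvie, today):
    """Return catalog hits sorted by priority, then by KEV due date."""
    kev_by_id = {v["cveID"]: v for v in kev["vulnerabilities"]}
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            in_kev, in_cvie = cve in kev_by_id, cve in cvie
            if not (in_kev or in_cvie):
                continue  # in neither catalog: stays on the normal patch cadence
            due = date.fromisoformat(kev_by_id[cve]["dueDate"]) if in_kev else None
            findings.append({
                "asset": asset["asset"], "cve": cve,
                "catalogs": [c for c, hit in (("KEV", in_kev), ("CVIE", in_cvie)) if hit],
                # Internet-facing and catalogued = immediate; internal hits still get hunted.
                "priority": "P1" if asset["exposed"] else "P2",
                "due": due, "overdue": due is not None and today > due,
            })
    return sorted(findings, key=lambda f: (f["priority"], f["due"] or date.max))


def overdue_assets(findings):
    """Assets whose KEV remediation due date has already passed."""
    return [f["asset"] for f in findings if f["overdue"]]


if __name__ == "__main__":
    for f in triage(INVENTORY, KEV_SAMPLE, CVIE_SAMPLE, date.today()):
        print(f)
```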

10% · Infrastructure Proximity & Physical Pre-Positioning
Sources: FARA Filings · OSINT · FBI Counterintelligence · Congressional Reports
Foreign Land Purchases Near Critical Energy Infrastructure
Elevated
Sources: FARA Registration Database · Congressional Reporting · FBI Counterintelligence · OSINT
Chinese nationals and CCP-linked entities continue purchasing farmland and property adjacent to military bases, energy infrastructure, pipelines, and water treatment facilities across the United States. This includes documented purchases in Maine, the Midwest, and other regions with critical grid infrastructure. The threat model is direct: physical proximity to a substation or grid infrastructure enables hardware implant placement, signals intelligence collection, physical security vulnerability mapping, and in worst-case scenarios, sabotage that could appear as equipment failure. This pattern is consistent with Volt Typhoon’s cyber pre-positioning — both represent different layers of the same strategic objective: the ability to disrupt U.S. critical infrastructure during geopolitical conflict. FARA-flagged entities operating near energy facilities should be treated as a watch item in any utility’s threat assessment.
Action Required: Cross-reference any recent land sales or new business incorporations near your facilities against FARA registrations and public corporate records. Report any unusual physical surveillance, unexpected drone activity, or suspicious vendor approaches to your security officer and local FBI field office. Coordinate with local law enforcement on critical infrastructure awareness. This is a watch item — not a confirmed threat — but the pattern warrants attention.
Supply Chain & Insider Recruitment Targeting Energy Sector
Elevated
Sources: Flashpoint 2026 GTIR · FBI Counterintelligence · Dragos 2026
Flashpoint documented 91,321 instances of insider recruiting activity in 2025, with extortionist groups specifically targeting employees at critical infrastructure organizations. The IRGC-linked group Pyroxene uses recruitment-themed social engineering via fake social media profiles before delivering targeted spearphishing. Energy sector employees with access to SCADA systems, grid operations data, or physical facility access represent high-value recruitment targets. The insider threat is not purely digital — it begins with physical and social access. Supply chain attacks against OT vendors have quadrupled over the past five years, with attackers targeting less-defended vendors to gain access to multiple utilities through a single compromise.
Action Required: Review contractor and vendor vetting procedures for all personnel with OT or facility access. Ensure all third-party physical access is logged and badged. Brief employees — especially those with SCADA access or grid operations roles — on recruitment-themed social engineering. Establish a confidential insider threat reporting mechanism. Audit supply chain vendor security practices with specific attention to OT access.

10% · Active Threat Actor Profiles — Energy Sector
Sources: MITRE ATT&CK · Dragos · CISA · FBI · Cyble
Volt Typhoon (Voltzite)
Also known as: Bronze Silhouette · Vanguard Panda · Insidious Taurus · Dev-0391
PRC State-Sponsored
The defining threat to U.S. energy infrastructure. Active since mid-2021. Primary mission: pre-position inside critical infrastructure for future disruption during geopolitical conflict — particularly a Taiwan scenario. Confirmed inside utility control loops as of February 2026. Dwelled inside a Massachusetts utility for over 300 days, exfiltrating OT operating procedures and energy grid spatial layout data. Has also compromised telecommunications providers, emergency services GIS networks, and military-adjacent infrastructure. Uses living-off-the-land techniques to blend with trusted traffic, making detection extremely difficult. KV Botnet rebuilt after FBI disruption. Dragos assesses Voltzite has Stage 2 ICS Cyber Kill Chain capability — meaning it can develop and test attacks on industrial control systems.
Primary TTPs
LOLBins, SOHO Router C2, NTDS.dit, GIS Exfiltration
Target Sectors
Energy, Water, Telecom, Transportation
Activity Level
Critical · Embedded · Pre-Positioned
Pyroxene (IRGC-Linked)
Overlaps with: Imperial Kitten · APT35 · Parisite (initial access provider)
Iranian State-Sponsored
Newly identified by Dragos in 2025. Conducts supply chain attacks targeting critical infrastructure and industrial sectors, expanding from the Middle East into North America and Western Europe. Works with Parisite as an initial access broker. Uses recruitment-themed social engineering via fake social media profiles before delivering spearphishing. The IRGC has historically targeted energy infrastructure — CISA has documented Iranian techniques against U.S. water and energy systems. Elevated activity following Operation Epic Fury. Iran’s disrupted command structure has dispersed cyber capability across autonomous groups, making the threat harder to predict and attribute.
Primary TTPs
Supply Chain, Social Engineering, Spearphishing
Target Sectors
Energy, Critical Infrastructure, Industrial
Activity Level
Active · Expanding into North America
Z-Pentest & Pro-Russian Hacktivist Groups
Multiple aligned groups targeting ICS/SCADA at energy and utilities
Russian-Aligned Hacktivists
Z-Pentest was the most active hacktivist group targeting ICS in 2025, conducting repeated intrusions against a wide range of industrial technologies. Pro-Russian hacktivist groups have aligned with Iranian-linked actors, pooling resources and capabilities. They target SCADA and ICS systems exposed to the internet with default passwords or no authentication. While individual attacks may be unsophisticated, the volume is significant and the convergence with nation-state resources makes them increasingly dangerous. CISA, FBI, EPA, and DOE have issued joint guidance specifically addressing hacktivist targeting of oil and gas ICS/SCADA.
Primary TTPs
Internet-Exposed ICS, Default Credentials, HMI Takeover
Target Sectors
Energy, Oil & Gas, Water, Transportation
Activity Level
Active · High Volume · Converging with Iran

This Week’s Non-Negotiables
Immediate — This Week
1. Hunt for LOLBin abuse in OT-adjacent networks (wmic, netsh, PowerShell)
2. Patch F5 BIG-IP APM and Cisco firewalls (CVE-2026-20131)
3. Audit all internet-facing ICS/SCADA for exposure and default credentials
4. Review systems against CISA CVIE Iranian threat catalog
5. Audit Citrix NetScaler and Ivanti EPM configurations
6. Verify OT network segmentation from IT and internet
Near-Term — 30 Days
1. Deploy OT-specific threat detection and behavioral monitoring
2. Implement CISA CPG 2.0 zero-trust OT controls
3. Conduct supply chain vendor security audit for OT access
4. Brief employees on recruitment-themed social engineering
5. Cross-reference nearby land sales and entities against FARA database
6. Develop utility disruption contingency plan for Volt Typhoon scenarios