IRON LIBERTY
SUMMARY
Active since at least 2010, IRON LIBERTY has historically targeted the energy sector, including energy companies and organizations financing the energy vertical in the U.S. and Europe. Following public reporting of IRON LIBERTY's capabilities in 2014, CTU monitoring of the group's activity suggests that it stopped using its known tools and retired its infrastructure. In late 2016, IRON LIBERTY re-emerged with a campaign targeting the energy sector. CTU researchers temporarily tracked this activity as the CASTLE threat group until links to IRON LIBERTY were verified. In 2019, IRON LIBERTY used strategic web compromises against Ukrainian sport, media, energy and telecommunications websites for NTLM hash-stealing operations. In 2020, third-party reports suggested that IRON LIBERTY had expanded this targeting to aviation organizations in the U.S. CTU researchers assess with moderate confidence that the group operates on behalf of Russia.
Prior to 2014, IRON LIBERTY used custom malware, primarily Sysmain and Havex, combined with commodity penetration-testing tools and tools shared by cybercriminals. In 2014, the group embedded Havex into legitimate remote management software for industrial control systems and created industrial control system scanning and enumeration modules. When it re-emerged in 2016, IRON LIBERTY used spearphishing and strategic web compromise methodologies; it has also used NTLM hash stealing via LNK files and customized malware such as Karagany and MCMD.
Threat Analysis
MCMD Malware Analysis
Resurgent Iron Liberty Targeting Energy Sector
Updated Karagany Malware Targets Energy Sector