IRON VIKING
SUMMARY
IRON VIKING has been involved in multiple disruptive and destructive cyber campaigns since 2014. It has primarily targeted the government, energy, and financial sectors in Ukraine. CTU researchers assess with high confidence that IRON VIKING is operated by a Russian intelligence service. Based on similarities between the targeting activity of IRON VIKING and IRON TWILIGHT, both groups' willingness to launch disruptive operations, and credible third-party reporting linking IRON VIKING to the Russian General Staff Main Intelligence Directorate (GRU), CTU researchers assess with high confidence that IRON TWILIGHT and IRON VIKING are operated by the same Russian intelligence service.
Early IRON VIKING operations were characterized by their use of a modular and highly modified version of the BlackEnergy malware. In mid-2013, CTU researchers observed BlackEnergy malware being used to target a government-funded research organization; the BlackEnergy variant had added plugins to steal data. In December 2015, IRON VIKING disrupted the power supply to western Ukraine using the power company's own control systems after gaining initial access via the BlackEnergy malware. The group also deployed custom tools such as the KillDisk wiper tool and uninterruptible power supply (UPS) firmware to disrupt the operation of the company's IT infrastructure, forcing four months of manual operations. IRON VIKING also launched operations against Ukrainian mining and transportation organizations and a Ukrainian television station.
In January 2016, attacks against the Ukrainian financial sector were executed using the Telebots and GCAT backdoors. In December 2016, IRON VIKING launched another operation against the Ukrainian energy sector using the Industroyer malware, which could communicate directly over common Industrial Control System (ICS) protocols. The group's later destructive operations are characterized by malware crafted either for a particular operation, for example the 2017 NotPetya and BadRabbit campaigns, or for a specific target environment, for example the operations against Ukrainian energy companies.
On February 20, 2020, the U.K. and U.S. governments issued statements condemning disruptive cyber attacks against Georgia on October 28, 2019, and attributed the attacks to the Russian GRU's Main Center for Special Technologies (GTsST), also known as Military Unit 74455. The U.K. Foreign & Commonwealth Office (FCO) statement went on to link Military Unit 74455 to several other incidents that CTU researchers attribute to IRON VIKING, including the 2015 BlackEnergy and 2016 Industroyer/CrashOverride attacks, and the 2017 NotPetya and BadRabbit ransomware attacks.