New Malware Campaign Targets Power Grids and Government Networks
A previously undocumented infostealer malware, tracked as BusySnake, has been found infiltrating government agencies and electrical power companies in Russia, Brazil, and Kazakhstan. Security researchers at Kaspersky attribute the campaign to a threat actor they call Armored Likho.
The discovery marks a worrying expansion of cyber-espionage into operational technology environments. While the malware itself is not designed to disrupt power grids directly, its ability to siphon credentials, system data, and internal communications gives attackers a dangerous foothold.
Think about it: once you have an attacker inside a utility’s IT network, the jump to industrial control systems becomes far easier. That’s the real nightmare scenario.
What Is BusySnake? A Low-and-Slow Data Thief
BusySnake is not a fast-moving worm. It’s the opposite — a stealthy, modular infostealer that operates in stages. The malware arrives via spear-phishing emails, often disguised as official correspondence from government or energy-sector partners.
Once executed, it performs several key actions:
- Credential harvesting — steals login data from browsers, email clients, and VPN software
- Screen capture — takes periodic screenshots of the victim’s desktop
- Keylogging — records keystrokes to capture passwords and sensitive conversations
- File exfiltration — uploads documents matching specific extensions (.doc, .xls, .pdf) to a command-and-control server
The malware communicates over HTTPS to blend in with normal traffic, making detection harder for traditional network monitoring tools.
Armored Likho: Who’s Behind the Attacks?
Kaspersky’s researchers have been tracking Armored Likho since mid-2024. The group shows a clear preference for targeting critical infrastructure — primarily electricity generation and distribution entities, along with central government bodies.
Geographically, the campaign has hit three countries hardest:
- Russia — multiple regional energy companies and federal agencies
- Brazil — at least two major electrical utilities and a state-level government network
- Kazakhstan — a national power grid operator and a ministry
Why these three? The geographic spread suggests the attackers are not driven by simple regional conflict. Instead, they appear interested in energy-sector intelligence across different continents. This could point to state-sponsored espionage or a sophisticated cybercrime group selling access to the highest bidder.
How BusySnake Evades Detection
The malware uses several tricks to stay under the radar. First, it checks for sandbox environments and debuggers before executing its payload — a common anti-analysis technique. If it detects a virtual machine or security tool, it simply shuts down.
Second, BusySnake encrypts its configuration files and uses steganography to hide stolen data inside innocent-looking image files before exfiltration. Security teams scanning for unusual file transfers might miss these pictures entirely.
Third, the malware employs a modular structure. The initial dropper is small and lightweight. Only after confirming a successful infection does it download additional components from the C2 server. This makes signature-based detection nearly useless.
Implications for Critical Infrastructure Security
For organizations running power plants, electrical grids, or government networks, the BusySnake campaign is a wake-up call. The attackers are not just after credit card numbers — they want operational blueprints, SCADA credentials, and internal communications.
Once an attacker has that level of access, they can map out the entire network. From there, it’s a short step to sabotaging industrial control systems or launching ransomware that could black out a city.
Security teams should take immediate action:
- Segment IT and OT networks — ensure that compromised office computers cannot directly communicate with industrial systems
- Deploy behavioral detection — look for unusual data transfers, not just known malware signatures
- Train staff on spear-phishing — many BusySnake infections start with a single employee clicking a malicious attachment
- Monitor for BusySnake indicators — Kaspersky has published IOCs including C2 domains, file hashes, and registry keys
What Comes Next?
The Armored Likho group shows no signs of slowing down. Kaspersky expects them to expand into other regions and sectors, possibly targeting oil and gas or water treatment facilities next.
For now, the best defense is awareness. Critical infrastructure security teams need to assume they are already being probed. The question is not if an infostealer like BusySnake will arrive at their network perimeter — it’s whether they’ll catch it before the data walks out the door.
Organizations that have not yet reviewed their cybersecurity best practices for power grids should do so immediately. And for anyone still relying on antivirus alone to stop modern infostealers — it’s time to rethink that strategy.