Company experts prevented non-tolerable events at Russian critical infrastructure facilities
From May to July, specialists at the Positive Technologies Expert Security Center's Threat Intelligence group (PT ESC TI) found over 180 infected hosts at Russian organizations. The malicious activity directed at Russia's critical infrastructure was traced back to the PhantomCore cybercriminal group. PT ESC TI experts identified the victims and notified them of the cyberthreats before non-tolerable events occurred.
Compromised organizations included government agencies, research institutes, and enterprises in the defense, shipbuilding, chemical, mining, and manufacturing sectors, as well as IT companies. The first attack occurred on May 12, and activity peaked in June, with 56% of all infections occurring on June 30. On average, the group stayed in compromised networks for 24 days, with a maximum of 78 days. At least 49 hosts are still controlled by the attackers.
According to Positive Technologies, the PhantomCore APT group has been active since early 2024 and aims to gain access to confidential information. The cyberattacks are large-scale and selective: victims include Russian organizations in key sectors of the economy and public administration. PhantomCore has a substantial offensive toolkit—from popular open-source utilities and updated versions of well-known tools to previously unknown proprietary malware. This variety helps the attackers remain undetected in infected networks for extended periods. In addition, the group's malicious infrastructure is strictly segmented by function and by tool class.
Nearly half of the servers (48%) are located in Russia, mainly in the networks of three Russian providers. The remaining 52% are hosted abroad, distributed roughly evenly across Finland, France, the Netherlands, the U.S., Germany, Hong Kong, Moldova, and Poland. Meanwhile, 33% of all servers are concentrated with a single Canadian provider.