← Back to Blog
SecurityAPTEnergy

مجموعة APT الروسية Midnight Blizzard تستهدف قطاع الطاقة الأوروبي — 47 شركة مرافق مخترقة

2026-03-03 · 10 min read
تؤكد Microsoft وKENSAI أن Midnight Blizzard (APT29) اخترقت 47 شركة مرافق طاقة أوروبية باستخدام هجوم سلسلة توريد جديد عبر آلية تحديث مورد SCADA. حادثة حرجة بموجب NIS2.

European Energy Sector Under Coordinated Attack

A coordinated cyber campaign attributed to Russian state-sponsored threat actor Midnight Blizzard (also tracked as APT29, Cozy Bear, and Nobelium) has successfully compromised at least 47 European energy utilities across Germany, France, the Netherlands, Austria, and Poland. The campaign, active since mid-January 2026, represents one of the most significant attacks on European critical infrastructure since the 2022 escalation.

Attack Vector: SCADA Vendor Supply Chain

The attackers compromised the update server of Schneider Electric's EcoStruxure SCADA management platform, injecting a modified firmware update package containing a sophisticated backdoor dubbed 'VoltDrop.' The trojanized update was digitally signed using a stolen code-signing certificate, bypassing integrity verification checks at 47 utility companies that deployed the update between January 18 and February 12, 2026.

VoltDrop Backdoor Capabilities

The VoltDrop implant operates at the firmware level of Schneider Electric Modicon PLCs, providing attackers with:

Confirmed Impact Across DACH Region

Germany bears the heaviest impact with 19 confirmed compromises, including three of the country's largest regional energy providers. Austria reports 7 compromised utilities, and Switzerland, while not directly affected through EcoStruxure, has identified reconnaissance activity against its grid operators. The BSI (Federal Office for Information Security) has issued a RED alert and is coordinating incident response with affected operators.

NIS2 Implications

This incident triggers mandatory NIS2 reporting obligations for all affected entities. Under NIS2 Article 23, essential entities must submit an early warning to their national CSIRT within 24 hours and a full incident notification within 72 hours. KENSAI analysis suggests that at least 12 of the compromised utilities had not yet fully implemented NIS2 supply chain security requirements, highlighting the urgency of compliance.

Detection and Indicators of Compromise

KENSAI has published a comprehensive IoC package including:

Organizations running EcoStruxure versions 3.4 through 3.6.2 should immediately audit their update history and scan for the published IoCs.

Recommended Actions

  1. Immediately isolate any Schneider Electric Modicon PLCs that received updates between January 18 – February 12, 2026
  2. Deploy KENSAI's ICS-specific scanning module to detect VoltDrop indicators
  3. Revoke and rotate all SCADA system credentials
  4. Implement network segmentation between OT and IT environments if not already in place
  5. File NIS2 incident reports with your national CSIRT within the mandatory timeline
  6. Contact Schneider Electric's PSIRT for verified clean firmware images

🗡️ Protect Your Infrastructure

Get a free security scan of your systems in 60 seconds

Free Security Scan →