Electrum Kamacite Ten Years Adversary Tradecraft Intel Report 01 26

Since December 2015, a limited number of cyber operations have fundamentally altered how defenders assess risk to industrial control environments. Beginning with the first publicly confirmed cyber-induced power outages in 2015 and 2016, these operations demonstrated how access to enterprise networks could translate into deliberate disruptions of industrial control systems under real-world conditions. Subsequent campaigns attributed to ELECTRUM and KAMACITE, beginning in 2015, demonstrated how these techniques could be operationalized at scale against civilian critical infrastructure, extending cyber-physical risk from exceptional cases into sustained threat activity.

ELECTRUM and KAMACITE are closely linked threat groups whose operations reflect a coordinated approach to achieving operational technology (OT) impact. Dragos tracks ELECTRUM and KAMACITE as distinct threat groups based on their roles, tradecraft, and operational focus within intrusion campaigns targeting industrial environments. KAMACITE operates primarily as an access and enablement threat group. Its activity focuses on establishing and maintaining initial access to targeted organizations, typically through techniques such as spearphishing, credential compromise, exploitation of exposed services, and lateral movement within enterprise environments. ELECTRUM is responsible for executing actions on objectives that result in direct interaction with industrial control systems. Following access enablement, ELECTRUM conducts operations that bridge IT and OT environments, deploys tooling within operational networks, and performs ICS-specific actions that manipulate control systems or disrupt physical processes.

ELECTRUM’s ability to affect industrial control systems did not emerge fully formed, nor did it follow a simple trajectory toward increasingly complex or automated attacks. The December 2015 Ukraine power grid disruption marked the first publicly confirmed instance of a cyber operation directly manipulating ICS to interrupt civilian electric service. In that operation, adversaries used hands-on interaction with operator environments followed by enterprise compromise, leveraging legitimate interfaces and workflows to open breakers and disrupt power delivery. This attack demonstrated that OT impact could be achieved against live civilian infrastructure using adversary tradecraft. The December 2016 Ukraine power grid attack, which involved the deployment of CRASHOVERRIDE (also known as Industroyer), represented a clear shift toward operationalization. Rather than relying on manual interaction with operator interfaces, the malware could issue automated control commands via native ICS protocols.

Taken together, ELECTRUM and KAMACITE represent a coordinated operational model in which access, positioning, and OT execution are treated as distinct but interdependent functions. This separation of roles has enabled sustained OT-focused activity across multiple incidents and operational contexts. The sustained use of OT-focused tradecraft over multiple years reflects the development of an experienced operational capability, repeatedly exercised under real-world conditions. This experience, once gained, does not dissipate. As a result, the risk posed by disruption of industrial processes is shaped not only by specific tools and campaigns but by the persistence of adversary knowledge, operational confidence, and tested execution models that remain relevant well beyond any single conflict or region.

To read the complete article see: Electrum Kamacite Report

This post is licensed under CC BY 4.0 by the author.