Electronic Transactions Development Agency (ETDA)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Operation Electric Powder

Names: Operation Electric Powder (ClearSky)
Motivation: Information theft and espionage
First seen: 2016
Description: (ClearSky) From April 2016 until at least February 2017, attackers have been spreading malware via fake Facebook profiles and pages, breached websites, self-hosted and cloud-based websites. Various artifacts indicate that the main target of this campaign is IEC – Israel Electric Company. These include domains, file names, Java package names, and Facebook activity. We dubbed this campaign “Operation Electric Powder”.

Israel Electric Company (also known as Israel Electric Corporation) “is the largest supplier of electrical power in Israel. The IEC builds, maintains, and operates power generation stations, sub-stations, as well as transmission and distribution networks. The company is the sole integrated electric utility in the State of Israel. Its installed generating capacity represents about 75% of the total electricity production capacity in the country.”

It is notable that the operational level and the technological sophistication of the attackers are not high. Also, they are having a hard time preparing decoy documents and websites in Hebrew and English. Therefore, in most cases a vigilant target should be able to notice the attack and avoid infection. We do not have any indication that the attacks succeeded in infecting IEC-related computers or stealing information.

Currently we do not know who is behind Operation Electric Powder or what its objectives are.

Also see WildCard.

This actor is reported as potentially linked to the threat actor known as Molerats, Extreme Jackal, Gaza Cybergang, but no strong evidence has been found.
Observed:
Sectors: Energy.
Countries: Israel.
Tools used: SysJoker.

Last change to this card: 30 November 2023
