Security Alert: Everest Group Targeting Critical Infrastructure

Published on October 29, 2025

Summary:

Everest is a financially motivated, Russian-speaking group engaged in data theft, extortion, and initial access brokering. It is actively attacking critical infrastructure, and the period from July through October 2025 represents the group’s most active months since its inception in 2020.

Details:

  • Targets: Recent attack and data theft claims include major energy, aviation, and telecommunications sector targets in Sweden, Ireland, Saudi Arabia, and the US.
  • Tactics: Everest exploits vulnerable remote services and uses stolen or insider-provided credentials to breach supplier-managed file-transfer systems, steal sensitive data, and extort victims.

Mitigation:

  • Enforce multi-factor authentication for all remote, vendor, and privileged accounts used to access IT and OT networks. Continuously monitor for abnormal login patterns or access attempts outside standard maintenance windows [M1032].
  • Restrict direct internet exposure of vendor and file-transfer systems connected to energy operations. Use hardened reverse proxies, network segmentation, and strict authentication for external maintenance or data exchange [M1030].
  • Apply least-privilege access for all third-party contractors and integrators. Segment supplier and maintenance networks from production and SCADA environments to prevent lateral movement [M1036].
  • Monitor for credential misuse, command-and-control traffic, large outbound data transfers, and staging activity from engineering or file-transfer servers. Correlate with baseline operational telemetry to detect anomalies in OT-connected systems [M1047].
  • Maintain and harden offline backups of both IT and OT system configurations to enable recovery and reduce extortion leverage. Ensure backup infrastructure is isolated from control networks and tested regularly for restoration [M1053].
  • Identify and remediate known exploited vulnerabilities, such as Fortinet edge device flaws CVE-2024-21762 and CVE-2024-55591, which have been leveraged by other ransomware groups against infrastructure operators [M1051].
  • Deploy dedicated anti-ransomware defenses across IT and OT boundary networks to block malicious binaries pre-execution [M1038], detect runtime behaviors and data exfiltration attempts [M1040], prevent tampering and network intrusion [M1031], and protect the integrity of offline backups to ensure operational recovery [M1053].
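The two monitoring bullets above (abnormal vendor logins outside maintenance windows, and large outbound transfers from file-transfer servers) can be turned into simple detections. The script below is an added example, not Halcyon code; the log formats, account names, hosts, maintenance windows, baselines and the 10x threshold are all assumptions chosen for the demonstration, and the log lines are constructed.

```python
"""Added example (not from the alert or from Halcyon): two detections over
constructed sample logs.

  1. Successful logins by vendor/remote-access accounts that fall outside
     that account's agreed maintenance window.
  2. Outbound transfer volume from a file-transfer host that exceeds a
     per-host daily baseline by a large factor.

All hosts, accounts, windows, baselines and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed auth log lines: "<ISO timestamp> <user> <src_ip> <result>"
AUTH_LOG = """\
2025-10-20T02:14:05 vendor-svc01 203.0.113.7 success
2025-10-20T10:30:12 vendor-svc01 203.0.113.7 success
2025-10-20T23:48:40 vendor-svc02 198.51.100.9 success
2025-10-21T11:02:00 ops-admin 10.10.5.4 success
"""

# Constructed transfer log lines: "<ISO timestamp> <host> <direction> <bytes>"
XFER_LOG = """\
2025-10-20T01:00:00 mft-gw01 out 52000000
2025-10-20T02:00:00 mft-gw01 out 61000000
2025-10-20T03:00:00 mft-gw01 out 4900000000
2025-10-20T03:00:00 eng-ws07 out 8000000
"""

# Assumed maintenance windows per vendor account: (start, end), local time.
MAINTENANCE_WINDOWS = {
    "vendor-svc01": (time(8, 0), time(18, 0)),
    "vendor-svc02": (time(8, 0), time(18, 0)),
}

# Assumed per-host outbound baseline in bytes per day.
BASELINES = {
    "mft-gw01": 200_000_000,
    "eng-ws07": 50_000_000,
}


def logins_outside_window(log_text, windows=MAINTENANCE_WINDOWS):
    """Return (timestamp, user, src_ip) for successful logins by accounts that
    have a defined window but authenticated outside it."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, user, src, result = line.split()
        # Only accounts with an agreed window are in scope; failures are
        # left to a separate brute-force rule.
        if result != "success" or user not in windows:
            continue
        ts = datetime.fromisoformat(ts_s)
        start, end = windows[user]
        if not (start <= ts.time() < end):
            findings.append((ts_s, user, src))
    return findings


def outbound_spikes(log_text, baselines=BASELINES, factor=10.0):
    """Return {host: total_out_bytes} for hosts whose summed outbound volume
    exceeds factor x their baseline."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, direction, nbytes = line.split()
        if direction == "out":
            totals[host] += int(nbytes)
    return {h: t for h, t in totals.items()
            if h in baselines and t > factor * baselines[h]}


if __name__ == "__main__":
    for ts_s, user, src in logins_outside_window(AUTH_LOG):
        print(f"login outside maintenance window: {ts_s} {user} from {src}")
    for host, total in outbound_spikes(XFER_LOG).items():
        print(f"outbound volume spike: {host} sent {total} bytes")
```

In production the windows and baselines would come from the vendor access register and from observed per-host telemetry rather than constants; the point of the example is that both rules key on a per-account or per-host expectation, which is what "correlate with baseline operational telemetry" means in practice.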

Source Summary:

This Alert is based on Halcyon observations, open-source information, and ongoing research. Findings reflect our current understanding of threat actor activity and may be updated as new evidence emerges.
