Inside a threat actor's critical infrastructure targeting
In January 2026, 139 gigabytes of engineering data from a U.S. power infrastructure company appeared for sale on an underground forum. The seller wanted 6.5 Bitcoin. The data included LiDAR point clouds of transmission line corridors, substation configurations, and vegetation mapping for three major utilities.
The seller explicitly noted the data was "suitable for infrastructure analysis, modeling, risk assessment, or specialized research."
That language matters. The actor understands exactly what this data enables.
What the Data Contains
The breach targeted an engineering firm that provides surveying and design services to electric utilities. The stolen files include:
- 800+ LiDAR point cloud files mapping transmission corridors
- High-resolution orthophotos of substations
- MicroStation design files with line configurations
- Vegetation analysis along rights-of-way
For a utility or engineering firm, this is operational data. For an adversary, this is reconnaissance gold. The files map exactly where power lines run, how they're configured, what vegetation threatens them, and where substations connect to the grid.
Why This Matters
Grid infrastructure has become a high-value target. Physical attacks on substations have increased in recent years. Cyber-physical attacks that combine digital intrusion with physical action remain a persistent concern in the intelligence community.
Data like this enables detailed planning. An adversary could identify vulnerable transmission corridors, understand redundancy patterns, or map critical interconnection points. The threat model here extends beyond financial cybercrime.
The Access Method
This wasn't a sophisticated attack on industrial control systems. It wasn't a supply chain compromise or zero-day exploit. According to public reporting on the same threat actor, the likely access method was testing infostealer-harvested credentials against cloud file-sharing platforms.
Someone at the company had their browser credentials stolen by commodity malware. Those credentials weren't protected by MFA. The threat actor logged in and extracted 139GB of sensitive engineering data.
The Pricing Signal
At 6.5 Bitcoin (roughly $600,000 at current prices), this is the highest-value individual listing we’ve observed from this actor. Compare that to a law firm breach listed at 0.09 Bitcoin or a furniture manufacturer at $1,500.
The pricing reflects what the actor believes the data is worth to potential buyers. Critical infrastructure data commands a premium. The buyer pool for this data includes parties with resources and motivations beyond simple financial crime.
Defensive Lessons
Organizations handling sensitive infrastructure data should treat that data like it's already being targeted. Specific recommendations:
Segment sensitive project data. Engineering files for critical infrastructure shouldn't sit on the same file-sharing platform as general corporate documents.
Enforce MFA without exception. Especially for any system accessible from the internet. The credential that got tested was probably years old. MFA would have made it worthless.
Monitor access patterns. Bulk downloads of sensitive files should trigger alerts. 139GB doesn't exfiltrate quietly unless no one is watching.
Vet third-party security. Utilities often rely on engineering contractors who have weaker security postures. Your security extends to everyone with access to your data.
Assume the perimeter is porous. Design controls assuming credentials will eventually leak. Because they will.
The Broader Pattern
This actor has listed data from 50+ organizations across 15 countries. Aviation. Healthcare. Government. Construction. Critical infrastructure is one target category among many. The common thread is opportunistic access via stolen credentials and absent MFA.
The infostealer economy doesn't discriminate. It harvests everything. Threat actors like Zestix specialize in identifying the high-value targets within that ocean of compromised credentials.
Critical infrastructure organizations need to understand they're operating in this environment. The threat isn't hypothetical adversaries with nation-state resources. It's financially motivated actors selling grid data to the highest bidder.
Mike Bell is Founder and CEO of Suzu Labs, building AI-powered platforms for meeting intelligence, business intelligence, and secure document processing. He brings a security-first perspective to threat analysis based on over two decades in cybersecurity spanning penetration testing, incident response, security architecture, and AI security.
.png)
