Nozomi/Citadel
In Operational Technology (OT) and Industrial Control Systems (ICS), the convergence of Information Technology (IT) and OT has created unparalleled efficiency and unprecedented risk. Security researchers recently turned their attention to a new strain of malware dubbed Citadel, a sophisticated threat targeting Schneider Electric's EcoStruxure SCADA platform.
Based on the campaign's tradecraft, Nozomi Networks and CISA advised:
Nozomi Networks declined to publicly attribute Citadel, but confidential briefings to EU CERTs labeled the threat "likely state-sponsored with high confidence."
Citadel relies on specific OT protocols to communicate with controllers and execute commands. Nozomi performs deep packet inspection (DPI) on those protocols (such as Modbus, DNP3 and EtherNet/IP). If the malware attempts to push a malicious command or alter the logic running on a controller, the matching traffic signature raises an immediate alert. Because Citadel's C2 channel is encrypted, the protocol-level detection point is the OT side of the intrusion: the write or logic download itself, not the instruction that triggered it.
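As an added example (not Nozomi Networks' code or its signatures), the Python below shows the kind of check such DPI performs for Modbus/TCP: it parses the MBAP header and function code of each request and alerts on state-changing write functions from any host that is not on an engineering-workstation allowlist. The frames, addresses and allowlist are constructed for illustration and are assumptions, not data from the page.

```python
"""Added example (not Nozomi Networks code): flag Modbus/TCP write requests
from hosts that are not on the engineering-workstation allowlist.

Assumptions (not from the page): the sample frames, host addresses and the
allowlist below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state.
MODBUS_WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    src_ip: str
    dst_ip: str
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes


def parse_modbus_tcp(src_ip: str, dst_ip: str, frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {proto})")
    # The MBAP length field counts unit id + PDU; check it against the wire.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame length")
    return ModbusRequest(src_ip, dst_ip, tid, unit, frame[7], frame[8:])


def alerts_for(frames, allowed_writers):
    """Return alert strings for write requests from non-allowlisted sources."""
    alerts = []
    for src, dst, raw in frames:
        try:
            req = parse_modbus_tcp(src, dst, raw)
        except ValueError as exc:
            alerts.append(f"MALFORMED {src}->{dst}: {exc}")
            continue
        if req.function in MODBUS_WRITE_FUNCTIONS and req.src_ip not in allowed_writers:
            name = MODBUS_WRITE_FUNCTIONS[req.function]
            alerts.append(
                f"WRITE {src}->{dst} unit {req.unit_id}: {name} (0x{req.function:02X})"
            )
    return alerts


def build_frame(tid: int, unit: int, function: int, pdu_body: bytes) -> bytes:
    """Build a Modbus/TCP frame; used only to construct the sample traffic."""
    pdu = bytes([function]) + pdu_body
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (assumption): the engineering workstation reads and
# writes legitimately; an unexpected host issues a Write Multiple Registers.
ENGINEERING_WS = "10.10.1.5"
PLC = "10.10.2.20"
SAMPLE_FRAMES = [
    (ENGINEERING_WS, PLC, build_frame(1, 1, 0x03, b"\x00\x00\x00\x0A")),  # Read Holding Registers
    (ENGINEERING_WS, PLC, build_frame(2, 1, 0x06, b"\x00\x10\x00\x01")),  # allowed write
    ("10.10.3.77", PLC, build_frame(3, 1, 0x10, b"\x00\x10\x00\x02\x04\xDE\xAD\xBE\xEF")),
    ("10.10.3.77", PLC, b"\x00\x04\x00\x00"),  # truncated frame
]


def demo():
    """Run the detector over the constructed traffic."""
    return alerts_for(SAMPLE_FRAMES, {ENGINEERING_WS})


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The allowlist is the important design choice: a write from the engineering workstation is expected, so the same function code is only an alert when the source is wrong. A production sensor would also baseline which unit ids and register ranges each host normally touches, and would treat a malformed frame on an OT segment as its own signal.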
Citadel exhibited a modular design, communicating with its C2 domains over DNS TXT-record beacons carrying encrypted data and over HTTPS. Key modules:
However, with the right tools this threat is manageable. Nozomi Networks transforms the opaque, complex world of OT networks into a transparent, manageable environment. By combining asset visibility, vulnerability intelligence and behavioral anomaly detection, Nozomi ensures that even sophisticated threats like Citadel are caught before the lights go out.
Citadel is not just another piece of ransomware; it is a targeted attack tool built to exploit specific vulnerabilities in industrial software. Specifically, it targets the EcoStruxure platform noted above, taking advantage of a deserialization vulnerability (CVE-2024-XXXXX, placeholder for the specific CVE).
C2 domains resolved to bulletproof hosting providers in Eastern Europe and used TLS certificates issued to fictitious entities. DNS beacon intervals ranged from 60 seconds (active monitoring) to 24 hours (dormant). A subset of Citadel samples shared code with Industroyer (the 2016 Ukraine power outage) and VPNFilter (the 2018 router botnet); code overlap of this kind suggests shared tooling or lineage but is not by itself proof of a common operator.
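The DNS TXT beaconing described in the two passages above (the C2 channel and its 60-second-to-24-hour intervals) is detectable on the resolver side without decrypting anything. The following Python is an added example, not Nozomi Networks' code, of the two checks a practitioner would run over DNS query logs: regular inter-query timing per (source host, registered domain), and high-entropy subdomain labels that look like encoded data. The log format, domain names, hosts and thresholds are constructed for illustration and are assumptions, not data from the page.

```python
"""Added example (not Nozomi Networks code): surface DNS TXT beaconing in query
logs by (a) regular inter-query intervals and (b) high-entropy subdomain labels.

Assumptions (not from the page): the log format, the domain names, the hosts
and the thresholds below are constructed for illustration.
"""
import math
import statistics
from collections import defaultdict
from datetime import datetime


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """'2024-05-01T10:00:00Z 10.10.1.5 TXT abc.example.net' -> (ts, src, qtype, qname)."""
    ts, src, qtype, qname = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, qtype, qname.rstrip(".")


def registered_domain(qname: str) -> str:
    """Last two labels; a real deployment would consult the public-suffix list."""
    return ".".join(qname.split(".")[-2:])


def find_beacons(lines, min_queries=4, max_cv=0.2, min_entropy=3.0):
    """Return (src, domain, mean_interval_s, cv, mean_entropy) for suspicious TXT streams.

    cv is the coefficient of variation of inter-query gaps: a low value means
    the host queries on a schedule, which is how beacons behave and users do not.
    """
    streams = defaultdict(list)
    for line in lines:
        ts, src, qtype, qname = parse_line(line)
        if qtype != "TXT":
            continue
        sub = qname.split(".")[:-2]  # labels below the registered domain
        ent = statistics.fmean(label_entropy(l) for l in sub) if sub else 0.0
        streams[(src, registered_domain(qname))].append((ts, ent))

    findings = []
    for (src, dom), events in streams.items():
        if len(events) < min_queries:
            continue  # too few observations to judge periodicity
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        mean_ent = statistics.fmean(e for _, e in events)
        if cv <= max_cv and mean_ent >= min_entropy:
            findings.append((src, dom, round(mean_gap), round(cv, 3), round(mean_ent, 2)))
    return findings


# Constructed sample log (assumption): one host beacons roughly every 60 s with
# random-looking labels; another host does ordinary, irregular TXT lookups.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.10.1.5 TXT q8v2m7x1k4p9c3z6n5w0.c2-example.net",
    "2024-05-01T10:00:05Z 10.10.4.9 TXT _dmarc.example.com",
    "2024-05-01T10:01:01Z 10.10.1.5 TXT h3t7y1u9r5e2a8s4d6f0.c2-example.net",
    "2024-05-01T10:02:00Z 10.10.1.5 TXT b4g8j2l6o0i5e1x7k3m9.c2-example.net",
    "2024-05-01T10:02:30Z 10.10.4.9 TXT example.com",
    "2024-05-01T10:03:02Z 10.10.1.5 TXT z2c6n0v4m8q1w5r9t3y7.c2-example.net",
    "2024-05-01T10:03:59Z 10.10.1.5 TXT p5d9s1f3g7h2j4k6l8a0.c2-example.net",
    "2024-05-01T10:05:00Z 10.10.1.5 A www.example.com",
    "2024-05-01T10:40:00Z 10.10.4.9 TXT _dmarc.example.com",
    "2024-05-01T10:41:10Z 10.10.4.9 TXT selector1._domainkey.example.com",
]


def demo():
    """Run the beacon detector over the constructed log."""
    return find_beacons(SAMPLE_LOG)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The dormant 24-hour interval the text describes is the weak spot of this approach: with `min_queries=4`, a host that beacons once a day needs four days of retained logs before its timing can be judged, so the entropy check on labels, which works on a single query, matters more for slow beacons than the periodicity check does.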
Unlike commodity ransomware, Citadel showed deliberate restraint, exfiltrating engineering workstation configurations and SCADA topology data without triggering operational alarms. This paper dissects the campaign's technical pillars and strategic implications.