Hydra Saiga: Covert Espionage and Infiltration of Critical Utilities

· Published 17/03/2026 11:03 · Modified 17/03/2026 11:17

Essential information

Tags
2026-03-17, central asia, critical-infrastructure, custom implants, energy sector, espionage, jlorat, kazakhstan, telegram, telemiris, water resources
Related entities
41 observables, 1 intrusion sets (apt), 21 techniques (mitre), 2 malware, 49 others

Description

Hydra Saiga, a suspected Kazakhstani state-sponsored threat actor, has been actively targeting government, energy, and critical infrastructure in Central Asia, Europe, and the Middle East since 2021. The group is known for using the Telegram Bot API for C2 communication and employing a mix of custom implants and 'Living off the Land' techniques. Their activities align closely with Kazakhstan's geopolitical interests, particularly in the water and energy sectors. The group has compromised at least 34 organizations across 8 countries, with reconnaissance extending to over 200 additional targets globally. Hydra Saiga's operations demonstrate a clear focus on water infrastructure linked to major regional rivers and gas distribution systems, reflecting strategic intelligence collection efforts.

External references