FamousSparrow group conducted multi-wave attacks against oil and gas company over two-month period.
Summary
- Chinese-linked FamousSparrow group targeted unnamed Azerbaijani energy company
- Multi-wave intrusion campaign ran from December 2025 to February 2026
- Attacks exploited Microsoft Exchange vulnerabilities, according to Bitdefender's analysis; the specific flaws were not named in the available reporting
A Chinese-affiliated threat group conducted a sustained cyber attack against an Azerbaijani oil and gas company over a two-month period, according to new research from Bitdefender.
The security firm attributed the campaign to FamousSparrow (also known as UAT-9244) with moderate-to-high confidence. The attacks occurred between late December 2025 and late February 2026.
Bitdefender described the incident as a “multi-wave intrusion” targeting the unnamed energy company, meaning several distinct bursts of activity rather than a single break-in. The campaign represents an expansion of FamousSparrow’s targeting scope into the energy sector.
The attacks exploited vulnerabilities in Microsoft Exchange, though specific technical details of the exploitation methods were not disclosed in the available reporting.
FamousSparrow has previously been documented conducting cyber espionage operations; what makes this activity notable is the target, a critical infrastructure operator in the energy sector.
The targeting of Azerbaijan’s energy sector aligns with broader patterns of nation-state activity against critical infrastructure globally. However, the specific motivations and objectives of this particular campaign remain unclear from available reporting.
Why It Matters
This incident highlights the persistent targeting of critical infrastructure by nation-state actors, particularly in the energy sector. For CISOs in similar industries, it is both a direct threat indicator and a reminder of the extended period over which sophisticated adversaries can maintain access.
The multi-wave nature of the attack suggests the threat group either kept persistent access or regained entry repeatedly across a two-month period. Either way, activity went undetected for weeks at a time, which points to gaps in detection coverage that organisations should evaluate in their own environments.
What To Do Now
- Review Microsoft Exchange security configurations and confirm that every server is on a supported Cumulative Update with the latest Security Update applied
- Assess detection capabilities for multi-stage intrusions spanning extended timeframes, including repeated re-entry after an initial compromise
- Monitor for indicators associated with FamousSparrow/UAT-9244 activity, using the IOCs published in Bitdefender’s report
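The two Exchange-focused items above can be started with a short triage script. The following is an added example written for this page, not code from Bitdefender's report or from Microsoft; it assumes it is run in the Exchange Management Shell on each Exchange server, that the installer's `ExchangeInstallPath` environment variable is present, and that a 90-day look-back window (covering the length of the reported campaign) is appropriate. It reports the exact installed build so it can be compared against Microsoft's published build numbers, then lists recently created or modified ASP.NET files under the Exchange web roots, the usual drop location for web shells after Exchange exploitation.

```powershell
# Added example: Exchange patch-level and web-root triage (not from the Bitdefender report).
# Assumptions: run locally in the Exchange Management Shell on each server;
# $env:ExchangeInstallPath is set by the Exchange installer; 90-day window is illustrative.

# 1. Exact installed build.
#    Get-ExchangeServer's AdminDisplayVersion only changes with Cumulative Updates;
#    the file version of ExSetup.exe also changes with Security Updates, so that is
#    the value to compare against Microsoft's Exchange build-number table.
function Get-ExchangeBuildReport {
    $exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    $server  = Get-ExchangeServer -Identity $env:COMPUTERNAME
    [pscustomobject]@{
        Server              = $server.Name
        AdminDisplayVersion = $server.AdminDisplayVersion.ToString()
        ExSetupBuild        = (Get-Item $exSetup).VersionInfo.ProductVersion
    }
}

# 2. Recently written server-side script files under the Exchange web roots.
#    Legitimate CU/SU installs also touch these directories, so compare the list
#    against a freshly patched reference server before treating any hit as a shell.
function Find-RecentWebRootScripts {
    param([int]$LookbackDays = 90)   # assumption: window covering Dec 2025 - Feb 2026

    $webRoots = @(
        (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
        (Join-Path $env:ExchangeInstallPath 'ClientAccess'),
        'C:\inetpub\wwwroot'
    ) | Where-Object { Test-Path $_ }

    $since = (Get-Date).AddDays(-$LookbackDays)

    Get-ChildItem -Path $webRoots -Recurse -Include *.aspx, *.ashx, *.asmx -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
        Select-Object FullName, CreationTime, LastWriteTime, Length |
        Sort-Object CreationTime -Descending
}

Get-ExchangeBuildReport | Format-List
Find-RecentWebRootScripts | Format-Table -AutoSize
```

Run the script on every Exchange server, not just one; a multi-wave intrusion may have left different artefacts on different hosts. Any file that is absent from a known-good, freshly patched server warrants acquisition and review before it is deleted, since its contents and timestamps help establish when each wave began.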
