Blog / Automation

When Your Automation Becomes the Attack Surface: Learning from Armored Likho

A new threat actor targets critical infrastructure through integrated systems. What this means for developers building workflows.

Juan David Avellaneda July 3, 2026 4 min read 5 views
When Your Automation Becomes the Attack Surface: Learning from Armored Likho

The Infrastructure We Keep Building

Last week I read about Armored Likho—a threat actor running dual operations across Russia, Brazil, and Kazakhstan. They're targeting government agencies and power infrastructure while simultaneously stealing credentials from regular people. The technical analysis from Kaspersky describes a blend of financial motivation and espionage, which at first seemed contradictory. Why would the same group do both? Then I realized I was thinking about it wrong.

I build automation systems. Workflows. API integrations. Payment pipelines that connect your e-commerce platform to your inventory management. CI/CD deployments. When you're building systems that talk to each other—especially systems that touch critical operations—you create something that looks invisible to most people but absolutely essential to operations. That's exactly the territory where attacks like this happen.

Why Integrated Systems Are Tempting Targets

  • A single compromised integration point can expose multiple systems at once, which is attractive if you're financially motivated and need quick wins
  • Power sector SCADA systems, government networks—they often run on older tech stacks with integrations bolted on over decades of infrastructure changes
  • Most automation platforms I work with assume the devices and services connecting to them are already trusted
  • Credential theft from one workflow layer propagates upward faster than anyone realizes
  • We don't usually audit the integrations. We audit the endpoints.

Here's where I'm genuinely uncertain about my own work: when I build a new integration—say, connecting a client's accounting system directly to their payment processor with automated reconciliation—I'm creating a pathway that, if compromised, could expose far more than the integration itself was ever designed to touch. I'm not sure we (developers building these systems) spend enough time thinking about what happens when the integration becomes the vulnerability rather than just connecting two safe systems together. The attack doesn't need to break into the power grid directly. It needs to break into the automation layer.

The Dual-Purpose Problem

What interests me most about Armored Likho isn't the technical sophistication. It's the operational model. They're running two completely different campaigns simultaneously—credential stealing from individuals mixed with targeted attacks on critical infrastructure. This suggests they're comfortable with scale and complexity.

I wonder if that's actually the more dangerous part. Not the technical capability, but the comfort with operating at multiple levels of sophistication at once. When you're building automation, you're often consolidating operations. You're making things run at scale. If those operations are malicious, you've just created leverage that didn't exist before. A single compromised automation script deployed across a government agency's systems could touch dozens of departments. A single stealer trojan embedded in a workflow library could harvest credentials from every company using that integration.

The financial motivation is almost secondary to the access it buys you.

What This Actually Changes

For developers building these systems—and I mean integrations, workflows, automation platforms—this isn't a call to add more authentication layers or implement zero-trust architecture. You should be doing that anyway. This is something more unsettling.

It's the realization that we've been thinking about security as a property of endpoints when we should be thinking about it as a property of the connections between them. We've been treating the integration as the neutral middle ground when it's actually the highest-value target in most modern business operations.

I don't have a clean answer here.

The platforms we use—Zapier, n8n, Make, custom solutions—they're all designed for ease of integration, not adversarial design. That's a tradeoff we made collectively. Whether it was the right one, whether the productivity gains justify the surface area we've created for attacks like this: I genuinely don't know. I keep building these systems because the business need is real and the productivity gain is measurable. But Armored Likho's operation against critical infrastructure suggests that the cost side of that equation isn't being calculated correctly.

If you're running government infrastructure or power systems and relying on automated integrations, you probably need to audit those more aggressively than you're currently doing.

If you're building those integrations, you might want to start thinking about what happens when you're not the only one with access to your workflow.

#cybersecurity #automation #infrastructure #threat-actors #integrations #API-security

Was this helpful?

Juan David Avellaneda

Juan David Avellaneda

Innovation Specialist · Bogotá, Colombia