A Chinese-affiliated threat actor exploited Microsoft Exchange servers to conduct a sustained attack against an Azerbaijani energy company over three months. Bitdefender attributed the intrusion to FamousSparrow, also tracked as UAT-9244, with moderate-to-high confidence.
The attacker executed a "multi-wave intrusion" spanning from late December 2025 through late February 2026, leveraging Exchange vulnerabilities to establish persistent access. This campaign represents an expansion of FamousSparrow's targeting beyond previous operations.
FamousSparrow maintains connections to Chinese state interests and specializes in targeting critical infrastructure sectors. The group's exploitation of Exchange servers aligns with established tactics for gaining initial footholds in enterprise networks. Once inside, attackers typically establish web shells and lateral movement capabilities.
For the targeted Azerbaijani energy firm, the risks include intellectual property theft, operational disruption, and potential sabotage of infrastructure systems. Energy sector networks often connect to industrial control systems, raising concerns about supply chain impacts. If the attackers maintained access for three months, they likely gathered extensive network intelligence and credentials.
The multi-wave nature of the attack suggests deliberate persistence rather than opportunistic compromise. Each wave probably introduced new access methods or exfiltrated data batches. Organizations in Azerbaijan and neighboring regions depend on this energy company for supply stability.
Energy companies globally should treat this incident as a wake-up call. Microsoft Exchange remains a high-value target despite patch availability. Many organizations run outdated versions or fail to apply critical updates promptly. FamousSparrow's continued success against known vulnerabilities reflects this patching gap.
Defensive priorities for energy firms include deploying Exchange updates immediately, monitoring for web shell artifacts, and reviewing email forwarding rules and OAuth token usage. Implement network segmentation between IT and operational technology systems. Consider restricting external
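
One concrete way to carry out the forwarding-rule review named above, as an added example that is not from the article or from Bitdefender: a PowerShell script for the Exchange Management Shell (or an Exchange Online PowerShell session) that flags mailbox-level forwarding and inbox rules whose destination lies outside the organisation's accepted domains. Read access to every mailbox and the output file name are assumptions.

```powershell
# Added example (not from the article): find Exchange forwarding that leaves the
# organisation. Run in the Exchange Management Shell or an Exchange Online session.
# Assumes the account can read all mailboxes and their inbox rules.

# Every accepted domain counts as internal; anything else is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Recipient strings look like "Name <user@domain>" or "user@domain".
    if ($Address -match '<([^>]+)>') { $Address = $Matches[1] }
    # Entries without an SMTP address resolve to internal recipients; skip them.
    if ($Address -notmatch '@') { return $false }
    $domain = ($Address -split '@')[-1].ToLower()
    return -not ($internalDomains -contains $domain)
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set by an admin, or by anyone holding admin credentials).
    if ($mbx.ForwardingSmtpAddress) {
        $target = ([string]$mbx.ForwardingSmtpAddress) -replace '^smtp:', ''
        if (Test-ExternalAddress $target) {
            $findings += [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Kind = 'MailboxForwarding';
                                            Rule = ''; Target = $target; Enabled = $true }
        }
    }
    # User-level inbox rules that forward, forward-as-attachment, or redirect mail.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress ([string]$t)) {
                $findings += [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Kind = 'InboxRule';
                                                Rule = $rule.Name; Target = [string]$t; Enabled = $rule.Enabled }
            }
        }
    }
}

# Disabled rules are still reported: an attacker can re-enable one later.
$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\external-forwarding-findings.csv -NoTypeInformation
```

Get-InboxRule is called once per mailbox, so on a large tenant expect the sweep to take a while; the CSV is meant to be diffed against a baseline so that newly created external forwarding stands out.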
