Over the past year, InfraShield has tracked Zestix/Sentap-linked activity impacting 15 engineering companies or engineering-focused datasets, underscoring an emerging cybercriminal trend in which threat actors increasingly treat engineering documentation, schematics, geospatial archives, and OT-adjacent project materials as high-value strategic assets. While this threat actor has started to attract more coverage from cybersecurity researchers and journalists, their focus on critical infrastructure, particularly engineering targets, has so far been underreported. Overall, this activity reflects a sustained effort to monetize engineering data and potentially enable follow-on operational disruption.
“Zestix’s campaign should be a wake-up call for engineering firms and the critical infrastructure ecosystem they support,” said Mark Rorabaugh, CEO and President of InfraShield. “This actor has repeatedly pursued sensitive engineering datasets that can be used for reconnaissance, follow-on compromise, and in certain cases, disruption planning. Engineering firms are increasingly becoming a gateway into critical infrastructure, and defenders need to respond with urgency.”
InfraShield notes that reporting and threat intelligence indicate Zestix functions as a data seller and initial access broker, frequently leveraging credential-based access to corporate cloud collaboration environments and enterprise file-sharing portals. Hudson Rock research has highlighted how threat actors are gaining access through infostealer-harvested credentials, particularly in environments lacking consistent MFA coverage or credential hygiene.
Beyond engineering targets, Zestix/Sentap was arguably the most prolific lone-wolf threat actor in terms of attacking critical infrastructure last year. In a threat landscape where “global ransomware attacks against critical industries surged by 34% in 2025,” according to Kela research, Zestix/Sentap distinguished himself by listing databases stolen from over 30 critical infrastructure victims in 2025. Victims listed by Zestix/Sentap span aerospace, defense, orbital communications, mining, telecom, transportation, and more.
In an interview with a cybercrime blogger last year, Zestix, using the Sentap persona, revealed his approach to targeting organizations. The threat actor said: “Target selection is entirely driven by financial analysis. I use data from underground markets and dark web platforms to identify organizations whose data—like financial records, intellectual property, or infrastructure details—has high demand.
Then, I assess their vulnerabilities using scanning tools and public info (OSINT). My criteria include:
- Data value in the market.
- System security level (weaker security means lower intrusion costs).
- Likelihood of detection and traceability (targets with poor monitoring systems get priority).”
Dark Signal Research: High-Confidence Iran Nexus
InfraShield also highlights recent analysis from Dark Signal, which assesses with high confidence that Sentap/Zestix is based in Iran. This assessment reinforces that Zestix’s activity may extend beyond opportunistic cybercrime, potentially aligning with broader regional patterns of intelligence collection, strategic targeting, and asymmetric disruption.
Spotlight Incident: CRRC MA America / Los Angeles Metro Data Leak
InfraShield is particularly concerned by a recent Zestix listing advertising 238 GB of purportedly confidential CRRC MA America and Los Angeles Metro engineering data, including signaling drawings, infrastructure documentation, and materials referencing Union Station. The post claims access to highly sensitive rail engineering artifacts and operational documentation.
The exposure of mass transit signaling and control documentation can carry risks beyond business harm. Detailed infrastructure materials can support adversarial study of critical nodes, system dependencies, and disruption pathways. In the wrong hands, such datasets could be leveraged to enable operational interference or even terroristic disruption, placing public safety and human life at risk.
Mitigations
InfraShield recommends that industrial engineering firms immediately assess exposure and harden defenses, particularly across cloud collaboration environments, file-sharing platforms, and credential access points. Key mitigations aligned with Hudson Rock research include:
- Enforce MFA universally, especially for ShareFile, Nextcloud, ownCloud, and third-party collaboration portals
- Monitor for infostealer-related credential exposure, including historical credential sets that may remain exploitable
- Rotate passwords and invalidate sessions rapidly when compromise is suspected
- Harden cloud file-sharing deployments with least privilege access, strong identity controls, and robust logging/alerting
- Conduct third-party exposure assessments for repositories containing engineering drawings, geospatial data, and OT-adjacent documentation
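The mitigations above are the kind a security team turns into a recurring triage query over its file-sharing portal's authentication logs: which successful logins had no MFA, which belong to accounts already seen in infostealer exposure data, which sessions those logins opened (so they can be invalidated), and how much data those sessions pulled. The following is an added example written for this page, not InfraShield's or any vendor's code. The JSON-lines event shape, field names, usernames, IPs and the exposed-account feed are all constructed for illustration; a real deployment would map its product's audit-log fields and exposure-monitoring feed onto the same logic.

```python
"""Triage constructed cloud file-sharing auth events for the credential-theft
pattern described above: successful logins without MFA, logins by accounts present
in an infostealer exposure feed, repeated logins from different source IPs, and the
download volume attributable to the affected sessions.

Added example. Event format, field names and sample data are constructed and do not
represent any specific product's log schema.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (JSON lines). Not a real product's log format.
SAMPLE_LOG = """
{"ts": "2025-03-01T08:02:11Z", "user": "j.doe", "event": "login", "result": "success", "mfa": true, "ip": "203.0.113.10", "session": "s-1001"}
{"ts": "2025-03-01T08:05:40Z", "user": "a.singh", "event": "login", "result": "success", "mfa": false, "ip": "203.0.113.22", "session": "s-1002"}
{"ts": "2025-03-01T09:17:03Z", "user": "a.singh", "event": "download", "result": "success", "ip": "203.0.113.22", "session": "s-1002", "path": "/Projects/Signaling/dwg-archive.zip", "bytes": 734003200}
{"ts": "2025-03-01T11:44:59Z", "user": "m.chen", "event": "login", "result": "success", "mfa": false, "ip": "198.51.100.7", "session": "s-1003"}
{"ts": "2025-03-01T11:46:10Z", "user": "m.chen", "event": "login", "result": "success", "mfa": false, "ip": "192.0.2.55", "session": "s-1004"}
{"ts": "2025-03-01T12:00:00Z", "user": "svc-backup", "event": "login", "result": "failure", "mfa": false, "ip": "192.0.2.99"}
"""

# Constructed exposure feed: accounts whose credentials were observed in stealer
# logs (what a commercial exposure-monitoring service would supply). Placeholder data.
EXPOSED_ACCOUNTS = {"a.singh", "svc-backup"}


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    session: Optional[str]  # None for account-level findings not tied to one session


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def triage(events, exposed_accounts):
    """Return findings for successful logins that match the credential-theft pattern."""
    findings = []
    ips_by_user = defaultdict(set)
    for e in events:
        # Failed logins are noise for this purpose; only successful authentications matter.
        if e.get("event") != "login" or e.get("result") != "success":
            continue
        user = e["user"]
        ips_by_user[user].add(e["ip"])
        if not e.get("mfa", False):
            findings.append(Finding(user, "successful login without MFA", e.get("session")))
        if user in exposed_accounts:
            findings.append(Finding(user, "account appears in infostealer exposure feed", e.get("session")))
    # One account authenticating from several source IPs in the window is a cue for session review.
    for user, ips in ips_by_user.items():
        if len(ips) > 1:
            findings.append(Finding(user, f"logins from {len(ips)} distinct IPs in window", None))
    return findings


def sessions_to_invalidate(findings):
    """Sessions opened by any flagged login: candidates for immediate revocation."""
    return sorted({f.session for f in findings if f.session})


def accounts_to_rotate(findings):
    """Accounts with at least one finding: candidates for forced password rotation."""
    return sorted({f.user for f in findings})


def bytes_downloaded_by_session(events):
    """Total bytes downloaded per session, to size the exposure of flagged sessions."""
    totals = defaultdict(int)
    for e in events:
        if e.get("event") == "download" and e.get("result") == "success":
            totals[e["session"]] += int(e.get("bytes", 0))
    return dict(totals)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    found = triage(evts, EXPOSED_ACCOUNTS)
    volume = bytes_downloaded_by_session(evts)
    for f in found:
        print(f"{f.user:12} {f.session or '-':8} {f.reason}")
    print("revoke sessions:", sessions_to_invalidate(found))
    print("rotate accounts:", accounts_to_rotate(found))
    for s in sessions_to_invalidate(found):
        print(f"session {s} downloaded {volume.get(s, 0)} bytes")
```

Run against the constructed sample, the script flags a.singh (no MFA and present in the exposure feed) and m.chen (two non-MFA logins from different IPs), lists sessions s-1002, s-1003 and s-1004 for revocation, and shows that s-1002 pulled roughly 734 MB before anyone looked. The account-level "distinct IPs" finding deliberately carries no session so that it drives review rather than automatic revocation; the MFA and exposure findings are session-specific so they can feed a revocation action directly.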
“Many of these compromises are not driven by advanced exploitation,” Rorabaugh added. “They are enabled by credential theft, inadequate MFA coverage, and weak monitoring. Industrial engineering data is now treated as a strategic commodity in the underground economy, and security programs need to evolve accordingly.”
About InfraShield
InfraShield is a cybersecurity firm specializing in critical infrastructure defense, operational technology security, and industrial sector resilience. InfraShield supports engineering firms and critical infrastructure operators by reducing exposure to credential-based intrusions, strengthening cloud collaboration security, and building secure-by-design principles into AI and OT integration initiatives.
Media Inquiries:
📧 malcolm.taylor@bluehighwayadvisory.com