G0088 TEMP.Veles

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.³²⁴

Item	Value
ID	G0088
Associated Names	XENOTIME
Version	1.3
Created	16 April 2019
Last Modified	30 November 2022
Navigation Layer	View In ATT&CK® Navigator

Associated Group Descriptions

Name	Description
XENOTIME	The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON.¹⁵³²

Techniques Used

Domain	ID	Name	Use
enterprise	T1583	Acquire Infrastructure	-
enterprise	T1583.003	Virtual Private Server	TEMP.Veles has used Virtual Private Server (VPS) infrastructure.³
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.001	PowerShell	TEMP.Veles has used a publicly-available PowerShell-based tool, WMImplant.² The group has also used PowerShell to perform Timestomping.³
enterprise	T1074	Data Staged	-
enterprise	T1074.001	Local Data Staging	TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.³
enterprise	T1546	Event Triggered Execution	-
enterprise	T1546.012	Image File Execution Options Injection	TEMP.Veles has modified and added entries within `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` to maintain persistence.³

enterprise	T1133	External Remote Services	TEMP.Veles has used a VPN to persist in the victim environment.³
enterprise	T1070	Indicator Removal	-
enterprise	T1070.004	File Deletion	TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.³
enterprise	T1070.006	Timestomp	TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.³
enterprise	T1036	Masquerading	-
enterprise	T1036.005	Match Legitimate Name or Location	TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.³

enterprise	T1571	Non-Standard Port	TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.³
enterprise	T1027	Obfuscated Files or Information	-
enterprise	T1027.005	Indicator Removal from Tools	TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.²
enterprise	T1588	Obtain Capabilities	-
enterprise	T1588.002	Tool	TEMP.Veles has obtained and used tools such as Mimikatz and PsExec.³
enterprise	T1003	OS Credential Dumping	-
enterprise	T1003.001	LSASS Memory	TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials. ³
enterprise	T1021	Remote Services	-
enterprise	T1021.001	Remote Desktop Protocol	TEMP.Veles utilized RDP throughout an operation.³
enterprise	T1021.004	SSH	TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.³
enterprise	T1053	Scheduled Task/Job	-
enterprise	T1053.005	Scheduled Task	TEMP.Veles has used scheduled task XML triggers.³
enterprise	T1505	Server Software Component	-
enterprise	T1505.003	Web Shell	TEMP.Veles has planted Web shells on Outlook Exchange servers.³
enterprise	T1078	Valid Accounts	TEMP.Veles has used compromised VPN accounts.³
ics	T0817	Drive-by Compromise	TEMP.Veles utilizes watering hole websites to target industrial employees. ⁷
ics	T0886	Remote Services	TEMP.Veles utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment. ⁶
ics	T0862	Supply Chain Compromise	TEMP.Veles targeted several ICS vendors and manufacturers. ⁸
ics	T0859	Valid Accounts	TEMP.Veles used valid credentials when laterally moving through RDP jump boxes into the ICS environment. ⁶

Software

ID	Name	References	Techniques
S0002	Mimikatz	³	SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0029	PsExec	³¹	Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S1009	Triton	¹	Change Operating Mode Commonly Used Port Detect Operating Mode Execution through API Exploitation for Evasion Exploitation for Privilege Escalation Hooking Indicator Removal on Host Loss of Safety Masquerading Modify Controller Tasking Native API Program Download Program Upload Remote System Discovery Scripting Standard Application Layer Protocol System Firmware

References

Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019. ↩↩↩
FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019. ↩↩↩↩
Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019. ↩
Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019. ↩
Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ↩↩
Chris Bing 2018, May 24 Trisis masterminds have expanded operations to target U.S. industrial firms Retrieved. 2020/01/03 ↩
Dragos Threat Intelligence 2019, August Global Oil and Gas Cyber Threat Perspective Retrieved. 2020/01/03 ↩