G0088 TEMP.Veles
TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.[3][2][4]
| Item | Value |
|---|---|
| ID | G0088 |
| Associated Names | XENOTIME |
| Version | 1.4 |
| Created | 16 April 2019 |
| Last Modified | 17 April 2024 |
Associated Group Descriptions
| Name | Description |
|---|---|
| XENOTIME | The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON.[1][5][3][2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.003 | Virtual Private Server | During the C0032 campaign, TEMP.Veles used Virtual Private Server (VPS) infrastructure.[3] |
| enterprise | T1595 | Active Scanning | In the Triton Safety Instrumented System Attack, TEMP.Veles engaged in network reconnaissance against targets of interest.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant.[2] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | During the C0032 campaign, TEMP.Veles used staging folders that are infrequently used by legitimate users or processes to store data for exfiltration and tool deployment.[3] |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | In the Triton Safety Instrumented System Attack, TEMP.Veles developed, prior to the attack, malware capabilities that would require access to specific and specialized hardware and software.[9] |
| enterprise | T1573 | Encrypted Channel | In the Triton Safety Instrumented System Attack, TEMP.Veles used cryptcat binaries to encrypt their traffic.[2] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.012 | Image File Execution Options Injection | During the C0032 campaign, TEMP.Veles modified and added entries within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to maintain persistence.[3] |
| enterprise | T1133 | External Remote Services | During the C0032 campaign, TEMP.Veles used VPN access to persist in the victim environment.[3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | During the C0032 campaign, TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.[3] |
| enterprise | T1070.006 | Timestomp | During the C0032 campaign, TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.[3] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.003 | Web Portal Capture | In the Triton Safety Instrumented System Attack, TEMP.Veles captured credentials as they were being changed by redirecting text-based login codes to websites they controlled.[10] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | In the Triton Safety Instrumented System Attack, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files. |
| enterprise | T1571 | Non-Standard Port | During the C0032 campaign, TEMP.Veles used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.[3] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.005 | Indicator Removal from Tools | In the Triton Safety Instrumented System Attack, TEMP.Veles modified files based on the open-source project cryptcat in an apparent attempt to decrease anti-virus detection rates.[2] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | In the Triton Safety Instrumented System Attack, TEMP.Veles used tools such as Mimikatz and other open-source software.[2] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | In the Triton Safety Instrumented System Attack, TEMP.Veles used Mimikatz.[8] |
| enterprise | T1572 | Protocol Tunneling | During the C0032 campaign, TEMP.Veles used encrypted SSH-based PLINK tunnels to transfer tools and enable RDP connections throughout the environment.[3] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | During the C0032 campaign, TEMP.Veles utilized RDP throughout an operation.[3] |
| enterprise | T1021.004 | SSH | During the C0032 campaign, TEMP.Veles relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.[3] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | In the Triton Safety Instrumented System Attack, TEMP.Veles installed scheduled tasks defined in XML files.[2] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | During the C0032 campaign, TEMP.Veles planted Web shells on Outlook Exchange servers.[3] |
| enterprise | T1078 | Valid Accounts | During the C0032 campaign, TEMP.Veles used compromised VPN accounts.[3] |
| ics | T0830 | Adversary-in-the-Middle | In the Triton Safety Instrumented System Attack, TEMP.Veles changed phone numbers tied to certain specific accounts in a designated contact list. They then used the changed phone numbers to redirect network traffic to websites controlled by them, thereby allowing them to capture and use any login codes sent to the devices via text message.[10] |
| ics | T0807 | Command-Line Interface | In the Triton Safety Instrumented System Attack, TEMP.Veles’ tool took one option from the command line, which was a single IP address of the target Triconex device.[9] |
| ics | T0817 | Drive-by Compromise | TEMP.Veles utilizes watering hole websites to target industrial employees.[7] |
| ics | T0872 | Indicator Removal on Host | In the Triton Safety Instrumented System Attack, TEMP.Veles would programmatically return the controller to a normal running state if the Triton malware failed. If the controller could not recover in a defined time window, TEMP.Veles programmatically overwrote their malicious program with invalid data.[9] |
| ics | T0867 | Lateral Tool Transfer | In the Triton Safety Instrumented System Attack, TEMP.Veles made attempts on multiple victim machines to transfer and execute the WMImplant tool.[2] |
| ics | T0828 | Loss of Productivity and Revenue | In the Triton Safety Instrumented System Attack, TEMP.Veles tripped a controller into a failed safe state, which caused an automatic shutdown of the plant; this resulted in a pause of plant operations for more than a week, impacting industrial processes and halting productivity.[9] |
| ics | T0843 | Program Download | In the Triton Safety Instrumented System Attack, TEMP.Veles downloaded multiple rounds of control logic to the Safety Instrumented System (SIS) controllers through a program append operation.[9] |
| ics | T0886 | Remote Services | In the Triton Safety Instrumented System Attack, TEMP.Veles utilized remote desktop protocol (RDP) jump boxes and poorly configured OT firewalls,[10] along with other traditional malware backdoors, to move into the ICS environment.[8][10] |
| ics | T0853 | Scripting | In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant.[2] |
| ics | T0862 | Supply Chain Compromise | TEMP.Veles targeted several ICS vendors and manufacturers.[6] |
| ics | T0855 | Unauthorized Command Message | In the Triton Safety Instrumented System Attack, TEMP.Veles leveraged Triton to send unauthorized command messages to the Triconex safety controllers.[8] |
| ics | T0859 | Valid Accounts | In the Triton Safety Instrumented System Attack, TEMP.Veles used valid credentials when laterally moving through RDP jump boxes into the ICS environment.[8] |
Software
References
1. Dragos, Inc. (n.d.). Xenotime. Retrieved April 16, 2019.
2. FireEye Intelligence. (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.
3. Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
4. Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.
5. Slowik, J. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.
6. Dragos Threat Intelligence. (2019, August). Global Oil and Gas Cyber Threat Perspective. Retrieved January 3, 2020.
7. Bing, C. (2018, May 24). Trisis masterminds have expanded operations to target U.S. industrial firms. Retrieved January 3, 2020.
8. Miller, S., Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.
9. Johnson, B., Caban, D., Krotofil, M., Scali, D., Brubaker, N., Glyer, C. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.
10. Sobczak, B. (2019, March 7). The inside story of the world’s most dangerous malware. Retrieved March 25, 2024.
11. Johnson, B., et al. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.