Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names.
Groups are mapped to publicly reported technique use and referenced in the ATT&CK for ICS knowledge base. Groups are also mapped to reported software used during intrusions.
This is the list of 9 publicly reported groups tracked in ATT&CK for ICS:
| Name | Associated Groups | Description |
|---|---|---|
| ALLANITE | | ALLANITE is a suspected Russian cyber espionage group that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to Dragonfly / Dragonfly 2.0, although ALLANITE's technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining an understanding of processes and to maintain persistence. [1] |
| APT33 | | APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. [2] |
| Dragonfly | | Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. [3] A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence to lead to these being tracked as two separate groups. [3] |
| Dragonfly 2.0 | Dragonfly 2.0 | Dragonfly 2.0 is a suspected Russian threat group that has targeted government entities and multiple U.S. critical infrastructure sectors and parts of the energy sector within Turkey and Switzerland since at least December 2015. [4] There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to those being tracked as two separate groups. [5] |
| HEXANE | | HEXANE is a threat group that has targeted ICS organizations within the oil & gas and telecommunications sectors. Many of the targeted organizations have been located in the Middle East, including Kuwait. HEXANE's targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. HEXANE's TTPs appear similar to APT33 and OilRig, but due to differences in victims and tools it is tracked as a separate entity. [6] |
| Lazarus group | Guardians of Peace | Lazarus group is a suspected North Korean adversary group that has targeted networks associated with civilian electric energy in Europe, East Asia, and North America. [7][8] Links have been established associating this group with the WannaCry ransomware from 2017. [9] While WannaCry was not an ICS-focused attack, Lazarus group is considered to be a threat to ICS. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. [7] Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group. |
| OilRig | | OilRig is a suspected Iranian threat group that has targeted the financial, government, energy, chemical, and telecommunication sectors, as well as the petrochemical and oil & gas sectors. [10][11][12] OilRig has been observed operating in Iraq, Pakistan, Israel, and the UK, and has been linked to the Shamoon attacks in 2012 on Saudi Aramco. |
| Sandworm Team | | Sandworm Team is a destructive threat group that has been attributed to Russian GRU Unit 74455. [13] Sandworm Team's most notable attacks include the 2015 and 2016 targeting of the Ukrainian electrical sector and the 2017 NotPetya attacks. [14][15] Sandworm Team has been active since at least 2009 and has been linked to Industroyer, BlackEnergy 3, and KillDisk malware. [13][16] |
| XENOTIME | | XENOTIME is a threat group that has targeted and compromised industrial systems, specifically safety instrumented systems that are designed to provide safety and protective functions. XENOTIME has previously targeted the oil & gas and electric sectors within the Middle East, Europe, and North America. XENOTIME has also been reported to target ICS vendors, manufacturers, and organizations in the Middle East. This group is one of the few with reported destructive capabilities. [17] |
References

1. Dragos. (n.d.). Allanite. Retrieved October 27, 2019.
2. Enterprise ATT&CK. (n.d.). APT33. Retrieved October 27, 2019.
3. Enterprise ATT&CK. (n.d.). Dragonfly. Retrieved October 27, 2019.
4. Symantec. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 14, 2017.
5. Robert Hackett. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved December 4, 2019.
6. Dragos. (n.d.). Hexane. Retrieved October 27, 2019.
7. CISA. (n.d.). HIDDEN COBRA - North Korean Malicious Cyber Activity. Retrieved October 31, 2019.
8. Dragos. (n.d.). Covellite. Retrieved October 27, 2019.
9. CISA. (2017, May 12). Alert (TA17-132A). Retrieved October 31, 2019.
10. N.A. (n.d.). Advanced Persistent Threat Group 34. Retrieved October 31, 2019.
11. Manish Sardiwal et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved October 31, 2019.
12. Dragos. (n.d.). Chrysene. Retrieved October 27, 2019.
13. UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA. (2020, October 15). Indictment: Conspiracy to Commit an Offense Against the United States. Retrieved April 7, 2021.
14. Dragos. (n.d.). Electrum. Retrieved October 27, 2019.
15. Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
16. Dragos Inc. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electric Grid Operations. Retrieved September 18, 2017.
17. Dragos. (n.d.). Xenotime. Retrieved October 27, 2019.