This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.
Group: XENOTIME, TEMP.Veles
| Group | |
|---|---|
| ID | G0001 |
| Associated Groups | XENOTIME, TEMP.Veles |
| External Contributors | Dragos Threat Intelligence |
XENOTIME is a threat group that has targeted and compromised industrial systems, specifically safety instrumented systems that are designed to provide safety and protective functions. XENOTIME has previously targeted the oil & gas and electric sectors within the Middle East, Europe, and North America. XENOTIME has also been reported to target ICS vendors, manufacturers, and organizations in the Middle East. This group is one of the few with reported destructive capabilities.[1]
Associated Group Descriptions
- XENOTIME - [1]
- TEMP.Veles - FireEye attributes with high confidence that intrusion activity and Triton development was supported by a Russian government-owned technical research institution.[2]
Techniques Used
- Drive-by Compromise - XENOTIME utilizes watering hole websites to target industrial employees.[3]
- Remote Services - XENOTIME utilized Remote Desktop Protocol (RDP) jump boxes to move into the ICS environment.[4]
- Supply Chain Compromise - XENOTIME targeted several ICS vendors and manufacturers.[5]
- Valid Accounts - XENOTIME used valid credentials when moving laterally through RDP jump boxes into the ICS environment.[4]
Software
References
1. Dragos. (n.d.). Xenotime. Retrieved October 27, 2019.
2. FireEye Intelligence. (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved December 5, 2019.
3. Chris Bing. (2018, May 24). Trisis masterminds have expanded operations to target U.S. industrial firms. Retrieved January 3, 2020.