
Latest Activity in Dragos Tracked Activity Groups

In 2021, Dragos is tracking three new Activity Groups (AGs) and has observed fresh activity in several existing ones. Four of the existing groups are summarised here from the published sources: KAMACITE, STIBNITE, WASSONITE and VANADINITE.

KAMACITE: KAMACITE has been active since 2014 and has been linked to Russian military intelligence operations by a number of governments and third-party researchers. The group uses GREYENERGY, a modular malware family that succeeded BLACKENERGY. In 2021 Dragos identified two distinct GREYENERGY dropper variants in the wild, one in March and the other in August. Because GREYENERGY shares BLACKENERGY's modular architecture, Dragos assesses that ICS-specific components could be added to it in the future. The GREYENERGY dropper maps to the Install/Modify step of Stage 1 of the ICS Cyber Kill Chain.

STIBNITE: In its 2020 campaigns STIBNITE targeted wind turbine companies in Azerbaijan. In February 2021 the group shifted to Azerbaijani-speaking industry experts, researchers and practitioners in environmental science, technology and engineering. In March 2021 it continued to target Azerbaijani government entities, notably the Ministry of Ecology and Natural Resources, using an oil and gas themed spearphishing lure. Malwarebytes separately reported spearphishing against an Azerbaijani government institution that used a State Oil Company of the Azerbaijan Republic (SOCAR) lure.

Dragos attributes this activity to STIBNITE with high confidence. A recipient who enables the macro in the attached document triggers the installation of a new Python-based version of PoetRAT, the fifth PoetRAT variant Dragos has documented. Its persistence mechanism is identical to that of earlier versions, and the C2 infrastructure used in this campaign overlaps with infrastructure from previous STIBNITE campaigns.

WASSONITE: In June 2021 Dragos observed multiple victims in the oil and gas, electric, and component manufacturing sectors communicating with a WASSONITE C2 server associated with the Appleseed backdoor. Appleseed is a multi-component backdoor that can capture screenshots, log keystrokes, and collect files from removable media and specific document types on the victim host. It can also upload and download files and run follow-on tasks issued by the C2 server. WASSONITE previously used the DTRACK malware in the intrusion at India's Kudankulam Nuclear Power Plant (KKNPP).

Dragos identified and analysed two Appleseed backdoor variants. While examining how Appleseed establishes its network connection, Dragos found a hardcoded C2 IP address in the sample. Pivoting from that indicator to network telemetry, Dragos then discovered numerous hosts across three ICS verticals communicating with the same WASSONITE C2 server, consistent with Appleseed infections.
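
As an added illustration of that pivot (this is not Dragos's tooling, and none of the values are the real Appleseed or WASSONITE indicators), the following Python script starts from a C2 indicator set as it might be recovered from a sample, expands it with any IP address the known-bad domain is seen resolving to, and then sweeps a small set of connection logs for internal hosts that contacted any indicator. Every address and hostname is hypothetical (RFC 5737 TEST-NET ranges and a reserved `.invalid` domain), the log lines are constructed, and the `key=value` log layout is an assumption of the example.

```python
"""Pivot from a hardcoded C2 indicator to network telemetry.

Added example, not Dragos's tooling. Every indicator and log line below is
constructed: RFC 5737 TEST-NET addresses and a reserved .invalid domain stand
in for real infrastructure.
"""
import ipaddress
import re
from collections import defaultdict

# Indicators as they might be recovered from a sample: a hardcoded IP and the
# domain the malware pairs with it. Hypothetical values.
C2_INDICATORS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-service.invalid"},
}

# Constructed telemetry in three shapes a hunter usually has side by side:
# flow records (IPs only), proxy records (hostname) and DNS records
# (query plus the answer it resolved to).
SAMPLE_LOGS = """\
2021-06-03T10:14:02Z flow src=10.20.1.17 dst=203.0.113.45 dport=443 proto=tcp bytes=18322
2021-06-03T10:14:05Z flow src=10.20.1.17 dst=198.51.100.9 dport=443 proto=tcp bytes=3100
2021-06-03T11:02:41Z proxy client=10.30.7.201 host=update-service.invalid method=POST status=200 bytes=5120
2021-06-03T11:30:12Z dns client=10.40.2.9 query=update-service.invalid answer=203.0.113.77
2021-06-03T12:00:00Z flow src=10.50.1.3 dst=203.0.113.77 dport=8080 proto=tcp bytes=910
2021-06-03T12:05:00Z proxy client=10.30.7.202 host=example.com method=GET status=200 bytes=42
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<ts> <kind> k=v k=v ...' into a dict; None for malformed lines."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    ts, kind, rest = parts
    rec = dict(KV_RE.findall(rest))
    rec["ts"], rec["kind"] = ts, kind
    return rec


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def expand_indicators(records, indicators):
    """Pass 1: any IP a known-bad domain resolved to becomes an IP indicator.

    Done before matching so that a flow logged earlier than the DNS
    observation is still caught.
    """
    ips = set(indicators["ip"])
    for r in records:
        if r["kind"] == "dns" and r.get("query") in indicators["domain"]:
            answer = r.get("answer", "")
            if is_ip(answer):
                ips.add(answer)
    return {"ip": ips, "domain": set(indicators["domain"])}


def find_victims(log_text, indicators):
    """Return ({internal_host: [(ts, kind, indicator), ...]}, expanded_indicators)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    ind = expand_indicators(records, indicators)
    hits = defaultdict(list)
    for r in records:
        host = r.get("src") or r.get("client")                    # internal side
        remote = r.get("dst") or r.get("host") or r.get("query")  # external side
        if host and (remote in ind["ip"] or remote in ind["domain"]):
            hits[host].append((r["ts"], r["kind"], remote))
    return dict(hits), ind


if __name__ == "__main__":
    victims, expanded = find_victims(SAMPLE_LOGS, C2_INDICATORS)
    print("indicators after pivot:", sorted(expanded["ip"]), sorted(expanded["domain"]))
    for host, events in sorted(victims.items()):
        for ts, kind, ioc in events:
            print(f"{host}  {ts}  {kind:5}  -> {ioc}")
```

The two-pass structure is the point of the example: matching in a single chronological pass would miss 10.50.1.3, whose flow to 203.0.113.77 is only recognisable once the DNS record ties that address to the indicator domain. In practice the expanded set is fed back into sample analysis and blocking, and a host on the hit list is a candidate for forensic triage rather than a confirmed infection, since shared hosting and sinkholed domains produce the same telemetry.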

Dragos assesses with moderate confidence that the Appleseed backdoor has infected organisations across five ICS verticals. Dragos had previously observed WASSONITE tooling and behaviour directed at a range of ICS organisations, including electric generation, nuclear energy, manufacturing and space-focused research companies.

VANADINITE: In July 2021 the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint alert describing a People's Republic of China (PRC) state-sponsored campaign that targeted US oil and natural gas companies between 2011 and 2013.

The US Department of Justice has issued indictments that tie VANADINITE-related operations to operators working on behalf of the PRC. Dragos hunters have also observed more recent activity attributed to this AG, but no details were available at the time of writing because the investigation into that activity is ongoing.