Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Recent Activity in Dragos Tracked Activity Groups

This blog is the third in a three-part series defining Cyber Threat Intelligence (CTI). The first part explained the concepts of CTI, including its history, emergence, and challenges. The second part featured an in-depth explanation of practical uses for the Diamond Model in CTI analysis.

Dragos is currently developing three new Activity Groups this year and has also discovered activity across three existing activity groups: KAMACITE, WASSONITE, and STIBNITE. Dragos will provide more information on the new Activity Groups (AG) as it becomes available. This blog updates activity on the three AGs listed above. 

KAMACITE 

Multiple government and third-party entities link KAMACITE, active since 2014, to Russian military intelligence operations. KAMACITE uses GREYENERGY, a modular malware and successor to BLACKENERGY. GREYENERGY is associated with two known dropper variants. This year, Dragos identified two GREYENERGY dropper variants in the wild, one in March of 2021 and one in August of 2021, respectively. Dragos assesses with moderate confidence that due to the modular structure, which is similar to BLACKENERGY, GREYENERGY could add ICS components in the future. The GREYENERGY dropper satisfies Stage 1: Install/Modify of the ICS Cyber Kill Chain.

STIBNITE

STIBNITE targeted wind turbine system companies in Azerbaijan in their 2020 campaigns. In their February 2021 campaigns, STIBNITE targeted Azerbaijani-speaking industrial experts, researchers, and practitioners in the environmental science, technology, and engineering fields. In March 2021, they continued to target Azerbaijan government entities, more specifically the Azerbaijan Ministry of Ecology and Natural Resources, with an Oil and Gas spearphishing lure.

Malwarebytes published a report highlighting activity using a State Oil Company of the Azerbaijan Republic (SOCAR) spearphishing lure targeting an Azerbaijan government entity. Dragos assessed with high confidence that STIBNITE is associated with this activity. The recipient of this spearphishing lure could unknowingly execute a macro in the document that would drop a new version of PoetRAT written in Python. This is the fifth variant of PoetRAT documented by Dragos. This version of PoetRAT includes a similar persistence technique to previous versions. The C2 infrastructure of this campaign overlaps with previous STIBNITE campaigns.

WASSONITE

During June 2021, Dragos discovered multiple victims in the Oil and Gas, Electric, and Component Manufacturing industries communicating with a WASSONITE C2 server associated with Appleseed backdoor. Appleseed is a multi-component backdoor that can take screenshots, log keystrokes, and collect removable media information and specific victim files. It can also upload, download, and execute follow-on commands from the C2 server. WASSONITE previously leveraged DTRACK to infect the Kudankulam Nuclear Power Plant (KKNPP) nuclear facility in India. 

Dragos discovered and analyzed two variants of the Appleseed backdoor. It can also upload, download, and execute follow-on commands from the C2 server. Dragos analyzed the network communication function of Appleseed and identified an associated IP address hardcoded C2 domain. Dragos then pivoted on network telemetry to discover multiple victims in three ICS industries communicating with the WASSONITE C2 server associated with Appleseed infections.

Dragos assess with moderate confidence that the Appleseed backdoor infected five ICS verticals. Dragos previously discovered WASSONITE tools and behavior targeting multiple ICS entities, including electric generation, nuclear energy, manufacturing, and organizations involved in space-centric research.

VANADINITE

In July, the Cybersecurity & Infrastructure Security Agency (CISA) and FBI released an Alert regarding a People’s Republic of China (PRC) state-sponsored campaign targeting United States oil and natural gas companies between 2011 and 2013. The U.S. Department of Justice published indictments that associate activities that link to VANADINITE, with operators working on behalf of the People’s Republic of China (PRC). Dragos hunters have seen more recent activity in this AG, but it is not specified at the time of this writing as investigations continue with this activity.

Dr. Tom Winston
Dr. Tom Winston
Dr. Tom Winston is a director of intelligence content for Dragos. Tom has over 25 years of professional experience in many areas to include cybersecurity, ICS/SCADA systems, Critical Infrastructure protection, academics as well as systems and network engineering. He joined Dragos after serving for several years as a professor of cybersecurity engineering at George Mason University. Prior to that Tom served in a 15 year-long career at the CIA as an operations, digital forensics, and ICS/SCADA expert. His experience focused on threats to critical infrastructure (ICS/SCADA) systems, as well as foreign cyber intelligence and threat analysis. Tom has extensive experience in mobile device, removable/fixed media digital forensics, as well and has visited over 30 countries worldwide, and speaks over a dozen foreign languages.

Related Posts

Innovations in R&D: How AI Is Transforming Industrial Cybersecurity Operations

Industrial control systems are becoming more complex as evolved cyberattacks threaten industry functions....
Devin Partida Nov 15, 2024 7:00:00 AM

In Conversation with Authors of ISAGCA White Paper on Zero Trust and ISA/IEC 62443

The ISA Global Cybersecurity Alliance (ISAGCA) recently published a white paper exploring the application...
Kara Phelps Nov 8, 2024 12:00:00 PM

Webinar: Zero Trust Outcomes Using ISA/IEC 62443 Standards

The ISA Global Cybersecurity Alliance (ISAGCA) held a webinar on 24 October 2024 to provide insights into...
Kara Phelps Nov 1, 2024 12:00:00 PM