Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

All Posts

Recent Activity in Dragos Tracked Activity Groups

This blog is the third in a three-part series defining Cyber Threat Intelligence (CTI). The first part explained the concepts of CTI, including its history, emergence, and challenges. The second part featured an in-depth explanation of practical uses for the Diamond Model in CTI analysis.

Dragos is currently developing three new Activity Groups this year and has also discovered activity across three existing activity groups: KAMACITE, WASSONITE, and STIBNITE. Dragos will provide more information on the new Activity Groups (AG) as it becomes available. This blog updates activity on the three AGs listed above. 

KAMACITE 

Multiple government and third-party entities link KAMACITE, active since 2014, to Russian military intelligence operations. KAMACITE uses GREYENERGY, a modular malware and successor to BLACKENERGY. GREYENERGY is associated with two known dropper variants. This year, Dragos identified two GREYENERGY dropper variants in the wild, one in March of 2021 and one in August of 2021, respectively. Dragos assesses with moderate confidence that due to the modular structure, which is similar to BLACKENERGY, GREYENERGY could add ICS components in the future. The GREYENERGY dropper satisfies Stage 1: Install/Modify of the ICS Cyber Kill Chain.

STIBNITE

STIBNITE targeted wind turbine system companies in Azerbaijan in their 2020 campaigns. In their February 2021 campaigns, STIBNITE targeted Azerbaijani-speaking industrial experts, researchers, and practitioners in the environmental science, technology, and engineering fields. In March 2021, they continued to target Azerbaijan government entities, more specifically the Azerbaijan Ministry of Ecology and Natural Resources, with an Oil and Gas spearphishing lure.

Malwarebytes published a report highlighting activity using a State Oil Company of the Azerbaijan Republic (SOCAR) spearphishing lure targeting an Azerbaijan government entity. Dragos assessed with high confidence that STIBNITE is associated with this activity. The recipient of this spearphishing lure could unknowingly execute a macro in the document that would drop a new version of PoetRAT written in Python. This is the fifth variant of PoetRAT documented by Dragos. This version of PoetRAT includes a similar persistence technique to previous versions. The C2 infrastructure of this campaign overlaps with previous STIBNITE campaigns.

WASSONITE

During June 2021, Dragos discovered multiple victims in the Oil and Gas, Electric, and Component Manufacturing industries communicating with a WASSONITE C2 server associated with Appleseed backdoor. Appleseed is a multi-component backdoor that can take screenshots, log keystrokes, and collect removable media information and specific victim files. It can also upload, download, and execute follow-on commands from the C2 server. WASSONITE previously leveraged DTRACK to infect the Kudankulam Nuclear Power Plant (KKNPP) nuclear facility in India. 

Dragos discovered and analyzed two variants of the Appleseed backdoor. It can also upload, download, and execute follow-on commands from the C2 server. Dragos analyzed the network communication function of Appleseed and identified an associated IP address hardcoded C2 domain. Dragos then pivoted on network telemetry to discover multiple victims in three ICS industries communicating with the WASSONITE C2 server associated with Appleseed infections.

Dragos assess with moderate confidence that the Appleseed backdoor infected five ICS verticals. Dragos previously discovered WASSONITE tools and behavior targeting multiple ICS entities, including electric generation, nuclear energy, manufacturing, and organizations involved in space-centric research.

VANADINITE

In July, the Cybersecurity & Infrastructure Security Agency (CISA) and FBI released an Alert regarding a People’s Republic of China (PRC) state-sponsored campaign targeting United States oil and natural gas companies between 2011 and 2013. The U.S. Department of Justice published indictments that associate activities that link to VANADINITE, with operators working on behalf of the People’s Republic of China (PRC). Dragos hunters have seen more recent activity in this AG, but it is not specified at the time of this writing as investigations continue with this activity.

Dr. Tom Winston
Dr. Tom Winston
Dr. Tom Winston is a director of intelligence content for Dragos. Tom has over 25 years of professional experience in many areas to include cybersecurity, ICS/SCADA systems, Critical Infrastructure protection, academics as well as systems and network engineering. He joined Dragos after serving for several years as a professor of cybersecurity engineering at George Mason University. Prior to that Tom served in a 15 year-long career at the CIA as an operations, digital forensics, and ICS/SCADA expert. His experience focused on threats to critical infrastructure (ICS/SCADA) systems, as well as foreign cyber intelligence and threat analysis. Tom has extensive experience in mobile device, removable/fixed media digital forensics, as well and has visited over 30 countries worldwide, and speaks over a dozen foreign languages.

Related Posts

White Paper Excerpt: Implementing an IACS Cybersecurity Program

ISA/IEC 62443 provides a powerful tool to reduce the risk of financial, reputational, human, and environm...
Gary Rathwell Jan 11, 2022 5:30:00 AM

LOGIIC Endorses ISA Industrial Control Systems Cybersecurity Training

ICS Cybersecurity Training for Remote Staff In late 2019, LOGIIC (Linking the Oil and Gas Industry to Imp...
Brian Peterson Jan 4, 2022 5:30:00 AM

Automation Systems Cybersecurity: From Standards to Practices

From first steps to a sustained response. Improving the state of cybersecurity in critical infrastructure...
Eric Cosman Dec 28, 2021 5:30:00 AM