This blog is the third in a three-part series defining Cyber Threat Intelligence (CTI). The first part explained the concepts of CTI, including its history, emergence, and challenges. The second part featured an in-depth explanation of practical uses for the Diamond Model in CTI analysis.
Dragos is currently developing three new Activity Groups this year and has also discovered activity across three existing activity groups: KAMACITE, WASSONITE, and STIBNITE. Dragos will provide more information on the new Activity Groups (AG) as it becomes available. This blog updates activity on the three AGs listed above.
Multiple government and third-party entities link KAMACITE, active since 2014, to Russian military intelligence operations. KAMACITE uses GREYENERGY, a modular malware and the successor to BLACKENERGY. GREYENERGY is associated with two known dropper variants. This year, Dragos identified two GREYENERGY dropper variants in the wild, one in March 2021 and one in August 2021. Dragos assesses with moderate confidence that, because its modular structure resembles that of BLACKENERGY, GREYENERGY could add ICS components in the future. The GREYENERGY dropper satisfies Stage 1: Install/Modify of the ICS Cyber Kill Chain.
STIBNITE targeted wind turbine system companies in Azerbaijan in its 2020 campaigns. In its February 2021 campaigns, STIBNITE targeted Azerbaijani-speaking industrial experts, researchers, and practitioners in the environmental science, technology, and engineering fields. In March 2021, it continued to target Azerbaijani government entities, more specifically the Azerbaijan Ministry of Ecology and Natural Resources, with an oil and gas-themed spearphishing lure.
Malwarebytes published a report highlighting activity that used a State Oil Company of the Azerbaijan Republic (SOCAR) spearphishing lure against an Azerbaijani government entity. Dragos assessed with high confidence that STIBNITE is associated with this activity. The recipient of this spearphishing lure could unknowingly execute a macro in the document that would drop a new version of PoetRAT written in Python. This is the fifth variant of PoetRAT documented by Dragos. This version of PoetRAT uses a persistence technique similar to that of previous versions. The C2 infrastructure of this campaign overlaps with previous STIBNITE campaigns.
During June 2021, Dragos discovered multiple victims in the Oil and Gas, Electric, and Component Manufacturing industries communicating with a WASSONITE C2 server associated with the Appleseed backdoor. Appleseed is a multi-component backdoor that can take screenshots, log keystrokes, and collect removable media information and specific victim files. It can also upload, download, and execute follow-on commands from the C2 server. WASSONITE previously leveraged DTRACK to infect the Kudankulam Nuclear Power Plant (KKNPP) in India.
Dragos discovered and analyzed two variants of the Appleseed backdoor. Dragos analyzed the network communication function of Appleseed and identified a hardcoded C2 domain and an associated IP address. Dragos then pivoted on network telemetry to discover multiple victims in three ICS industries communicating with the WASSONITE C2 server associated with Appleseed infections.
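The pivot described above, from a hardcoded C2 domain to the hosts communicating with it, can be reproduced against passive DNS and connection telemetry. The following is an added example and not Dragos code or any artifact from the Appleseed analysis: the C2 domain, the resolved IP addresses, and the log lines are all constructed placeholders (reserved `.invalid` and documentation address ranges), and the two log formats are simplified stand-ins for whatever DNS and flow records a defender actually has.

```python
"""Pivot from a hardcoded C2 domain to victims in network telemetry.

Added example, not Dragos code. Indicator values and log lines are constructed
placeholders; substitute indicators from your own malware analysis.
"""
from collections import defaultdict
from ipaddress import ip_address

# Placeholder indicator extracted from malware analysis (constructed, not a real IoC).
C2_DOMAIN = "c2.example.invalid"

# Constructed DNS log lines: timestamp, client, query, answer
DNS_LOG = """\
2021-06-01T10:00:01Z 10.1.5.20 c2.example.invalid 198.51.100.7
2021-06-01T10:03:11Z 10.2.7.33 updates.example.invalid 203.0.113.5
2021-06-02T08:12:45Z 10.3.9.14 c2.example.invalid 198.51.100.9
""".splitlines()

# Constructed connection log lines: timestamp, src, dst, dport, bytes_out
CONN_LOG = """\
2021-06-01T10:00:02Z 10.1.5.20 198.51.100.7 443 2048
2021-06-01T11:40:00Z 10.2.7.33 203.0.113.5 443 512
2021-06-02T08:12:46Z 10.3.9.14 198.51.100.9 443 4096
2021-06-03T02:00:00Z 10.4.1.8 198.51.100.7 443 8192
""".splitlines()


def resolved_ips(dns_lines, domain):
    """Pivot step 1: collect every IP the C2 domain resolved to in DNS telemetry."""
    ips = set()
    for line in dns_lines:
        _ts, _client, query, answer = line.split()
        if query.lower() == domain.lower():
            ip_address(answer)  # raises ValueError on a malformed answer field
            ips.add(answer)
    return ips


def find_victims(dns_lines, conn_lines, domain):
    """Pivot step 2: flag any host that queried the domain or connected to a resolved IP.

    Returns a dict mapping internal host -> list of evidence strings. Hosts that
    reached a resolved IP without a logged DNS query (e.g. a cached or external
    resolver) are still caught by the IP match.
    """
    c2_ips = resolved_ips(dns_lines, domain)
    victims = defaultdict(list)
    for line in dns_lines:
        ts, client, query, _answer = line.split()
        if query.lower() == domain.lower():
            victims[client].append(f"{ts} DNS query for {query}")
    for line in conn_lines:
        ts, src, dst, dport, bytes_out = line.split()
        if dst in c2_ips:
            victims[src].append(f"{ts} connection to {dst}:{dport} ({bytes_out} bytes out)")
    return dict(victims)


if __name__ == "__main__":
    for host, evidence in sorted(find_victims(DNS_LOG, CONN_LOG, C2_DOMAIN).items()):
        print(host)
        for item in evidence:
            print("  ", item)
```

The point of the two-step pivot is the last constructed host, 10.4.1.8: it never appears in the DNS log, so a search on the domain alone would miss it, but it is reached through the IP the domain resolved to elsewhere in the telemetry. In practice the resolved-IP set should be time-bounded, since C2 domains get re-pointed and shared hosting will otherwise pull in unrelated traffic.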
Dragos assesses with moderate confidence that the Appleseed backdoor infected five ICS verticals. Dragos previously discovered WASSONITE tools and behavior targeting multiple ICS entities, including electric generation, nuclear energy, manufacturing, and organizations involved in space-centric research.
In July, the Cybersecurity & Infrastructure Security Agency (CISA) and the FBI released an Alert regarding a People’s Republic of China (PRC) state-sponsored campaign targeting United States oil and natural gas companies between 2011 and 2013. The U.S. Department of Justice published indictments associating activity linked to VANADINITE with operators working on behalf of the PRC. Dragos hunters have observed more recent activity from this AG, but details are not specified at the time of this writing as investigations into this activity continue.