1. Home
  2. Groups
  3. TEMP.Veles

TEMP.Veles

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.[1][2][3]

ID: G0088
Associated Groups: XENOTIME
Contributors: Dragos Threat Intelligence
Version: 1.4
Created: 16 April 2019
Last Modified: 17 April 2024
Version Permalink

Associated Group Descriptions

Name Description
XENOTIME

The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON.[4][5][1][2]

Campaigns

ID Name First Seen Last Seen References Techniques
C0032 C0032 October 2014 [1] January 2017 [1]

[1]

 Acquire Infrastructure: Virtual Private Server, Command and Scripting Interpreter: PowerShell, Data Staged: Local Data Staging, Event Triggered Execution: Image File Execution Options Injection, External Remote Services, Indicator Removal: File Deletion, Indicator Removal: Timestomp, Masquerading: Match Legitimate Name or Location, Non-Standard Port, Obtain Capabilities: Tool, OS Credential Dumping: LSASS Memory, Protocol Tunneling, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Server Software Component: Web Shell, Valid Accounts
C0030 Triton Safety Instrumented System Attack June 2017 [6] August 2017 [6]

[2][7]

 Active Scanning, Adversary-in-the-Middle, Command and Scripting Interpreter: PowerShell, Command-Line Interface, Develop Capabilities: Malware, Encrypted Channel, Indicator Removal on Host, Input Capture: Web Portal Capture, Lateral Tool Transfer, Loss of Productivity and Revenue, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information: Indicator Removal from Tools, Obtain Capabilities: Tool, OS Credential Dumping: LSASS Memory, Program Download, Remote Services, Scheduled Task/Job: Scheduled Task, Scripting, Unauthorized Command Message, Valid Accounts
Enterprise Layer
download view
ICS Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

During the C0032 campaign, TEMP.Veles used Virtual Private Server (VPS) infrastructure.[1]
Enterprise T1595 Active Scanning

In the Triton Safety Instrumented System Attack, TEMP.Veles engaged in network reconnaissance against targets of interest.[2]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant.[2]

During the C0032 campaign, TEMP.Veles used PowerShell to perform timestomping.[1]
Enterprise T1074 .001 Data Staged: Local Data Staging

During the C0032 campaign, TEMP.Veles used staging folders that are infrequently used by legitimate users or processes to store data for exfiltration and tool deployment.[1]
Enterprise T1587 .001 Develop Capabilities: Malware

In the Triton Safety Instrumented System Attack, TEMP.Veles developed, prior to the attack, malware capabilities that would require access to specific and specialized hardware and software.[7]
Enterprise T1573 Encrypted Channel

In the Triton Safety Instrumented System Attack, TEMP.Veles used cryptcat binaries to encrypt their traffic.[2]
Enterprise T1546 .012 Event Triggered Execution: Image File Execution Options Injection

During the C0032 campaign, TEMP.Veles modified and added entries within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to maintain persistence.[1]
Enterprise T1133 External Remote Services

During the C0032 campaign, TEMP.Veles used VPN access to persist in the victim environment.[1]
Enterprise T1070 .004 Indicator Removal: File Deletion

During the C0032 campaign, TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.[1]
.006 Indicator Removal: Timestomp

During the C0032 campaign, TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.[1]
Enterprise T1056 .003 Input Capture: Web Portal Capture

In the Triton Safety Instrumented System Attack, TEMP.Veles captured credentials as they were being changed by redirecting text-based login codes to websites they controlled.[6]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

In the Triton Safety Instrumented System Attack, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.

During the C0032 campaign, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.[1]
Enterprise T1571 Non-Standard Port

During the C0032 campaign, TEMP.Veles used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.[1]
Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

In the Triton Safety Instrumented System Attack, TEMP.Veles modified files based on the open-source project cryptcat in an apparent attempt to decrease anti-virus detection rates.[2]
Enterprise T1588 .002 Obtain Capabilities: Tool

In the Triton Safety Instrumented System Attack, TEMP.Veles used tools such as Mimikatz and other open-source software.[2]

During the C0032 campaign, TEMP.Veles obtained and used tools such as Mimikatz and PsExec.[1]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

In the Triton Safety Instrumented System Attack, TEMP.Veles used Mimikatz.[8]

During the C0032 campaign, TEMP.Veles used Mimikatz and a custom tool, SecHack, to harvest credentials.[1]
Enterprise T1572 Protocol Tunneling

During the C0032 campaign, TEMP.Veles used encrypted SSH-based PLINK tunnels to transfer tools and enable RDP connections throughout the environment.[1]
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

During the C0032 campaign, TEMP.Veles utilized RDP throughout an operation.[1]
.004 Remote Services: SSH

During the C0032 campaign, TEMP.Veles relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

In the Triton Safety Instrumented System Attack, TEMP.Veles installed scheduled tasks defined in XML files.[2]

During the C0032 campaign, TEMP.Veles used scheduled task XML triggers.[1]
Enterprise T1505 .003 Server Software Component: Web Shell

During the C0032 campaign, TEMP.Veles planted Web shells on Outlook Exchange servers.[1]
Enterprise T1078 Valid Accounts

During the C0032 campaign, TEMP.Veles used compromised VPN accounts.[1]
ICS T0830 Adversary-in-the-Middle

In the Triton Safety Instrumented System Attack, TEMP.Veles changed phone numbers tied to certain specific accounts in a designated contact list. They then used the changed phone numbers to redirect network traffic to websites controlled by them, thereby allowing them to capture and use any login codes sent to the devices via text message.[6]
ICS T0807 Command-Line Interface

In the Triton Safety Instrumented System Attack, TEMP.Veles’ tool took one option from the command line, which was a single IP address of the target Triconex device.[7]
ICS T0817 Drive-by Compromise

TEMP.Veles utilizes watering hole websites to target industrial employees. [9]
ICS T0872 Indicator Removal on Host

In the Triton Safety Instrumented System Attack, TEMP.Veles would programmatically return the controller to a normal running state if the Triton malware failed. If the controller could not recover in a defined time window, TEMP.Veles programmatically overwrote their malicious program with invalid data.[7]
ICS T0867 Lateral Tool Transfer

In the Triton Safety Instrumented System Attack, TEMP.Veles made attempts on multiple victim machines to transfer and execute the WMImplant tool.[2]
ICS T0828 Loss of Productivity and Revenue

In the Triton Safety Instrumented System Attack, TEMP.Veles tripped a controller into a failed safe state, which caused an automatic shutdown of the plant, this resulted in a pause of plant operations for more than a week. Thereby impacting industrial processes and halting productivity.[7]
ICS T0843 Program Download

In the Triton Safety Instrumented System Attack, TEMP.Veles downloaded multiple rounds of control logic to the Safety Instrumented System (SIS) controllers through a program append operation.[7]
ICS T0886 Remote Services

In the Triton Safety Instrumented System Attack, TEMP.Veles utilized remote desktop protocol (RDP) jump boxes, poorly configured OT firewalls [6], along with other traditional malware backdoors, to move into the ICS environment.[8][6]
ICS T0853 Scripting

In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant.[2]
ICS T0862 Supply Chain Compromise

TEMP.Veles targeted several ICS vendors and manufacturers. [10]
ICS T0855 Unauthorized Command Message

In the Triton Safety Instrumented System Attack, TEMP.Veles leveraged Triton to send unauthorized command messages to the Triconex safety controllers.[8]
ICS T0859 Valid Accounts

In the Triton Safety Instrumented System Attack, TEMP.Veles used valid credentials when laterally moving through RDP jump boxes into the ICS environment.[8]

Software

ID Name References Techniques
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0029 PsExec [1][4] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S1009 Triton [4] Change Operating Mode, Commonly Used Port, Detect Operating Mode, Execution through API, Exploitation for Evasion, Exploitation for Privilege Escalation, Hooking, Indicator Removal on Host, Loss of Safety, Masquerading, Modify Controller Tasking, Native API, Program Download, Program Upload, Remote System Discovery, Scripting, Standard Application Layer Protocol, System Firmware

References

  1. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  2. FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.
  3. Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.
  4. Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.
  5. Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.
  1. Blake Sobczak. (2019, March 7). The inside story of the world’s most dangerous malware. Retrieved March 25, 2024.
  2. Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.
  3. Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.
  4. Chris Bing 2018, May 24 Trisis masterminds have expanded operations to target U.S. industrial firms Retrieved. 2020/01/03
  5. Dragos Threat Intelligence 2019, August Global Oil and Gas Cyber Threat Perspective Retrieved. 2020/01/03