TEMP.Veles

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.[1][2][3]

ID: G0088
Version: 1.0

Associated Group Descriptions

Name | Description
XENOTIME | The activity group XENOTIME, as defined by Dragos, overlaps with the activity FireEye reports as TEMP.Veles and with the actors behind TRITON.[4][5][1][6]

Techniques Used

Domain | ID | Name | Use
PRE-ATT&CK | T1329 | Acquire and/or use 3rd party infrastructure services | TEMP.Veles has used Virtual Private Server (VPS) infrastructure.[1]
PRE-ATT&CK | T1311 | Dynamic DNS | TEMP.Veles has used dynamic DNS.[1]
Enterprise | T1043 | Commonly Used Port | TEMP.Veles has used port 443 for C2.[1]
Enterprise | T1003 | Credential Dumping | TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials.[1]
Enterprise | T1074 | Data Staged | TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.[1]
Enterprise | T1133 | External Remote Services | TEMP.Veles has used a VPN to persist in the victim environment.[1]
Enterprise | T1107 | File Deletion | TEMP.Veles routinely deleted tools, logs, and other files once they were finished with them.[1]
Enterprise | T1183 | Image File Execution Options Injection | TEMP.Veles has modified and added entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to maintain persistence.[1]
Enterprise | T1066 | Indicator Removal from Tools | TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.[2]
Enterprise | T1036 | Masquerading | TEMP.Veles has used a variety of methods to look like valid users, including renaming files and mimicking legitimate administrator activity.[1]
Enterprise | T1086 | PowerShell | TEMP.Veles has used a publicly available PowerShell-based tool, WMImplant. The group has also used PowerShell to perform timestomping.[2][1]
Enterprise | T1076 | Remote Desktop Protocol | TEMP.Veles utilized RDP throughout an operation.[1]
Enterprise | T1021 | Remote Services | TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.[1]
Enterprise | T1053 | Scheduled Task | TEMP.Veles has used scheduled task XML triggers.[1]
Enterprise | T1099 | Timestomp | TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.[1]
Enterprise | T1065 | Uncommonly Used Port | TEMP.Veles has used ports 4444, 8531, and 50501 for C2.[1]
Enterprise | T1078 | Valid Accounts | TEMP.Veles has used compromised VPN accounts.[1]
Enterprise | T1100 | Web Shell | TEMP.Veles has planted web shells on Outlook Exchange servers.[1]
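Two rows in the table above, T1183 (Image File Execution Options Injection) and T1099 (Timestomp), describe host artefacts a responder can check directly. The Python below is an added example written for this page; it is not code from ATT&CK, FireEye, Dragos or the group's own tooling. It parses a registry export for Debugger values under the IFEO key (a Debugger value makes Windows start the named path in place of the image) and applies two widely used heuristics for a forged $STANDARD_INFORMATION attribute: every $SI timestamp having a zero sub-second part, and a $SI creation time earlier than the kernel-maintained $FILE_NAME creation time. The .reg text, the MFT-style records, the file paths (svc.exe, sethc.exe, osk.exe, the user documents) and the function and field names are all constructed assumptions for illustration.

```python
"""Host-artefact checks for two TEMP.Veles behaviours: IFEO Debugger
persistence and $STANDARD_INFORMATION timestomping. Every input below is
constructed for illustration, not a recovered artefact."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Constructed .reg export (hypothetical paths). A "Debugger" value under an
# image's IFEO subkey makes Windows start that path instead of the image.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\Temp\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"Debugger"="cmd.exe"
'''


def find_ifeo_debuggers(reg_text: str) -> dict[str, str]:
    """Return {image name: debugger path} for every IFEO subkey that sets Debugger."""
    prefix = (IFEO_KEY + "\\").lower()
    hits: dict[str, str] = {}
    image: str | None = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            image = key[len(prefix):].lower() if key.lower().startswith(prefix) else None
            continue
        m = re.match(r'"Debugger"="(.*)"$', line, re.IGNORECASE)
        if m and image:
            hits[image] = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return hits


@dataclass
class MftRecord:
    """Subset of an NTFS MFT entry (assumed layout). $SI timestamps can be set
    through the Win32 API; $FN timestamps are written only by the kernel."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


# Constructed records (hypothetical paths). NTFS keeps 100 ns resolution;
# datetime keeps microseconds, which is enough for the heuristics below.
SAMPLE_MFT = [
    # Dropped tool back-dated with a whole-second value: both heuristics fire.
    MftRecord(r"C:\Windows\Temp\svc.exe",
              datetime(2009, 7, 14, 1, 14, 27), datetime(2009, 7, 14, 1, 14, 27),
              datetime(2018, 3, 2, 11, 4, 17, 123456), datetime(2018, 3, 2, 11, 4, 17, 123456)),
    # Ordinary user document: no indicator.
    MftRecord(r"C:\Users\alice\Documents\report.docx",
              datetime(2018, 1, 10, 9, 0, 12, 345678), datetime(2018, 1, 12, 16, 30, 5, 9876),
              datetime(2018, 1, 10, 9, 0, 12, 345678), datetime(2018, 1, 10, 9, 0, 12, 345678)),
    # Timestamp-preserving copy of an older file: full precision survives, so
    # only the weaker ordering heuristic fires.
    MftRecord(r"C:\Users\alice\Documents\moved.log",
              datetime(2017, 6, 1, 10, 0, 0, 250000), datetime(2017, 6, 1, 10, 0, 0, 250000),
              datetime(2018, 2, 1, 8, 15, 0, 555555), datetime(2018, 2, 1, 8, 15, 0, 555555)),
]


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Heuristic indicators that $SI was forged; an empty list means none."""
    reasons: list[str] = []
    # SetFileTime callers usually pass whole seconds, so every $SI timestamp
    # ends up with a zero sub-second part; organic file activity rarely does.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("$SI timestamps have zero sub-second precision")
    # $FN creation is fixed when the kernel writes the record, so a $SI
    # creation time earlier than it means $SI was set afterwards. Archive
    # extraction and timestamp-preserving copies do this legitimately too.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI creation predates $FN creation")
    return reasons


def hunt(reg_text: str, records: list[MftRecord]) -> dict[str, list[str]]:
    """Combine both checks into one findings map keyed by artefact."""
    findings = {f"ifeo:{image}": [f"Debugger -> {debugger}"]
                for image, debugger in find_ifeo_debuggers(reg_text).items()}
    for rec in records:
        if reasons := timestomp_indicators(rec):
            findings[f"timestomp:{rec.path}"] = reasons
    return findings


if __name__ == "__main__":
    for artefact, reasons in hunt(SAMPLE_REG, SAMPLE_MFT).items():
        print(artefact, "->", "; ".join(reasons))
```

Treat both timestomp heuristics as leads rather than verdicts: archive extraction, installers and copy tools that preserve source timestamps all write $SI after the kernel has created the record, and a tool that stomps $SI and then moves the file to another directory on the same volume gets a fresh $FILE_NAME seeded from the already forged $SI values, which defeats the ordering check. Corroborate with the USN journal and with the staging-folder and file-deletion behaviour listed in the table before acting on a hit.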

Software

ID | Name | References | Techniques
S0002 | Mimikatz | [1] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0029 | PsExec | [1][4] | Service Execution, Windows Admin Shares

References