JUST RELEASED: ATT&CK for Industrial Control Systems


TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.[1][2][3]

ID: G0088
Associated Groups: XENOTIME
Version: 1.0
Created: 16 April 2019
Last Modified: 29 April 2019

Associated Group Descriptions

Name Description
XENOTIME The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON.[4][5][1][6]

Techniques Used

Domain ID Name Use
PRE-ATT&CK T1329 Acquire and/or use 3rd party infrastructure services

TEMP.Veles has used Virtual Private Server (VPS) infrastructure.[1]

PRE-ATT&CK T1311 Dynamic DNS

TEMP.Veles has used dynamic DNS.[1]

Enterprise T1043 Commonly Used Port

TEMP.Veles has used port 443 for C2.[1]

Enterprise T1003 Credential Dumping

TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials.[1]

Enterprise T1074 Data Staged

TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.[1]

Enterprise T1133 External Remote Services

TEMP.Veles has used a VPN to persist in the victim environment.[1]

Enterprise T1107 File Deletion

TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.[1]

Enterprise T1183 Image File Execution Options Injection

TEMP.Veles has modified and added entries within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to maintain persistence.

Enterprise T1066 Indicator Removal from Tools

TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.[2]

Enterprise T1036 Masquerading

TEMP.Veles has performed a variety of methods to look like valid users, including renaming files and mimicking legitimate administrator activities.[1]

Enterprise T1086 PowerShell

TEMP.Veles has used a publicly-available PowerShell-based tool, WMImplant. The group has also used PowerShell to perform Timestomping.[2][1]

Enterprise T1076 Remote Desktop Protocol

TEMP.Veles utilized RDP throughout an operation. [1]

Enterprise T1021 Remote Services

TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.[1]

Enterprise T1053 Scheduled Task

TEMP.Veles has used scheduled task XML triggers.[1]

Enterprise T1099 Timestomp

TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.[1]

Enterprise T1065 Uncommonly Used Port

TEMP.Veles has used ports 4444, 8531, and 50501 for C2.[1]

Enterprise T1078 Valid Accounts

TEMP.Veles has used compromised VPN accounts. [1]

Enterprise T1100 Web Shell

TEMP.Veles has planted webshells on Outlook Exchange servers.[1]


ID Name References Techniques
S0002 Mimikatz [1] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0029 PsExec [1] [4] Service Execution, Windows Admin Shares