TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.
The activity group XENOTIME, as defined by Dragos, overlaps with the activity that FireEye reports on as TEMP.Veles and with the actors behind TRITON.
|Enterprise||T1583||.003||Acquire Infrastructure: Virtual Private Server||
TEMP.Veles has used Virtual Private Server (VPS) infrastructure.
|Enterprise||T1059||.001||Command and Scripting Interpreter: PowerShell||
TEMP.Veles has used a publicly available PowerShell-based tool, WMImplant. The group has also used PowerShell to perform timestomping.
|Enterprise||T1074||.001||Data Staged: Local Data Staging||
TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.
|Enterprise||T1546||.012||Event Triggered Execution: Image File Execution Options Injection||
TEMP.Veles has modified and added entries within
|Enterprise||T1133||External Remote Services||
TEMP.Veles has used a VPN to persist in the victim environment.
|Enterprise||T1070||.004||Indicator Removal: File Deletion||
TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.
|.006||Indicator Removal: Timestomp||
TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.
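Timestomping through the Win32 API (SetFileTime, PowerShell's `.CreationTime`/`.LastWriteTime` setters) rewrites only the `$STANDARD_INFORMATION` timestamps; the `$FILE_NAME` attribute is maintained by the kernel and keeps the time the name was created. That asymmetry is what an analyst checks. The script below is an added example, not code from the ATT&CK page or from the TEMP.Veles reporting: it reads a constructed MFT timeline export with both attribute sets side by side and flags records where `$SI` created predates `$FN` created, or where `$SI` has been rounded to whole seconds while `$FN` still carries 100-ns precision. The CSV layout and the paths are assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed MFT timeline excerpt (UTC, 100-ns precision). Columns si_* come from
# $STANDARD_INFORMATION, fn_* from $FILE_NAME. Not real data.
SAMPLE_MFT_CSV = r"""path,si_created,si_modified,fn_created,fn_modified
C:\Windows\System32\kernel32.dll,2019-03-19T04:12:33.1234567,2019-03-19T04:12:33.1234567,2019-03-19T04:12:33.1234567,2019-03-19T04:12:33.1234567
C:\Windows\Temp\wmiprvse.exe,2009-07-14T01:14:22.0000000,2009-07-14T01:14:22.0000000,2018-06-02T13:41:07.9981236,2018-06-02T13:41:07.9981236
C:\Temp\staging\out.dat,2018-06-02T13:39:51.2211003,2018-06-02T13:40:10.7340120,2018-06-02T13:39:51.2211003,2018-06-02T13:39:51.2211003
C:\Users\ops\Documents\notes.txt,2018-05-30T08:00:00.0000000,2018-05-30T08:00:00.0000000,2018-05-30T08:00:00.0000000,2018-05-30T08:00:00.0000000
"""


def parse_ts(text: str):
    """Split an ISO timestamp into (datetime to the second, 100-ns ticks within it).

    Parsed by hand because NTFS keeps seven fractional digits and datetime only six.
    """
    base, _, frac = text.partition(".")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S"), int((frac or "0").ljust(7, "0")[:7])


def find_timestomped(csv_text: str) -> list:
    """Return (path, [reasons]) for records whose $SI/$FN timestamps disagree."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        si_created, si_modified = parse_ts(row["si_created"]), parse_ts(row["si_modified"])
        fn_created, fn_modified = parse_ts(row["fn_created"]), parse_ts(row["fn_modified"])
        reasons = []
        # $FN created is set when the name is created and copied from $SI at that
        # moment, so $SI created cannot legitimately be older than it afterwards.
        if si_created < fn_created:
            reasons.append("$SI created predates $FN created")
        # API-level timestomping usually writes whole seconds; the kernel-written
        # $FN timestamps keep their sub-second digits.
        if si_created[1] == 0 and si_modified[1] == 0 and (fn_created[1] or fn_modified[1]):
            reasons.append("$SI has zero sub-second digits while $FN does not")
        if reasons:
            findings.append((row["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in find_timestomped(SAMPLE_MFT_CSV):
        print(path, "->", "; ".join(reasons))
```

Both heuristics have benign causes: robocopy, archive extractors and backup restores also set `$SI` through SetFileTime, so the filter surfaces candidates for review rather than proof. `$FN` is not untouchable either (a rename creates a fresh `$FN` stamped from the current `$SI`), so the check is strongest on files that were never renamed after the suspected stomp.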
|Enterprise||T1036||.005||Masquerading: Match Legitimate Name or Location||
TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.
|Enterprise||T1571||Non-Standard Port||
TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.
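A port-protocol mismatch is the application protocol that a sensor identifies by inspection (TLS, SSH, HTTP) not being the one the destination port conventionally carries: SSH to 443, TLS to 4444, SSH to 50501. The detection below is an added example, not code from the ATT&CK page or the TEMP.Veles reporting. It runs over a constructed Zeek-style `conn.log` excerpt and reports connections where the identified service contradicts the expectation for the port, or where a well-known service appears on an unexpected port. The expectation tables are assumptions; in particular, 8531 is treated as a legitimate TLS port because WSUS listens there, which holds only on hosts that actually are WSUS servers.

```python
import csv
import io

CONN_FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service")

# Constructed conn.log rows (Zeek sets service from protocol analysis; '-' = unknown).
SAMPLE_CONN_ROWS = [
    ("1528000001.10", "C1", "10.1.4.20", "51002", "203.0.113.7", "443", "tcp", "ssl"),
    ("1528000002.40", "C2", "10.1.4.20", "51003", "203.0.113.9", "443", "tcp", "ssh"),
    ("1528000003.70", "C3", "10.1.4.21", "51100", "198.51.100.5", "4444", "tcp", "ssl"),
    ("1528000004.00", "C4", "10.1.4.21", "51101", "10.1.0.15", "8531", "tcp", "ssl"),
    ("1528000005.25", "C5", "10.1.4.22", "51200", "198.51.100.6", "50501", "tcp", "ssh"),
    ("1528000006.50", "C6", "10.1.4.22", "51201", "10.1.0.9", "22", "tcp", "ssh"),
    ("1528000007.90", "C7", "10.1.4.23", "51300", "198.51.100.8", "443", "tcp", "-"),
]
SAMPLE_CONN_LOG = "\n".join("\t".join(r) for r in [CONN_FIELDS, *SAMPLE_CONN_ROWS]) + "\n"

# What a given port should carry (assumption; 8531 = WSUS over TLS).
EXPECTED_SERVICE = {443: {"ssl"}, 8531: {"ssl"}, 22: {"ssh"}, 80: {"http"}, 3389: {"rdp"}}
# Ports on which a given service is unremarkable (assumption).
USUAL_PORTS = {"ssl": {443, 8443, 8531}, "ssh": {22}, "http": {80, 8080}, "rdp": {3389}}


def find_mismatches(conn_log: str) -> list:
    """Return (uid, resp_h, resp_p, reason) for service/port disagreements."""
    findings = []
    for row in csv.DictReader(io.StringIO(conn_log), delimiter="\t"):
        port, service = int(row["id.resp_p"]), row["service"]
        if service == "-":
            continue  # nothing identified; a different check (JA3, byte counts) applies
        reason = None
        expected = EXPECTED_SERVICE.get(port)
        if expected and service not in expected:
            reason = f"{service} on port {port}, expected {'/'.join(sorted(expected))}"
        elif service in USUAL_PORTS and port not in USUAL_PORTS[service]:
            reason = f"{service} on non-standard port {port}"
        if reason:
            findings.append((row["uid"], row["id.resp_h"], port, reason))
    return findings


if __name__ == "__main__":
    for uid, host, port, reason in find_mismatches(SAMPLE_CONN_LOG):
        print(f"{uid} -> {host}:{port}: {reason}")
```

Run against real `conn.log` data the two rules have different noise levels: a well-known port carrying the wrong protocol (C2 above) is rarely benign, while a known protocol on an odd port (C3, C5) needs the destination host and the volume over time before it means anything.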
|Enterprise||T1027||.005||Obfuscated Files or Information: Indicator Removal from Tools||
TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.
|Enterprise||T1588||.002||Obtain Capabilities: Tool||
TEMP.Veles has obtained and used tools such as Mimikatz and PsExec.
|Enterprise||T1003||.001||OS Credential Dumping: LSASS Memory||
TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials. 
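Every LSASS credential-dumping tool, Mimikatz included, must first open a handle to `lsass.exe` with `PROCESS_VM_READ` (0x0010) in the requested access mask, which Sysmon records as Event ID 10 (ProcessAccess). The detection below is an added example, not code from the ATT&CK page or the TEMP.Veles reporting. It runs over constructed Sysmon 10 records serialised as JSON lines, ignores query-only handles, drops a small allowlist of sources that legitimately read LSASS, and raises severity when the call stack contains an `UNKNOWN(...)` frame, which Sysmon emits for code that is not backed by a file on disk. The allowlist and the events are assumptions.

```python
import json

PROCESS_VM_READ = 0x0010  # required to read credential material out of lsass memory

# Processes routinely seen opening lsass with broad rights (assumption; tune per host).
ALLOWLISTED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

_NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2bd0e"

# Constructed Sysmon Event ID 10 records as JSON lines. Not real telemetry.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF", "CallTrace": _NTDLL},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400", "CallTrace": _NTDLL},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1438",
     "CallTrace": _NTDLL + "|UNKNOWN(00000000032F12A0)"},
    {"EventID": 10, "SourceImage": r"C:\Users\ops\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": _NTDLL + r"|C:\Users\ops\AppData\Local\Temp\m.exe+2f1a"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe", "GrantedAccess": "0x1010", "CallTrace": _NTDLL},
])


def detect_lsass_access(jsonl: str) -> list:
    """Return (source image, granted access, severity) for suspicious lsass handles."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 10:
            continue
        if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            continue
        access = int(event["GrantedAccess"], 16)
        if not access & PROCESS_VM_READ:
            continue  # e.g. 0x1400: query rights only, memory is not readable
        source = event["SourceImage"]
        if source.lower() in ALLOWLISTED_SOURCES:
            continue
        # An UNKNOWN frame means the caller is executing from memory no module backs
        # (reflective loading, injected code), which raises the priority.
        severity = "high" if "UNKNOWN(" in event.get("CallTrace", "") else "medium"
        findings.append((source, event["GrantedAccess"], severity))
    return findings


if __name__ == "__main__":
    for source, access, severity in detect_lsass_access(SAMPLE_EVENTS):
        print(f"[{severity}] {source} opened lsass with {access}")
```

The access masks 0x1010 and 0x1438 in the sample are the values most often cited by public Sysmon rules for Mimikatz-style access, but the bit test on `PROCESS_VM_READ` is what matters: tools vary the exact mask, and an allowlist keyed on the source image path is only as good as the integrity of that path (a renamed binary under a trusted name still has to be caught by hashing or signature checks elsewhere).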
|Enterprise||T1021||.001||Remote Services: Remote Desktop Protocol||
TEMP.Veles utilized RDP throughout an operation.
|.004||Remote Services: SSH||
TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.
|Enterprise||T1053||.005||Scheduled Task/Job: Scheduled Task||
TEMP.Veles has used scheduled task XML triggers.
|Enterprise||T1505||.003||Server Software Component: Web Shell||
TEMP.Veles has planted Web shells on Microsoft Exchange servers.
|Enterprise||T1078||Valid Accounts||
TEMP.Veles has used compromised VPN accounts.
|ICS||T0817||Drive-by Compromise||
TEMP.Veles utilizes watering hole websites to target industrial employees.
|ICS||T0886||Remote Services||
TEMP.Veles utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment.
|ICS||T0862||Supply Chain Compromise||
TEMP.Veles targeted several ICS vendors and manufacturers. 
|ICS||T0859||Valid Accounts||
TEMP.Veles used valid credentials when laterally moving through RDP jump boxes into the ICS environment.
|S0002||Mimikatz||||Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Ticket, Use Alternate Authentication Material: Pass the Hash|
|S0029||PsExec||||Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution|
|S1009||Triton||||Change Operating Mode, Commonly Used Port, Detect Operating Mode, Execution through API, Exploitation for Evasion, Exploitation for Privilege Escalation, Hooking, Indicator Removal on Host, Loss of Safety, Masquerading, Modify Controller Tasking, Native API, Program Download, Program Upload, Remote System Discovery, Scripting, Standard Application Layer Protocol, System Firmware|