TEMP.Veles
TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.[1][2][3]
Associated Group Descriptions
| Name | Description |
|---|---|
| XENOTIME |
The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON.[4][5][1][2] |
Campaigns
| ID | Name | First Seen | Last Seen | References | Techniques |
|---|---|---|---|---|---|
| C0032 | C0032 | October 2014 [1] | January 2017 [1] | 事件触发执行: Image File Execution Options Injection, 伪装: Match Legitimate Name or Location, 协议隧道, 命令与脚本解释器: PowerShell, 外部远程服务, 操作系统凭证转储: LSASS Memory, 数据分段: Local Data Staging, 有效账户, 服务器软件组件: Web Shell, 移除指标: File Deletion, 移除指标: Timestomp, 获取基础设施: Virtual Private Server, 获取能力: Tool, 远程服务: SSH, 远程服务: Remote Desktop Protocol, 非标准端口, 预定任务/作业: Scheduled Task | |
| C0030 | Triton Safety Instrumented System Attack | June 2017 [6] | August 2017 [6] | Adversary-in-the-Middle, Command-Line Interface, Indicator Removal on Host, Lateral Tool Transfer, Loss of Productivity and Revenue, Program Download, Remote Services, Scripting, Unauthorized Command Message, Valid Accounts, 主动扫描, 伪装: Match Legitimate Name or Location, 加密通道, 命令与脚本解释器: PowerShell, 开发能力: Malware, 操作系统凭证转储: LSASS Memory, 混淆文件或信息: Indicator Removal from Tools, 获取能力: Tool, 输入捕获: Web Portal Capture, 预定任务/作业: Scheduled Task |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1595 | 主动扫描 |
In the Triton Safety Instrumented System Attack, TEMP.Veles engaged in network reconnaissance against targets of interest.[2] |
|
| Enterprise | T1546 | .012 | 事件触发执行: Image File Execution Options Injection |
During the C0032 campaign, TEMP.Veles modified and added entries within |
| Enterprise | T1036 | .005 | 伪装: Match Legitimate Name or Location |
In the Triton Safety Instrumented System Attack, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files. During the C0032 campaign, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.[1] |
| Enterprise | T1573 | 加密通道 |
In the Triton Safety Instrumented System Attack, TEMP.Veles used cryptcat binaries to encrypt their traffic.[2] |
|
| Enterprise | T1572 | 协议隧道 |
During the C0032 campaign, TEMP.Veles used encrypted SSH-based PLINK tunnels to transfer tools and enable RDP connections throughout the environment.[1] |
|
| Enterprise | T1059 | .001 | 命令与脚本解释器: PowerShell |
In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant.[2] During the C0032 campaign, TEMP.Veles used PowerShell to perform timestomping.[1] |
| Enterprise | T1133 | 外部远程服务 |
During the C0032 campaign, TEMP.Veles used VPN access to persist in the victim environment.[1] |
|
| Enterprise | T1587 | .001 | 开发能力: Malware |
In the Triton Safety Instrumented System Attack, TEMP.Veles developed, prior to the attack, malware capabilities that would require access to specific and specialized hardware and software.[7] |
| Enterprise | T1003 | .001 | 操作系统凭证转储: LSASS Memory |
In the Triton Safety Instrumented System Attack, TEMP.Veles used Mimikatz.[8] During the C0032 campaign, TEMP.Veles used Mimikatz and a custom tool, SecHack, to harvest credentials.[1] |
| Enterprise | T1074 | .001 | 数据分段: Local Data Staging |
During the C0032 campaign, TEMP.Veles used staging folders that are infrequently used by legitimate users or processes to store data for exfiltration and tool deployment.[1] |
| Enterprise | T1078 | 有效账户 |
During the C0032 campaign, TEMP.Veles used compromised VPN accounts.[1] |
|
| Enterprise | T1505 | .003 | 服务器软件组件: Web Shell |
During the C0032 campaign, TEMP.Veles planted Web shells on Outlook Exchange servers.[1] |
| Enterprise | T1027 | .005 | 混淆文件或信息: Indicator Removal from Tools |
In the Triton Safety Instrumented System Attack, TEMP.Veles modified files based on the open-source project cryptcat in an apparent attempt to decrease anti-virus detection rates.[2] |
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
During the C0032 campaign, TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.[1] |
| .006 | 移除指标: Timestomp |
During the C0032 campaign, TEMP.Veles used timestomping to modify the |
||
| Enterprise | T1583 | .003 | 获取基础设施: Virtual Private Server |
During the C0032 campaign, TEMP.Veles used Virtual Private Server (VPS) infrastructure.[1] |
| Enterprise | T1588 | .002 | 获取能力: Tool |
In the Triton Safety Instrumented System Attack, TEMP.Veles used tools such as Mimikatz and other open-source software.[2] During the C0032 campaign, TEMP.Veles obtained and used tools such as Mimikatz and PsExec.[1] |
| Enterprise | T1056 | .003 | 输入捕获: Web Portal Capture |
In the Triton Safety Instrumented System Attack, TEMP.Veles captured credentials as they were being changed by redirecting text-based login codes to websites they controlled.[6] |
| Enterprise | T1021 | .001 | 远程服务: Remote Desktop Protocol |
During the C0032 campaign, TEMP.Veles utilized RDP throughout an operation.[1] |
| .004 | 远程服务: SSH |
During the C0032 campaign, TEMP.Veles relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.[1] |
||
| Enterprise | T1571 | 非标准端口 |
During the C0032 campaign, TEMP.Veles used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.[1] |
|
| Enterprise | T1053 | .005 | 预定任务/作业: Scheduled Task |
In the Triton Safety Instrumented System Attack, TEMP.Veles installed scheduled tasks defined in XML files.[2] During the C0032 campaign, TEMP.Veles used scheduled task XML triggers.[1] |
| ICS | T0830 | Adversary-in-the-Middle |
In the Triton Safety Instrumented System Attack, TEMP.Veles changed phone numbers tied to certain specific accounts in a designated contact list. They then used the changed phone numbers to redirect network traffic to websites controlled by them, thereby allowing them to capture and use any login codes sent to the devices via text message.[6] |
|
| ICS | T0807 | Command-Line Interface |
In the Triton Safety Instrumented System Attack, TEMP.Veles’ tool took one option from the command line, which was a single IP address of the target Triconex device.[7] |
|
| ICS | T0817 | Drive-by Compromise |
TEMP.Veles utilizes watering hole websites to target industrial employees. [9] |
|
| ICS | T0872 | Indicator Removal on Host |
In the Triton Safety Instrumented System Attack, TEMP.Veles would programmatically return the controller to a normal running state if the Triton malware failed. If the controller could not recover in a defined time window, TEMP.Veles programmatically overwrote their malicious program with invalid data.[7] |
|
| ICS | T0867 | Lateral Tool Transfer |
In the Triton Safety Instrumented System Attack, TEMP.Veles made attempts on multiple victim machines to transfer and execute the WMImplant tool.[2] |
|
| ICS | T0828 | Loss of Productivity and Revenue |
In the Triton Safety Instrumented System Attack, TEMP.Veles tripped a controller into a failed safe state, which caused an automatic shutdown of the plant, this resulted in a pause of plant operations for more than a week. Thereby impacting industrial processes and halting productivity.[7] |
|
| ICS | T0843 | Program Download |
In the Triton Safety Instrumented System Attack, TEMP.Veles downloaded multiple rounds of control logic to the Safety Instrumented System (SIS) controllers through a program append operation.[7] |
|
| ICS | T0886 | Remote Services |
In the Triton Safety Instrumented System Attack, TEMP.Veles utilized remote desktop protocol (RDP) jump boxes, poorly configured OT firewalls [6], along with other traditional malware backdoors, to move into the ICS environment.[8][6] |
|
| ICS | T0853 | Scripting |
In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant.[2] |
|
| ICS | T0862 | Supply Chain Compromise |
TEMP.Veles targeted several ICS vendors and manufacturers. [10] |
|
| ICS | T0855 | Unauthorized Command Message |
In the Triton Safety Instrumented System Attack, TEMP.Veles leveraged Triton to send unauthorized command messages to the Triconex safety controllers.[8] |
|
| ICS | T0859 | Valid Accounts |
In the Triton Safety Instrumented System Attack, TEMP.Veles used valid credentials when laterally moving through RDP jump boxes into the ICS environment.[8] |
|
Software
References
- Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
- FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.
- Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.
- Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.
- Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.
- Blake Sobczak. (2019, March 7). The inside story of the world’s most dangerous malware. Retrieved March 25, 2024.
- Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.
- Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.
- Chris Bing 2018, May 24 Trisis masterminds have expanded operations to target U.S. industrial firms Retrieved. 2020/01/03
- Dragos Threat Intelligence 2019, August Global Oil and Gas Cyber Threat Perspective Retrieved. 2020/01/03