ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > TEMP.Veles

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: TEMP.Veles

NamesTEMP.Veles (FireEye)
Xenotime (Dragos)
ATK 91 (Thales)
CountryRussia Russia
SponsorState-sponsored, Central Scientific Research Institute of Chemistry and Mechanics
MotivationSabotage and destruction
First seen2014
DescriptionTEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.
ObservedSectors: Critical infrastructure, Energy, Manufacturing, Oil and gas.
Countries: Saudi Arabia, USA and others.
Tools usedCryptcat, Mimikatz, NetExec, PsExec, SecHack, Triton, Wii.
Operations performed2014TRISIS malware
<https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/>
2017TRITON malware
<https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html>
<https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html>
Feb 2019The most dangerous threat to ICS has new targets in its sights. Dragos identified the Xenotime activity group expanded its targeting beyond oil and gas to the electric utility sector. This expansion to a new vertical illustrates a trend that will likely continue for other ICS-targeting adversaries.
<https://dragos.com/blog/industry-news/threat-proliferation-in-ics-cybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas/>
Counter operationsOct 2020US Treasury sanctions Russian research institute behind Triton malware
<https://www.zdnet.com/article/us-treasury-sanctions-russian-research-institute-behind-triton-malware/>
Mar 2022DOJ unseals indictments of four Russian gov’t officials for cyberattacks on energy companies
<https://therecord.media/doj-unseals-indictments-of-four-russian-govt-officials-for-cyberattacks-on-energy-companies/>
Information<https://dragos.com/resource/xenotime/>
<https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html>
<https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf>
<https://www.cisa.gov/uscert/ncas/alerts/aa22-083a>
MITRE ATT&CK<https://attack.mitre.org/groups/G0088/>

Last change to this card: 04 April 2022

Download this actor card in PDF or JSON format

Previous: Tempting Cedar Spyware
Next: Terbium

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]