ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Covellite

Names: Covellite (Dragos), CTG-2460 (SecureWorks), Nickel Academy (SecureWorks), Black Artemis (PWC)
Country: North Korea
Motivation: Information theft and espionage
First seen: 2017
Description: (Dragos) Covellite compromises networks associated with civilian electric energy worldwide and gathers intelligence on intellectual property and internal industrial operations. Covellite lacks an industrial control system (ICS) specific capability at this time.

Covellite operates globally with targets primarily in Europe, East Asia, and North America. US targets emerged in September 2017 with a small, targeted phishing campaign directed at select U.S. electric companies. The phishing emails contained a malicious Microsoft Word document and infected computers with malware.

The malicious emails discovered in the fall masqueraded as resumes or invitations. They delivered a remote access tool (RAT) payload which was used to conduct reconnaissance and enable persistent, covert access to victims’ machines.

Covellite’s infrastructure and malware are similar to the hacking organization known as Lazarus Group, Hidden Cobra, Labyrinth Chollima by Novetta and Hidden Cobra by the U.S. Department of Homeland Security.

Lazarus Group is responsible for attacks ranging from the 2014 attack on Sony Pictures to a number of Bitcoin heists in 2017. Technical analysis of Covellite malware indicates an evolution from known Lazarus toolkits. However, aside from technical overlap, it is not known how the capabilities and operations between Covellite and Lazarus are related.

Covellite remains active but appears to have abandoned North American targets, with indications of activity in Europe and East Asia. Given the group’s specific interest in infrastructure operations, rapidly improving capabilities, and history of aggressive targeting, Dragos considers this group a primary threat to the ICS industry.
Observed sectors: Energy.
Observed countries: USA, Europe and East Asia.
Tools used:

Last change to this card: 07 January 2021
