TEMP.Veles

Also known as: ATK91, G0088, TEMP.Veles, TRISIS, Triton, XENOTIME, Xenotime

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems. (Citation: FireEye TRITON 2019; FireEye TEMP.Veles 2018; FireEye TEMP.Veles JSON April 2019)

🌍 Country Russia
📅 Activity 2017 — 2017
🧭 ATT&CK G0088

Activities and Tactics

Country of Origin: 🇷🇺 Russia

First Seen: 2017

Last Activity: 2017

Notable Campaigns

  • Triton Safety Instrumented System Attack (C0030): Triton Safety Instrumented System Attack was a campaign employed by TEMP.Veles which leveraged the Triton malware framework against a petrochemical organization. (Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex Safety Controllers within the environment. (Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware. (Citation: FireEye TRITON 2017)

  • C0032: C0032 was an extended campaign suspected to involve the Triton adversaries, with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the Triton Safety Instrumented System Attack. (Citation: FireEye TRITON 2019)

Tactics, Techniques, and Procedures (TTPs)

ATT&CK technique IDs (denormalized)

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 2 public reports that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

  • Triton

MITRE ATT&CK Software

Attribution and Evidence

Country of Origin: Russia

Additional attribution information pending cataloguing.

References

[1] mitre-attack

[3] Dragos Xenotime 2018: Dragos, Inc. (n.d.). Xenotime. Retrieved April 16, 2019.

[4] FireEye TEMP.Veles 2018: FireEye Intelligence. (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.

[5] FireEye TRITON 2019: Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.

[6] FireEye TEMP.Veles JSON April 2019: Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.

[7] Pylos Xenotime 2019: Slowik, J. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.