AZURITE
Targets OT engineering workstations to exfiltrate operational data and enable future offensive operations.
Once inside, AZURITE moves laterally to engineering workstations where it conducts interactive operations to identify and exfiltrate alarm data, PLC configurations, HMI data, and process information. This is not conventional data theft. The specific focus on how industrial processes operate, what triggers alarms, and how control loops are structured indicates that the group is building the knowledge base required to develop OT-specific disruptive capabilities. Defenders should treat any AZURITE presence in an OT environment as active prepositioning for future destructive operations, not opportunistic intrusion.
Date: Since 2021
Overlaps:
- Overlap with Flax Typhoon, Ethereal Panda, UNC5923, Raptor Train, Red Dev 54
- Assessed to share tasking and targeting objectives with VOLTZITE
Tactics and techniques:
- Heavy use of living-off-the-land (LOTL) techniques and strong operational security practices
- Exploits internet-facing Ivanti, Fortinet, Cisco, GIS, and F5 assets
- Multiple web shells including Chopper, AntSword, SuperShell, and Godzilla
- SOCKS/SOCKS5 tunneling for C2; RDP access to engineering workstations
- Slow and steady reconnaissance to evade internal detection
Targeting:
- Targets manufacturing, automotive, electric, oil and gas, pharmaceutical, defense industrial base, and government organizations
- Regional focus: United States, Taiwan, Europe, Japan, South Korea, and Australia
Infrastructure:
- Compromised SOHO routers and NAS devices incorporated into adversary operational relay box (ORB) networks
- Multi-tiered architecture of controller nodes, proxy/relay nodes, and infector nodes
- Purpose-built VPS infrastructure for C2 and exfiltration
Impact:
- Loss of confidentiality and theft of operational information
- Long-term access and offensive operations enablement
- Capability development support for future OT-specific tooling or malware
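The profile's most detectable step is the interactive RDP access to engineering workstations that precedes the collection of PLC configurations and HMI data. The following detection is an added example, not part of the original profile: it parses constructed Windows Security logon records and raises an alert for any successful RemoteInteractive (RDP) logon to an engineering workstation that did not come from an approved OT jump host. The asset inventory, jump-host address, field names and log lines are all assumptions made for the illustration.

```python
# Added example, not from the original profile: flag successful RDP (RemoteInteractive)
# logons to OT engineering workstations whose source is not an approved OT jump host.
# The asset lists, field names and log lines below are constructed for illustration.
import re
from typing import Dict, List

ENGINEERING_WORKSTATIONS = {"EWS-01", "EWS-02"}   # assumed OT asset inventory
APPROVED_RDP_SOURCES = {"10.10.5.10"}             # assumed OT jump host
RDP_LOGON_TYPE = "10"                              # Windows logon type 10 = RemoteInteractive

# Constructed Security-log records flattened to a key=value form.
SAMPLE_LOG = """\
EventID=4624 LogonType=10 Computer=EWS-01 TargetUserName=opseng IpAddress=10.10.5.10
EventID=4624 LogonType=10 Computer=EWS-02 TargetUserName=svc_backup IpAddress=10.10.40.77
EventID=4624 LogonType=2 Computer=EWS-01 TargetUserName=opseng IpAddress=127.0.0.1
EventID=4624 LogonType=10 Computer=HMI-03 TargetUserName=opseng IpAddress=10.10.40.77
EventID=4625 LogonType=10 Computer=EWS-01 TargetUserName=admin IpAddress=10.10.40.77
"""

def parse_line(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' record into a dict (empty dict for blank lines)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def is_suspicious_ews_rdp(ev: Dict[str, str]) -> bool:
    """Successful RDP logon to an engineering workstation from an unapproved source."""
    return (ev.get("EventID") == "4624"                       # logon succeeded
            and ev.get("LogonType") == RDP_LOGON_TYPE           # came in over RDP
            and ev.get("Computer") in ENGINEERING_WORKSTATIONS  # landed on an EWS
            and ev.get("IpAddress") not in APPROVED_RDP_SOURCES)

def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records that should be raised as alerts."""
    return [ev for ev in map(parse_line, log_text.splitlines())
            if ev and is_suspicious_ews_rdp(ev)]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: RDP to {ev['Computer']} as {ev['TargetUserName']} "
              f"from {ev['IpAddress']}")
```

Against the constructed log only the EWS-02 session from the non-jump-host address is raised; the console logon, the logon to a non-EWS host, and the failed attempt are all ignored.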