BAUXITE

Ability to compromise PLCs, modify ladder logic, and deploy custom backdoors on OT devices.

Threat Group: Bauxite
THREAT DESCRIPTION
Dragos-designated threat group BAUXITE has been implicated in multiple global campaigns targeting OT/ICS entities and specific devices. Based on its capabilities and network infrastructure, the group shares substantial technical overlaps with the pro-Iranian hacktivist persona CyberAv3ngers.

BAUXITE has reached Stage 2 of the ICS Cyber Kill Chain and has demonstrated the ability to compromise PLCs and deploy custom backdoors on OT devices. The group is active on OT/ICS-focused forums and extensively monitors security advisories from OEMs and for ICS protocols, likely documenting and cataloging known vulnerabilities to target in future campaigns.

BAUXITE’s targeting strategies and operational focus have evolved under state-sponsored directives or geopolitical pressures. Through 2025, BAUXITE is expected to enhance its capabilities and attempt to conduct disruptive operations against OT/ICS entities globally.

Date: Since 2017

ADVERSARY

  • Overlaps with CyberAv3ngers

CAPABILITIES

  • Uses publicly known exploits
  • Consumes Security Advisories from OT/ICS OEMs
  • Leverages tools built into Kali Linux
  • Linux Backdoor with C2 over MQTT

VICTIM

  • Global impact, victims in the U.S., Australia, U.K., and Israel

INFRASTRUCTURE

  • Use/reuse of bulletproof hosting providers & owned infrastructure
  • Separate infrastructure for CNA/CNE (computer network attack/exploitation), scanning, and research

ICS IMPACT

  • ICS Cyber Kill Chain Stage 2
  • Denial of Control, Loss of Availability, Loss of Control, Loss of Productivity and Revenue, Loss of View
About Dragos Threat Intelligence

Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate nor conduct political attribution to threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’s approach to categorizing threat activity and attribution.

Dragos does not publicly describe ICS threat group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on BAUXITE and other group tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.
