BENTONITE

Employs LOTL tactics to establish persistent access to victim environments.

THREAT DESCRIPTION
BENTONITE is a new ICS Threat Group that has increasingly and opportunistically targeted the maritime oil and natural gas (ONG), government, and manufacturing sectors since 2021.

While BENTONITE does not exhibit the breakthrough capabilities of CHERNOVITE, the group was found last year to be actively attacking industrial organizations. BENTONITE’s operations have impacted North American ONG maritime support organizations and state, local, tribal, and territorial (SLTT) governments. BENTONITE compromised these organizations by exploiting Log4j and VMware Horizon vulnerabilities on internet-facing assets. Once inside a victim’s environment, BENTONITE is tenacious about retaining its access: it moves laterally to other hosts, collects credentials, and establishes long-term persistence that lets the adversary operator re-enter the environment through scheduled tasks combined with malware implants.
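One defender-side check for the persistence pattern described above, added here as an example and not Dragos’s or the page’s own code: it scores exported Windows Task Scheduler definitions for script hosts such as PowerShell launched hidden or encoded, from user-writable paths, under the SYSTEM account. The scoring heuristics and the two sample task definitions are assumptions constructed for illustration; only the task XML namespace and element names are the real Windows schema.

```python
import re
import xml.etree.ElementTree as ET

# Real namespace of exported Windows Task Scheduler definitions (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics assumed for this example (not Dragos detection content): hallmarks of a
# scheduled task reused as a living-off-the-land PowerShell persistence hook.
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")
HIDDEN_OR_ENCODED = re.compile(
    r"-enc\w*\s|-w(indowstyle)?\s+hidden|-nop\b|-noni\b|downloadstring|invoke-expression|\biex\b",
    re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.IGNORECASE)


def score_task(xml_text: str):
    """Return (score, reasons) for one task definition; a score of 0 means nothing flagged."""
    root = ET.fromstring(xml_text)
    reasons = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS)
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if any(host in cmd.lower() for host in SCRIPT_HOSTS):
            reasons.append(f"script host launched: {cmd}")
        if HIDDEN_OR_ENCODED.search(args):
            reasons.append("hidden/encoded PowerShell arguments")
        if USER_WRITABLE.search(cmd + " " + args):
            reasons.append("user-writable path referenced")
    # A flagged task that also runs as SYSTEM gives the implant the highest privileges.
    user = root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    if reasons and user.upper() in ("S-1-5-18", "SYSTEM"):
        reasons.append("runs as SYSTEM")
    return len(reasons), reasons


# Constructed sample task definitions (not captured from any real incident).
BENIGN_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command>
  <Arguments>--nightly</Arguments></Exec></Actions></Task>"""

SUSPICIOUS_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions><Exec><Command>powershell.exe</Command>
  <Arguments>-w hidden -nop -File C:\\Users\\Public\\update.ps1</Arguments></Exec></Actions></Task>"""

if __name__ == "__main__":
    for name, task in (("benign", BENIGN_TASK), ("suspicious", SUSPICIOUS_TASK)):
        print(name, score_task(task))
```

Feed it the output of `schtasks /query /xml` (one definition per task) to triage an entire host; anything with a non-zero score is a candidate for review, not a verdict.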

Date: Since 2021

ADVERSARY

  • Associated with PHOSPHORUS
  • Able to run multiple, concurrent operations

CAPABILITIES

  • Multi-stage downloaders, victim enumeration, reconnaissance and C2 capabilities
  • Vulnerability exploitation
  • Heavy use of PowerShell to facilitate compromise
  • Disruptive Capabilities

VICTIM

  • Highly Opportunistic
  • U.S. Oil and Gas, Manufacturing
  • State, Local, Tribal and Territorial organizations

INFRASTRUCTURE

  • Credential harvesting
  • Separate domains for phishing and C2
  • Utilizes GitHub for delivery, SSH and HTTP for C2

ICS IMPACT

  • Espionage, Data Exfiltration & IT Compromise
  • Disruptive Effects Possible
About Dragos Threat Intelligence

Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate nor conduct political attribution to threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’s approach to categorizing threat activity and attribution.

Dragos does not publicly describe ICS threat group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on BAUXITE and other group tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.
