
While BENTONITE does not exhibit the breakthrough capabilities of CHERNOVITE, the group was found last year to be actively attacking industrial organizations. BENTONITE’s operations have impacted North American oil and natural gas (ONG) maritime support organizations and state, local, tribal, and territorial (SLTT) governments. BENTONITE compromised these organizations by exploiting Log4j and VMware Horizon vulnerabilities on internet-facing assets. Once inside a victim’s environment, BENTONITE is tenacious about retaining access: it moves laterally to other hosts, collects credentials, and establishes long-term persistence through scheduled tasks combined with malware implants so that the adversary operator can regain access.
Date: Since 2021
ADVERSARY
- Associated with PHOSPHORUS
- Able to run multiple, concurrent operations
CAPABILITIES
- Multi-stage downloaders, victim enumeration, reconnaissance and C2 capabilities
- Vulnerability exploitation
- Heavy use of PowerShell to facilitate compromise
- Disruptive Capabilities
VICTIM
- Highly Opportunistic
- U.S. Oil and Gas, Manufacturing
- State, Local, Tribal and Territorial organizations
INFRASTRUCTURE
- Credential harvesting
- Separate domains for phishing and C2
- Utilizes GitHub for delivery, SSH and HTTP for C2
ICS IMPACT
- Espionage, Data Exfiltration & IT Compromise
- Disruptive Effects Possible