COVELLITE compromises networks associated with civilian electric energy worldwide and gathers intelligence on intellectual property and internal industrial operations. COVELLITE lacks an industrial control system (ICS) specific capability at this time.
COVELLITE operates globally with targets primarily in Europe, East Asia, and North America. US targets emerged in September 2017 with a small, targeted phishing campaign directed at select U.S. electric companies. The phishing emails contained a malicious Microsoft Word document and infected computers with malware.
The malicious emails discovered in the fall masqueraded as resumes or invitations. They delivered a remote access tool (RAT) payload which was used to conduct reconnaissance and enable persistent, covert access to victims’ machines.
COVELLITE’s infrastructure and malware are similar to the hacking organization known as LAZARUS GROUP by Novetta and HIDDEN COBRA by the U.S. Department of Homeland Security.
LAZARUS GROUP is responsible for attacks ranging from the 2014 attack on Sony Pictures to a number of Bitcoin heists in 2017. Technical analysis of COVELLITE malware indicates an evolution from known LAZARUS toolkits. However, aside from technical overlap, it is not known how the capabilities and operations between COVELLITE and LAZARUS are related.
COVELLITE remains active but appears to have abandoned North American targets, with indications of activity in Europe and East Asia. Given the group’s specific interest in infrastructure operations, rapidly improving capabilities, and history of aggressive targeting, Dragos considers this group a primary threat to the ICS industry.
Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate nor conduct political attribution to threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’ approach to categorizing threat activity and attribution.
Dragos does not publicly describe ICS activity group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on COVELLITE and other group tools, techniques, procedures, and infrastructure is available to network defenders via Dragos WorldView.