GANANITE

Impersonates victims, exploits vulnerabilities, targets internet-exposed endpoints, and exfiltrates data.

Threat Group: Gananite
THREAT DESCRIPTION
GANANITE targets critical infrastructure and government entities in the Commonwealth of Independent States and Central Asian nations, focusing on espionage and data theft with the possibility of handing off initial access to other threat groups.

Although GANANITE has not yet shown evidence of moving into OT networks or an elevated capability resembling Stage 2 actions, their assessed capabilities show efficient use of multiple phases across Stage 1 of the ICS Kill Chain.

Industrial organizations in Europe and Central Asia face a significant risk from GANANITE due to their initial intrusion capabilities, post-compromise espionage TTPs, and intellectual property theft, all of which can be used in follow-on attacks against the victim organizations.

Date: Since 2022

ADVERSARY

  • Overlap with YORO TROOPER, TOMIRIS, STURGEON PHISHER

CAPABILITIES

  • Uses multiple remote access trojans (RATs) and public proof-of-concept exploits
  • Credential phishing via lookalike domains

VICTIM

  • Targets Commonwealth of Independent States & Central Asia
  • Focus on Oil & Gas, Logistics, Transportation, and Government entities

INFRASTRUCTURE

  • Frequent use of VPNs and anonymizing infrastructure
  • Uses Telegram bots for data exfiltration

ICS IMPACT

  • Loss of confidentiality, theft of operations information
  • Espionage, exfiltration, initial access, data theft

About Dragos Threat Intelligence

Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos neither corroborates nor conducts political attribution of threat activity; it instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos's approach to categorizing threat activity and attribution.

Dragos does not publicly describe ICS threat group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on BAUXITE and other group tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.