GRAPHITE

Spearphishing and credential theft for reconnaissance and espionage targeting industrial sectors.

THREAT DESCRIPTION
GRAPHITE is focused on energy and industrial organizations in Eastern Europe and the Middle East, particularly those involved in the military conflict in Ukraine. Since 2022, the group has conducted spear-phishing campaigns to steal credentials, often by exploiting vulnerabilities such as a no-click (zero-interaction) flaw in Microsoft Outlook.

The group initially relied on a network of compromised Ubiquiti Edge Routers to distribute malware and maintain command-and-control (C2) operations. However, after a U.S.-led takedown of that botnet in early 2024, GRAPHITE shifted to using legitimate internet services, such as API endpoint testing platforms and GitHub, to stage its attacks.

GRAPHITE is capable of Stage 1 of the ICS Cyber Kill Chain. While they have not yet demonstrated disruptive ICS capabilities, their intelligence-gathering efforts suggest they could enable future cyber operations against industrial targets. Organizations involved in energy production and infrastructure, especially those linked to Ukraine, should remain vigilant against this group.

Date: Since 2023

ADVERSARY

  • Overlaps with APT28

CAPABILITIES

  • Exploitation of multiple zero-day vulnerabilities
  • OCEANMAP, HEADLACE, MASEPIE, STEELHOOK

VICTIM

  • Critical infrastructure (Energy, Oil & Natural Gas, Logistics)
  • Eastern Europe (Ukraine)
  • West Asia

INFRASTRUCTURE

  • Use of compromised SOHO routers, primarily Ubiquiti Edge Routers
  • Use of legitimate internet services (LIS), VPNs, and VPS hosting

ICS IMPACT

  • ICS Cyber Kill Chain Stage 1
  • Emphasis on credential capture operations

About Dragos Threat Intelligence

Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate nor conduct political attribution to threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’s approach to categorizing threat activity and attribution.

Dragos does not publicly describe ICS threat group technical details except in extraordinary circumstances, in order to limit tradecraft proliferation. However, full details on BAUXITE and other group tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.
