GRAPHITE
Spearphishing and credential theft for reconnaissance and espionage targeting industrial sectors.

The group initially relied on a network of compromised Ubiquiti Edge Routers to distribute malware and maintain command-and-control (C2) operations. After a U.S.-led takedown of that botnet in early 2024, however, GRAPHITE shifted to legitimate internet services, such as API endpoint testing platforms and GitHub, to stage its attacks.
GRAPHITE is capable of Stage 1 of the ICS Cyber Kill Chain. While they have not yet demonstrated disruptive ICS capabilities, their intelligence-gathering efforts suggest they could enable future cyber operations against industrial targets. Organizations involved in energy production and infrastructure, especially those linked to Ukraine, should remain vigilant against this group.
Date: Since 2023
ADVERSARY
- Overlaps with APT28
CAPABILITIES
- Exploitation of multiple zero-day vulnerabilities
- OCEANMAP, HEADLACE, MASEPIE, STEELHOOK
VICTIM
- Critical infrastructure (Energy, Oil & Natural Gas, Logistics)
- Eastern Europe (Ukraine)
- West Asia
INFRASTRUCTURE
- Use of compromised SOHO routers, primarily Ubiquiti Edge routers
- Use of legitimate internet services (LIS), VPN, VPS
ICS IMPACT
- ICS Cyber Kill Chain Stage 1
- Emphasis on Credential Capture Operations