KOSTOVITE
Uses perimeter device compromise and living-off-the-land (LOTL) techniques for reconnaissance and exfiltration.

The Dragos investigation of KOSTOVITE’s target showed that KOSTOVITE reached Stage 2 of the ICS Kill Chain, with confirmed access to OT networks and devices. In March 2021, KOSTOVITE compromised the perimeter of this ICS/OT network by exploiting a zero-day vulnerability in the widely deployed remote access solution Ivanti Connect Secure, formerly known as Pulse Secure. KOSTOVITE is an adversary with significant overlaps in tactics, techniques, and procedures (TTPs) and in technical capability with the threat group known as UNC2630. UNC2630 has a history of access operations and data theft and is associated with the use of 12 malware families deployed exclusively on Ivanti VPN appliances.
KOSTOVITE used dedicated operational relay infrastructure against this target to obscure the origin of its activity, then stole legitimate account credentials and used them for the intrusion. With those stolen credentials it moved laterally and gained access to the OT environments of multiple facilities on two continents from a single ingress point. Once past the perimeter, KOSTOVITE used only the target’s organic infrastructure, meaning no tools or code brought in from outside the target’s network, to move laterally across the environment. The adversary then accessed servers the target used for monitoring and control. In the course of the investigation, Dragos analysts determined that the adversary had been active and undetected in the OT networks for at least a month.
The KOSTOVITE intrusion highlights the risks of interconnectivity between organizations. It is commonly understood that many adversary operations against ICS begin in an IT network. What is less well understood is that those operations need not begin in the target company’s own IT network: the IT networks of many integrators, suppliers, and maintenance firms connect directly to the OT networks of other companies. It is imperative for organizations to have visibility into their OT networks, since their own IT network is often only one of many points of entry available to adversaries.
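The intrusion pattern described above (one set of stolen credentials entering at a single VPN ingress and fanning out to OT hosts at several facilities using only native tooling) leaves little for signature-based detection to catch, but it does leave an authentication trail. The following is an added example, not Dragos’s code or any tooling from the KOSTOVITE investigation, of a detection that flags a single account which, from a VPN-assigned source address, reaches OT assets at two or more sites within a short window. The log format, the VPN address pool, the hostnames and the events are all constructed for illustration; the same rule applied to integrator or maintenance-firm VPN accounts covers the third-party ingress case in the preceding paragraph.

```python
"""Flag a credential fanning out from one perimeter ingress to OT hosts at
multiple facilities. Added example; not code from Dragos or the original page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption): "timestamp,user,src_ip,dst_host,site,zone"
SAMPLE_AUTH_LOG = """\
2021-03-02T01:10:05Z,svc-netadmin,10.250.0.17,hist-01.plantA.example,plantA,ot
2021-03-02T01:12:41Z,svc-netadmin,10.250.0.17,hmi-03.plantA.example,plantA,ot
2021-03-02T01:30:09Z,svc-netadmin,10.250.0.17,scada-01.plantB.example,plantB,ot
2021-03-02T02:05:55Z,svc-netadmin,10.250.0.17,eng-ws-02.siteC.example,siteC,ot
2021-03-02T08:00:00Z,jdoe,10.40.1.22,fileshare.corp.example,hq,it
2021-03-02T08:03:12Z,jdoe,10.40.1.22,mail.corp.example,hq,it
2021-03-02T09:15:00Z,ops-eng,10.20.5.9,hmi-03.plantA.example,plantA,ot
"""

# Assumption: addresses handed out by the perimeter VPN appliance live here.
VPN_POOL_PREFIXES = ("10.250.0.",)


def parse_log(text):
    """Turn the constructed CSV-style lines into event dicts with datetime stamps."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src_ip, dst_host, site, zone = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src_ip": src_ip, "dst_host": dst_host,
            "site": site, "zone": zone,
        })
    return events


def is_vpn_ingress(ip):
    """True if the source address belongs to the (assumed) VPN address pool."""
    return ip.startswith(VPN_POOL_PREFIXES)


def fan_out_alerts(events, window=timedelta(hours=2), min_sites=2):
    """Return one alert per (user, VPN source) whose OT logons touch >= min_sites
    distinct facilities inside any sliding window of the given length."""
    by_key = defaultdict(list)
    for e in events:
        if e["zone"] == "ot" and is_vpn_ingress(e["src_ip"]):
            by_key[(e["user"], e["src_ip"])].append(e)

    alerts = []
    for (user, src_ip), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        best = None  # widest site spread seen in any window for this key
        for i, start in enumerate(evs):
            sites, hosts, last = set(), set(), start["ts"]
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                sites.add(e["site"])
                hosts.add(e["dst_host"])
                last = e["ts"]
            if best is None or len(sites) > len(best["sites"]):
                best = {"user": user, "src_ip": src_ip,
                        "sites": sorted(sites), "hosts": sorted(hosts),
                        "first": start["ts"].isoformat(), "last": last.isoformat()}
        if best and len(best["sites"]) >= min_sites:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in fan_out_alerts(parse_log(SAMPLE_AUTH_LOG)):
        print(f"ALERT {a['user']} from {a['src_ip']} reached {len(a['hosts'])} OT hosts "
              f"at sites {a['sites']} between {a['first']} and {a['last']}")
```

Only the administrative account arriving through the VPN pool and touching OT assets at three facilities within an hour is raised; the IT-only user and the engineer working a single site from an internal address are not. Tuning `window` and `min_sites` to how many sites a legitimate administrator normally touches in one session is the main false-positive control, and the rule relies on OT authentication events actually being collected, which is the visibility gap the paragraph above is about.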
Date: Since 2021
ADVERSARY
- High level of operational discipline & network device knowledge
- Lives off the land with stolen system and network administrator credentials
CAPABILITIES
- Zero-day exploits
- Pulse Secure PCS
- QNAP
VICTIM
- Global renewable energy company
INFRASTRUCTURE
- Dedicated per target
- Compromised home and small business QNAP NAS devices exposed to internet
- Commercial Ivanti VPN appliances
ICS IMPACT
- Stage 2 of ICS Kill Chain
- Intrusion into OT networks and devices