In March of 2021, the activity group KOSTOVITE compromised a renewable energy operator. Dragos deployed a team of investigators to analyze the intrusion and determined that the organization was not an opportunistic target. This narrative is the background behind the investigation and successful remediation and recovery following the purposefully executed intrusion by the activity group Dragos now tracks as KOSTOVITE.
The Dragos investigation for KOSTOVITE’s target showed that KOSTOVITE reached Stage 2 of ICS Kill Chain capabilities with confirmed access into the OT networks and devices. In March 2021, when KOSTOVITE compromised the perimeter of this ICS/OT network, it exploited a zero-day vulnerability in the popular remote access solution Ivanti Connect Secure, formerly known as Pulse Secure. KOSTOVITE is an adversary with significant tactics, techniques, and procedures (TTP) and technical overlaps with the threat group known as UNC2630. UNC2630 is a group with a history of access operations and data theft and is associated with the use of 12 malware families deployed exclusively on Ivanti VPN appliances.
KOSTOVITE used dedicated operational relay infrastructure against this target to obfuscate the origin of its activities and then stole and used legitimate account credentials for its intrusion. KOSTOVITE then used the stolen account information to move laterally and gain access to the OT environments of multiple facilities on two continents from the one single ingress location. Once past the perimeter ingress, KOSTOVITE used only what is referred to as the target’s organic infrastructure, meaning no tools or code from outside the target’s network, to move laterally across target infrastructure. This adversary then accessed servers used by the target for monitoring and control. In the course of the investigation, the Dragos analysts determined the adversary had been undetected and active in the OT networks for at least a month.
The KOSTOVITE intrusion highlights the risks of interconnectivity between organizations. It is commonly understood that many ICS operations begin in an IT network. However, what is not as well understood by the community is that those operations do not need to begin in the target company’s IT networks. The IT networks of many integrators, suppliers, and maintenance firms directly connect to OT networks of other companies. It is imperative for organizations to have visibility into their OT networks as simply protecting their IT networks is often only one of many points of entry available to adversaries.
Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide.
Dragos does not corroborate nor conduct political attribution to threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’ approach to categorizing threat activity and attribution.
Dragos does not publicly describe ICS activity group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on KOSTOVITE and other group tools, techniques, procedures, and infrastructure is available to network defenders via Dragos WorldView.