MAGNALLIUM
Relies on phishing campaigns, password spraying, and malware delivery for initial access and reconnaissance.

MAGNALLIUM initially had a narrow focus, including Saudi Arabian energy firms and an aircraft holding company. In 2018, MAGNALLIUM’s victimology expanded to additional targets, including entities in Europe and North America. As a result of operations against these Saudi-linked firms, MAGNALLIUM operations touched other entities in joint-ventures or similar arrangements outside the region, such as an aerospace company in the United States and petrochemical firms in South Korea.
MAGNALLIUM used phishing emails to gain access to victims’ machines. The lures were built from publicly available job postings to produce targeted, career-themed spearphishing messages. Publicly available phishing kits were used to construct the emails’ contents, and the group leveraged variants of the StoneDrill wiper and the TURNEDUP malware family. In 2018 the group transitioned to PowerShell-based post-exploitation tools.
The group remains focused on preliminary information gathering and access operations that could support a future attack against ICS-related organizations. Though concerning, Dragos primarily identifies MAGNALLIUM activity focused on the Gulf region, with little indication of operations outside this area. This group’s activity overlaps with what FireEye has labeled APT33.
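Password spraying, listed above as one of MAGNALLIUM’s access techniques, leaves a distinctive pattern in authentication logs: one source tries a few passwords against many accounts, rather than many passwords against one. The following detector is an added example for this profile, not Dragos tooling and not anything attributed to MAGNALLIUM; the log format (`timestamp user result source_ip`), the sample lines, and the thresholds (10-minute window, at least 5 distinct accounts, no account hit more than twice) are assumptions chosen for illustration.

```python
"""Spray detector over a simple auth log (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log, not real data. Assumed format: "ts user OK|FAIL src_ip".
# 203.0.113.7 sprays six accounts and later succeeds on one; 198.51.100.9 is a
# single-account brute force (not a spray); 192.0.2.5 is ordinary user activity.
SAMPLE_LOG = """\
2018-03-01T08:00:01 alice FAIL 203.0.113.7
2018-03-01T08:00:04 bob FAIL 203.0.113.7
2018-03-01T08:00:07 carol FAIL 203.0.113.7
2018-03-01T08:00:10 dave FAIL 203.0.113.7
2018-03-01T08:00:13 erin FAIL 203.0.113.7
2018-03-01T08:00:16 frank FAIL 203.0.113.7
2018-03-01T08:31:02 frank OK 203.0.113.7
2018-03-01T09:10:00 admin FAIL 198.51.100.9
2018-03-01T09:10:01 admin FAIL 198.51.100.9
2018-03-01T09:10:02 admin FAIL 198.51.100.9
2018-03-01T09:10:03 admin FAIL 198.51.100.9
2018-03-01T09:10:04 admin FAIL 198.51.100.9
2018-03-01T09:10:05 admin FAIL 198.51.100.9
2018-03-01T09:30:00 alice OK 192.0.2.5
2018-03-01T09:31:00 bob FAIL 192.0.2.5
2018-03-01T09:31:20 bob OK 192.0.2.5
"""


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    success: bool
    src: str


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the assumed four-field format; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, result, src = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), user, result == "OK", src))
    return events


def detect_spray(events: List[AuthEvent],
                 window: timedelta = timedelta(minutes=10),
                 min_accounts: int = 5,
                 max_per_account: int = 2) -> Dict[str, Dict[str, List[str]]]:
    """Flag sources whose failures, inside any sliding `window`, cover at least
    `min_accounts` distinct accounts with no account failing more than
    `max_per_account` times. That "wide and shallow" shape is the spray
    signature; a brute force against one account never satisfies it.
    Returns {src: {"targeted": [...], "succeeded": [...]}} where "succeeded"
    lists accounts that later authenticated from the same source (triage list).
    """
    fails_by_src: Dict[str, List[AuthEvent]] = defaultdict(list)
    ok_by_src: Dict[str, set] = defaultdict(set)
    for e in events:
        (ok_by_src[e.src].add(e.user) if e.success else fails_by_src[e.src].append(e))

    findings = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e.ts)
        targeted: set = set()
        start = 0
        for end in range(len(fails)):
            # Advance the window start so fails[start:end+1] spans <= window.
            while fails[end].ts - fails[start].ts > window:
                start += 1
            counts: Dict[str, int] = defaultdict(int)
            for e in fails[start:end + 1]:
                counts[e.user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                targeted.update(counts)
        if targeted:
            findings[src] = {
                "targeted": sorted(targeted),
                "succeeded": sorted(ok_by_src[src] & targeted),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {len(info['targeted'])} accounts; "
              f"later logged in as {info['succeeded'] or 'none'}")
```

The thresholds are deliberately loose so the logic is readable; in practice tune them against a baseline of the environment’s own failed-logon rate, and feed the `succeeded` list straight into incident triage, since a spray that lands one valid credential is exactly the access operation this profile describes.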
Date: Since 2017
ADVERSARY
- Espionage group with ICS industry focus.
- Links to APT33
CAPABILITIES
- Nondestructive variant of StoneDrill malware. Shifted to PowerShell for post-exploitation in 2018.
VICTIM
- Petrochemical, Oil & Gas, Aerospace, Electric
- Saudi Arabia, Europe, North America, South Korea
INFRASTRUCTURE
- Registers own infrastructure
- Spoofs victim organizations and generic IT themes
ICS IMPACT
- Destructive wiper malware used in IT environments could be turned against control system networks; the group is likely developing tools for operations environments