PETROVITE

Employs spearphishing and backdoor capabilities for initial access, reconnaissance, C2.

Threat Group: Petrovite
THREAT DESCRIPTION
Dragos is currently tracking a new Stage 1 ICS Cyber Kill Chain adversary identified as PETROVITE. PETROVITE demonstrates Stage 1 ICS Cyber Kill Chain capabilities and targets mining and energy operations in Kazakhstan.

Its overlaps with other activity groups (AGs) and its consistent capability development could lead to more targeted ICS incidents beyond general system reconnaissance and collection. While Dragos cannot connect PETROVITE to any known disruptive event, the group remains active and continues to display an interest in collection on ICS/OT systems and networks.

Dragos is aware of targeted operations that started during the third quarter of 2019 and have intermittently continued throughout 2021. Campaigns during 2019 used compromised legitimate infrastructure in Kazakhstan, whereas campaigns during 2021 focused on compromising legitimate infrastructure in other parts of the world.

Date: Since 2019

ADVERSARY

  • Overlaps with KAMACITE and FANCY BEAR activity

CAPABILITIES

  • Tailored spearphishing documents
  • ZEBROCY: backdoor providing system reconnaissance and collection capability

VICTIM

  • Eurasian Resources Group business units located in Kazakhstan
  • Mining and energy operations and critical manufacturing in Kazakhstan and Central Asia
  • Interest in collection on ICS/OT systems and networks

INFRASTRUCTURE

  • Legitimate, compromised third-party infrastructure
  • Often WordPress servers
  • Has compromised servers in the victim country, Kazakhstan

ICS IMPACT

  • Stage 1 of ICS Kill Chain
  • Delivery, Installation, Command and Control, Action on Objectives
About Dragos Threat Intelligence

Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate or conduct political attribution of threat activity; it instead focuses on threat behaviors and appropriate detection and response.

Dragos does not publicly describe ICS threat group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on BAUXITE and other group tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.
