PETROVITE
Employs spearphishing and backdoor capabilities for initial access, reconnaissance, and C2.

The overlaps with other activity groups (AGs) and the group's consistent capability development could lead to more targeted ICS incidents beyond general system reconnaissance and collection. While Dragos cannot connect PETROVITE to any known disruptive event, the group remains active and continues to display an interest in collection on ICS/OT systems and networks.
Dragos is aware of targeted operations that started during the third quarter of 2019 and have intermittently continued throughout 2021. Campaigns during 2019 used compromised legitimate infrastructure in Kazakhstan, whereas campaigns during 2021 focused on compromising legitimate infrastructure in other parts of the world.
Date: Since 2019
ADVERSARY
- Overlaps with KAMACITE and FANCY BEAR activity
CAPABILITIES
- Tailored spearphishing documents
- ZEBROCY: backdoor providing system reconnaissance and collection capability
VICTIM
- Eurasian Resources Group business units located in Kazakhstan
- Mining and energy operations and critical manufacturing in Kazakhstan and Central Asia
- Interest in collection on ICS/OT systems and networks
INFRASTRUCTURE
- Legitimate, compromised third-party infrastructure
- Often WordPress servers
- Has compromised servers in the victim country of Kazakhstan
ICS IMPACT
- Stage 1 of ICS Kill Chain
- Delivery, Installation, Command and Control, Action on Objectives