Dragos is currently tracking a new Stage 1 ICS Cyber Kill Chain adversary identified as PETROVITE. PETROVITE demonstrates Stage 1 capabilities of the ICS Cyber Kill Chain and targets mining and energy operations in Kazakhstan.
PETROVITE Threat Group Operations
The overlaps with other activity groups (AGs) and consistent capability development could lead to more targeted ICS incidents beyond general system reconnaissance and collection. While Dragos cannot connect PETROVITE to any known disruptive event, the group remains active and continues to display an interest in collection on ICS/OT systems and networks.
Dragos is aware of targeted operations that started during the third quarter of 2019 and have intermittently continued throughout 2021. Campaigns during 2019 used compromised legitimate infrastructure in Kazakhstan, whereas campaigns during 2021 focused on compromising legitimate infrastructure in other parts of the world.
About Dragos Threat Intelligence
Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide.
Dragos neither corroborates nor conducts political attribution of threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’ approach to categorizing threat activity and attribution.
Dragos does not publicly describe ICS activity group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on PETROVITE and other group tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.