STIBNITE

Compromises IT networks via insecure VPNs to conduct reconnaissance activities.

Threat Group: Stibnite
THREAT DESCRIPTION
STIBNITE targeted wind generation organizations and government entities in Azerbaijan from late 2019 through 2020.

STIBNITE leverages spearphishing to drop a custom malware known as PoetRAT. Dragos analysis of PoetRAT observed it evolving across STIBNITE’s campaigns to evade detection and to adopt a simpler core functionality. Dragos also discovered network infrastructure overlap between STIBNITE campaigns. PoetRAT is part of a complete Stage 1 operation as defined by the ICS Cyber Kill Chain.

Date: Since 2019

ADVERSARY

  • No associations with known activity

CAPABILITIES

  • Malicious document files; credential theft websites; LaZagne; PoetRAT framework

VICTIM

  • Wind Generation
  • Azerbaijan

INFRASTRUCTURE

  • Spoofed domains for government and technology entities
  • Adversary-owned and operated infrastructure; extensive use of dynamic DNS providers

ICS IMPACT

  • Access development, information gathering, further operations within the electric sector
About Dragos Threat Intelligence

Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos neither corroborates nor conducts political attribution of threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’s approach to categorizing threat activity and attribution.

Dragos does not publicly describe ICS threat group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on BAUXITE and other group tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.
