STIBNITE
Compromises IT networks via insecure VPNs to conduct reconnaissance activities.
THREAT DESCRIPTION
STIBNITE targeted wind generation organizations and government entities in Azerbaijan from late 2019 through 2020.
STIBNITE leverages spearphishing to drop a custom malware known as PoetRAT. Dragos analysis of PoetRAT saw evolution, over STIBNITE’s campaigns, to evade detections and to include a more simplistic core functionality. Dragos also discovered network infrastructure overlap between STIBNITE campaigns. PoetRAT is part of a complete Stage 1 operation as defined by ICS Cyber Kill Chain.
STIBNITE leverages spearphishing to drop a custom malware known as PoetRAT. Dragos analysis of PoetRAT saw evolution, over STIBNITE’s campaigns, to evade detections and to include a more simplistic core functionality. Dragos also discovered network infrastructure overlap between STIBNITE campaigns. PoetRAT is part of a complete Stage 1 operation as defined by ICS Cyber Kill Chain.
Date: Since 2019
ADVERSARY
- No associations with known activity
CAPABILITIES
- Malicious document files; credential theft websites; LaZagne; PoetRAT framework
VICTIM
- Wind Generation
- Azerbaijan
INFRASTRUCTURE
- Spoofed domains for government, technology entities
- Adversary-owned & operated infrastructure; Extensive use of dynamic DNS providers
ICS IMPACT
- Access development, information gathering, further operations within the electric sector
