STIBNITE
Compromises IT networks via insecure VPNs to conduct reconnaissance activities.

STIBNITE leverages spearphishing to drop a custom malware known as PoetRAT. Dragos analysis of PoetRAT shows that it evolved over STIBNITE’s campaigns, both to evade detection and to reduce its core functionality to a simpler set of features. Dragos also discovered network infrastructure overlap between STIBNITE campaigns. PoetRAT is part of a complete Stage 1 operation as defined by the ICS Cyber Kill Chain.
Date: Since 2019
ADVERSARY
- No associations with known activity
CAPABILITIES
- Malicious document files; credential theft websites; LaZagne; PoetRAT framework
VICTIM
- Wind Generation
- Azerbaijan
INFRASTRUCTURE
- Spoofed domains for government, technology entities
- Adversary-owned & operated infrastructure; Extensive use of dynamic DNS providers
ICS IMPACT
- Access development, information gathering, further operations within the electric sector