STIBNITE
Compromises IT networks through insecure VPN access and uses that foothold for reconnaissance.
STIBNITE uses spearphishing to deliver a custom malware family known as PoetRAT. Dragos analysis shows PoetRAT evolving across STIBNITE's campaigns: later variants add measures to evade detection and pare the core functionality down to a simpler set of features. Dragos also identified overlap in the network infrastructure used across STIBNITE campaigns. PoetRAT supports a complete Stage 1 operation (intrusion into and reconnaissance of the IT network, not an ICS-specific attack) as defined by the ICS Cyber Kill Chain.
Date: Since 2019
- Associations: No associations with known activity
- Capabilities: Malicious document files; credential theft websites; LaZagne; PoetRAT framework
- Victimology: Wind generation; Azerbaijan
- Infrastructure: Spoofed domains for government and technology entities; adversary-owned and operated infrastructure; extensive use of dynamic DNS providers
- Objectives: Access development, information gathering, further operations within the electric sector
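Two of the infrastructure traits above, spoofed government/technology domains and heavy use of dynamic DNS providers, translate directly into a DNS-log hunt. The following is an added example written for this page; it is not Dragos code and contains no STIBNITE indicators. The dynamic DNS suffix list is a generic watchlist assumed for illustration, the protected domains are fictional (`.example`), and the log lines are constructed in a simple `timestamp client queried_name` shape.

```python
import re

# Assumed watchlists for this example (not indicators published by Dragos):
# common dynamic DNS provider suffixes, and the fictional organisation domains
# this hypothetical defender wants to protect from lookalike spoofing.
DDNS_SUFFIXES = (
    "duckdns.org", "no-ip.org", "no-ip.com", "ddns.net",
    "hopto.org", "dynu.com", "dyndns.org", "myftp.org",
)
PROTECTED_DOMAINS = ("ministry-of-energy.example", "techvendor.example")

# Constructed sample DNS query log: "<timestamp> <client_ip> <queried_name>".
SAMPLE_LOG = """\
2020-04-10T09:12:01Z 10.0.5.23 www.ministry-of-energy.example
2020-04-10T09:12:07Z 10.0.5.23 updates.techvendor.example
2020-04-10T09:13:44Z 10.0.5.41 portal.rninistry-of-energy.example
2020-04-10T09:14:02Z 10.0.5.41 techvendor-login.duckdns.org
2020-04-10T09:15:19Z 10.0.5.88 sync-service.duckdns.org
2020-04-10T09:16:30Z 10.0.5.88 cdn.legit-vendor.com
2020-04-10T09:17:05Z 10.0.5.23 techvendor.co
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_under(name, domain):
    """True if name equals domain or is a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def classify(qname):
    """Return a sorted list of reasons a queried name looks suspicious ([] if none)."""
    name = qname.lower().rstrip(".")
    if any(is_under(name, d) for d in PROTECTED_DOMAINS):
        return []  # traffic to the genuine protected domain is expected
    reasons = set()
    if any(is_under(name, s) for s in DDNS_SUFFIXES):
        reasons.add("dynamic_dns")
    labels = name.split(".")
    for protected in PROTECTED_DOMAINS:
        brand = protected.split(".")[0]
        if len(brand) < 5:
            continue  # short brands produce too many near-miss false positives
        for label in labels:
            # Exact brand in a foreign domain (TLD swap, brand on a DDNS host)
            # or a near-miss typo/homoglyph-style spelling of the brand.
            if brand in label or levenshtein(label, brand) <= 2:
                reasons.add("spoof_of:" + protected)
    return sorted(reasons)


def scan_log(text):
    """Yield (client, queried_name, reasons) for every suspicious query in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected shape
        reasons = classify(m["qname"])
        if reasons:
            hits.append((m["client"], m["qname"].lower().rstrip("."), reasons))
    return hits


if __name__ == "__main__":
    for client, qname, reasons in scan_log(SAMPLE_LOG):
        print(f"{client:12} {qname:40} {', '.join(reasons)}")
```

Treat the output as hunting leads rather than blocking rules: dynamic DNS has legitimate users, and an edit-distance threshold of two will still mis-fire on brands that are short or share a common word, which is why the check skips brands under five characters. A hit becomes worth escalating when the same client also shows the other traits in this profile, such as a document-borne payload or LaZagne-style credential dumping.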