STIBNITE targeted wind generation organizations and government entities in Azerbaijan from late 2019 through 2020. STIBNITE leverages spearphishing to drop a custom malware known as PoetRAT. Dragos analysis shows that PoetRAT evolved across STIBNITE’s campaigns, both to evade detection and to adopt a simpler core functionality. Dragos also discovered network infrastructure overlap between STIBNITE campaigns. PoetRAT is part of a complete Stage 1 operation as defined by the ICS Cyber Kill Chain.
Dragos threat intelligence leverages the Dragos Platform, our Professional Services team, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos neither corroborates nor conducts political attribution of threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’ approach to categorizing threat activity and attribution.
Dragos does not publicly describe ICS activity group technical details except in extraordinary circumstances, in order to limit tradecraft proliferation. However, full details on STIBNITE and other groups’ tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.