SYLVANITE
Operates at scale to compromise internet-facing industrial systems and hand off access to Stage 2 threat groups, including VOLTZITE.
SYLVANITE’s primary role is access development. The group does not pursue OT disruption directly, but instead hands established footholds to more capable Stage 2 adversaries. Dragos has directly observed SYLVANITE transferring access to VOLTZITE, a group with a demonstrated history of stealing OT data and manipulating industrial systems. Defenders should treat a SYLVANITE compromise as the leading edge of a more capable intrusion. The handoff can occur within days of initial access, making rapid detection and containment at the perimeter the most effective defensive posture.
Date: Since 2023
- Overlaps with UNC5221, UNC5174, UNC5291, UNC3236, HOUKEN, Red Dev 61, CL-STA-0048, UTA0178
- Multiple entities assessed to work under the same overarching direction
- Assessed intent is initial access and credential theft passed to other threat groups, including VOLTZITE
- N-day exploitation of internet-facing products from F5, Ivanti, SAP, and ConnectWise
- Web shells: Godzilla, LIGHTWIRE, WIREFIRE
- Cobalt Strike, Sliver, Supershell C2 frameworks; Fast Reverse Proxy (FRP) tunneling
- Credential harvesting from backend databases (LDAP data, Office 365 tokens)
- Extracts data from compromised devices and hands off to more capable Stage 2 adversaries, including VOLTZITE
- Targets electric power generation, transmission and distribution; water and wastewater; oil and gas; manufacturing; and public administration
- Regional focus: North America, United Kingdom, Europe, Japan, South Korea, Guam, the Philippines, and Saudi Arabia
- Operates from Virtual Private Servers (VPS) and compromised SOHO routers
- Favors Vultr, Linode, Kaopu Cloud, Forewin Telecom Group, and BGP Network Ltd providers
- Large-scale initial access operations enabling credential theft and VPN exploitation
- Sustained access handed to Stage 2 adversaries for follow-on ICS-focused campaigns
- Port scanning activity can cause denial-of-service conditions on OT devices
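Two of the behaviours in this profile leave traces in perimeter firewall logs: an internet-facing appliance opening reverse tunnels or C2 sessions to an outside host on a port it has no business using, and that same foothold sweeping many hosts or ports in OT ranges (the scanning that can tip fragile OT devices into denial of service). The script below is an added illustration of how a defender can hunt for both over connection logs; it is not Dragos tooling and contains no SYLVANITE indicators. The network layout, the log format, every address and every log line are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
"""
Constructed hunt heuristics over firewall connection logs, illustrating two
behaviours attributed to SYLVANITE: (1) an edge appliance calling out to the
internet on non-allow-listed ports (possible C2 or FRP tunnel) and (2) a
single source touching many OT hosts/ports in a short window (scanning that
can disrupt OT devices). All addresses, hosts and log lines are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed environment (constructed): adjust to your own network.
EDGE_APPLIANCES = {"10.0.0.5"}             # internal address of the VPN/edge appliance
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # anything else is "the internet"
OT_SUBNETS = [ip_network("10.50.0.0/16")]   # ICS/SCADA ranges
ALLOWED_EDGE_EGRESS = {443}                 # ports the appliance legitimately calls out on

# Constructed log format: "<ISO time> <src_ip> <dst_ip> <dst_port> <proto> <action>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.10 443 tcp allow
2024-03-01T10:00:05 10.0.0.5 198.51.100.7 7000 tcp allow
2024-03-01T10:00:09 10.0.0.5 198.51.100.7 7000 tcp allow
2024-03-01T10:01:00 10.0.0.5 10.50.1.10 502 tcp allow
2024-03-01T10:01:01 10.0.0.5 10.50.1.11 502 tcp allow
2024-03-01T10:01:02 10.0.0.5 10.50.1.12 502 tcp allow
2024-03-01T10:01:03 10.0.0.5 10.50.1.13 502 tcp allow
2024-03-01T10:01:04 10.0.0.5 10.50.1.14 502 tcp allow
2024-03-01T10:01:05 10.0.0.5 10.50.1.15 502 tcp allow
2024-03-01T10:05:00 10.0.0.20 10.50.1.10 502 tcp allow
"""


def parse_log(text):
    """Turn the constructed log text into a list of connection records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or malformed lines
        ts, src, dst, port, proto, action = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "port": int(port),
            "proto": proto,
            "action": action,
        })
    return records


def is_internal(addr):
    # Explicit allow-list of internal ranges; ipaddress.is_private would also
    # treat documentation ranges such as 198.51.100.0/24 as private.
    return any(addr in net for net in INTERNAL_NETS)


def find_edge_egress_anomalies(records):
    """Edge appliance -> internet on a port outside the egress allow-list.

    Returns {(src, dst, port): connection_count}.
    """
    counts = defaultdict(int)
    for r in records:
        if str(r["src"]) not in EDGE_APPLIANCES:
            continue
        if is_internal(r["dst"]) or r["port"] in ALLOWED_EDGE_EGRESS:
            continue
        counts[(str(r["src"]), str(r["dst"]), r["port"])] += 1
    return dict(counts)


def find_ot_scans(records, window_seconds=60, threshold=5):
    """Sources that reach >= threshold distinct OT (host, port) pairs within a window.

    Returns {src: max_distinct_targets_seen_in_one_window}.
    """
    by_src = defaultdict(list)
    for r in records:
        if any(r["dst"] in net for net in OT_SUBNETS):
            by_src[str(r["src"])].append(r)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda r: r["ts"])
        for i, start in enumerate(events):
            limit = start["ts"] + timedelta(seconds=window_seconds)
            targets = {(r["dst"], r["port"]) for r in events[i:] if r["ts"] <= limit}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in find_edge_egress_anomalies(recs).items():
        print(f"edge egress anomaly: {key[0]} -> {key[1]}:{key[2]} ({n} connections)")
    for src, n in find_ot_scans(recs).items():
        print(f"possible OT scan from {src}: {n} distinct host/port targets in 60s")
```

Run against the constructed sample, the first check flags the appliance's repeated connections to an outside host on port 7000 while leaving its 443 traffic alone, and the second flags the appliance sweeping six Modbus endpoints in a few seconds while the single HMI-to-PLC poll from 10.0.0.20 stays below threshold. The point of the second check is as much about safety as detection: any alert on scanning into OT ranges is a reason to contain the source at the perimeter before the Stage 2 handoff the profile describes, not to launch your own confirmatory scans against the same devices.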