TALONITE
Spearphishing with malicious documents or executables for initial access compromise.

TALONITE focuses on subverting and exploiting trust: phishing lures built around engineering-specific themes and concepts, malware that abuses legitimate binaries or modifies them to include additional functionality, and a mix of adversary-owned and compromised network infrastructure.
TALONITE activity is difficult to track and contain given the group’s propensity to blend techniques and tactics to ensure a successful intrusion. Although there is behavioral overlap between TALONITE and the Chinese state-sponsored group, APT10, Dragos cannot definitively link these two groups.
Date: Since 2019
ADVERSARY
- Behavioral overlaps with APT10
CAPABILITIES
- Phishing with malicious attachments
- Custom malware leveraging LookBack, FlowCloud
VICTIM
- Electric Utilities
- US, Japan, Taiwan
INFRASTRUCTURE
- Combinations of adversary-owned & compromised infrastructure
- Almost exclusively based in East Asia
ICS IMPACT
- Operations focus on U.S. electric utilities: initial access, information gathering, and enabling further operations within the electric sector