VANADINITE

Targets vulnerable external-facing network appliances to access IT networks and establish foothold.

Threat Group: Vanadinite
THREAT DESCRIPTION
VANADINITE conducted extensive initial access campaigns largely focused on industrial entities in 2019. Linked to groups known as Winnti, APT41, and LEAD, VANADINITE exploited vulnerabilities in external-facing network and security devices to gain access to victim networks. Indictments published by the United States (U.S.) Department of Justice associate activities linked to VANADINITE with operators working on behalf of the People’s Republic of China (PRC).

VANADINITE targets energy, manufacturing, and government and educational organizations. Its targeting is geographically broad and includes activity in North America, Europe, and possibly Asia and Australia.

VANADINITE has some overlap with a group called Winnti. However, Winnti activity is expansive and poorly defined in open-source reporting. The group has considerable overlap with the group Microsoft calls LEAD, a subset of Winnti activity.

VANADINITE activity is limited to Stage 1, initial access, and is not observed to have ICS-specific capabilities.

Date: Since 2019

ADVERSARY

  • Linked to broader Winnti-related activity
  • Associated with People’s Republic of China by U.S. government

CAPABILITIES

  • Use of publicly-available exploits
  • Metasploit and Cobalt Strike use in Windows environments
  • Non-public malware, linked to other Winnti entities in Linux and other environments

VICTIM

  • Activity targeting manufacturing, energy, and various government and educational institutions
  • Observed actions in North America, Europe, and possibly Australia and Asia

INFRASTRUCTURE

  • Mixed infrastructure largely relying on Virtual Private Server (VPS) hosting in Asia and North America
  • Extensive use of Choopa/Vultr Holdings hosting services

ICS IMPACT

  • Target and access development against electric, oil and gas, manufacturing, telecommunications, transportation
Explore Threat Groups
About Dragos Threat Intelligence

Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate nor conduct political attribution to threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’s approach to categorizing threat activity and attribution.

Dragos does not publicly describe ICS threat group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on BAUXITE and other group tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.

Take the next step to protect your ICS environment now with a free demo.