VANADINITE
Targets vulnerable external-facing network appliances to access IT networks and establish foothold.

VANADINITE targets energy, manufacturing, and government and educational organizations. Its targeting is geographically broad and includes activity in North America, Europe, and possibly Asia and Australia.
VANADINITE has some overlap with a group called Winnti. However, Winnti activity is expansive and poorly defined in open-source reporting. VANADINITE has considerable overlap with the group Microsoft calls LEAD, a subset of Winnti activity.
VANADINITE activity is limited to Stage 1, initial access, and has not been observed to include ICS-specific capabilities.
Date: Since 2019
ADVERSARY
- Linked to broader Winnti-related activity
- Associated with People’s Republic of China by U.S. government
CAPABILITIES
- Use of publicly available exploits
- Metasploit and Cobalt Strike use in Windows environments
- Non-public malware, linked to other Winnti entities in Linux and other environments
VICTIM
- Activity targeting manufacturing, energy, and various government and educational institutions
- Observed actions in North America, Europe, and possibly Australia and Asia
INFRASTRUCTURE
- Mixed infrastructure largely relying on Virtual Private Server (VPS) hosting in Asia and North America
- Extensive use of Choopa/Vultr Holdings hosting services
ICS IMPACT
- Target and access development against electric, oil and gas, manufacturing, telecommunications, transportation