VANADINITE conducted extensive initial access campaigns largely focused on industrial entities in 2019. Linked to groups known as Winnti, APT41, and LEAD, VANADINITE exploited vulnerabilities in external-facing network and security devices to gain access to victim networks. Indictments published by the United States (U.S.) Department of Justice associate activities linked to VANADINITE with operators working on behalf of the People’s Republic of China (PRC).

VANADINITE Threat Group Operations

VANADINITE targets energy, manufacturing, and government and educational organizations. Its targeting is geographically broad and includes activity in North America, Europe, and possibly Asia and Australia.

VANADINITE has some overlap with a group called Winnti. However, Winnti activity is expansive and poorly defined in open-source reporting. The group has considerable overlap with the group Microsoft calls LEAD, a subset of Winnti activity.

VANADINITE activity is limited to Stage 1, initial access, and is not observed to have ICS-specific capabilities.

About Dragos Threat Intelligence

Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate nor conduct political attribution to threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’ approach to categorizing threat activity and attribution.

Dragos does not publicly describe ICS activity group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on VANADINITE and other group tools, techniques, procedures, and infrastructure is available to network defenders via Dragos WorldView.