Threat Group Cards: A Threat Actor Encyclopedia

APT group: TEMP.Veles

Names: TEMP.Veles (FireEye), Xenotime (Dragos), ATK 91 (Thales)

Country: Russia

Sponsor: State-sponsored, Central Scientific Research Institute of Chemistry and Mechanics

Motivation: Sabotage and destruction

First seen: 2014

Description: TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.

Observed:
Sectors: Critical infrastructure, Energy, Manufacturing, Oil and gas.
Countries: Saudi Arabia, USA and others.

Tools used: Cryptcat, Mimikatz, NetExec, PsExec, SecHack, Triton, Wii.

Operations performed:

2014: TRISIS malware
<https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/>

2017: TRITON malware
<https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html>
<https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html>

Feb 2019: The most dangerous threat to ICS has new targets in its sights. Dragos identified the Xenotime activity group expanded its targeting beyond oil and gas to the electric utility sector. This expansion to a new vertical illustrates a trend that will likely continue for other ICS-targeting adversaries.
<https://dragos.com/blog/industry-news/threat-proliferation-in-ics-cybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas/>

Information:
<https://dragos.com/resource/xenotime/>
<https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html>
<https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf>

MITRE ATT&CK: <https://attack.mitre.org/groups/G0088/>

Last change to this card: 22 April 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency