TEMP.Veles

XENOTIME, also tracked as TEMP.Veles, is a Russia-linked threat actor associated with the Triton malware, also known as TRISIS and HatMan, used in the 2017 attack on a Middle Eastern oil and gas facility targeting Schneider Electric Triconex safety instrumented systems. The content states that the U.S. Treasury sanctioned the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) for connections to Triton, and that reporting linked TEMP.Veles and the TRITON intrusion to this Russian government-owned research institute. XENOTIME has been described as a highly capable and dangerous ICS-focused activity group. The group is known for targeting industrial environments. Beyond the 2017 Triton attack, Dragos reported reconnaissance and potential initial access activity against North American and APAC electric utility networks in early 2019, including activity against at least 20 U.S. electric utilities. Reported activity included reconnaissance, network scanning, vulnerability scanning, credential stuffing, and enumeration of remote login portals. The content also states that XENOTIME compromised several ICS vendors and manufacturers, creating a potential supply chain threat. Observed tradecraft attributed to TEMP.Veles/XENOTIME in campaign C0032 and the Triton Safety Instrumented System Attack includes use of PowerShell, including WMImplant and PowerShell-based timestomping; modification of NTFS $STANDARD_INFORMATION timestamps on tools; use of Mimikatz, PsExec, and a custom credential-harvesting tool named SecHack; use of scheduled tasks defined in XML files and scheduled task XML triggers; use of RDP throughout operations; use of compromised VPN accounts and VPN access for persistence; use of VPS infrastructure; use of encrypted SSH-based tunnels for tool transfer and remote command execution; use of cryptcat binaries to encrypt traffic; deletion of tools, logs, and other files for cleanup; and command-and-control port/protocol mismatches on ports 443, 4444, 8531, and 50501.