{
	"id": "7fe45c2c-0a4a-4ba6-a086-89199967c9bb",
	"created_at": "2026-04-06T00:11:11.87456Z",
	"updated_at": "2026-04-12T02:20:58.452453Z",
	"deleted_at": null,
	"sha1_hash": "19c155f77fecf7c161dc5015757976da8adb5c4a",
	"title": "Oil-and-Gas APT Pivots to U.S. Power Plants",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63984,
	"plain_text": "Oil-and-Gas APT Pivots to U.S. Power Plants\r\nBy Tara Seals\r\nPublished: 2020-01-10 · Archived: 2026-04-05 13:43:59 UTC\r\nResearchers say that physically disruptive attacks aren’t imminent, but an increased focus on U.S. electrical-grid operators doesn’t bode well.\r\nA known APT group with ties to the Iran-linked APT33, dubbed Magnallium, has expanded its targeting from the global oil-and-gas industry to specifically include electric companies in North America.\r\nThat’s according to a report from Dragos, released Thursday, which noted that the discovery is part of a broader trend in which threat groups focused on critical infrastructure are branching out from a single-vertical operation to multiple industrial sectors. While that reality doesn’t necessarily threaten a physically disruptive attack, it also certainly doesn’t rule one out, the firm said.\r\n“Attacks on electric systems – like attacks on other critical infrastructure sectors – can further an adversary’s criminal, political or economic goals,” according to the report. “As adversaries and their sponsors invest more effort and money into developing effects-based operational outcomes, the risk of a disruptive or destructive attack on the electric sector – including in North America – significantly increases.”\r\nIn the same report, Dragos said that Xenotime (a.k.a. the group behind the 2017 Trisis attack, which did have physical consequences) has ramped up its activities in North America.\r\nMagnallium Comes to America\r\nDragos initially identified Magnallium’s expansion into targeting North American electric entities because of activity from a group called Parisite that cropped up in its telemetry. That group was seen targeting known VPN vulnerabilities at electric targets in the U.S.\r\nParisite, according to Dragos profiling, targets utilities, aerospace, and oil-and-gas entities. 
It uses open-source tools to compromise infrastructure and leverages known vulnerabilities for initial access.\r\n“This group has operated since at least 2017 based on infrastructure Dragos identified,” the report explained. “Parisite serves as the initial access group and enables further operations for Magnallium.”\r\nMagnallium, for its part, has targeted energy and aerospace entities since at least 2013, Dragos said, when it was seen targeting an aircraft holding company and oil-and-gas firms based in Saudi Arabia. Like the broader APT33 group, its main focus is on information-gathering rather than disrupting ICS equipment, researchers wrote in the report.\r\nhttps://threatpost.com/oil-and-gas-specialist-apt-pivots-to-u-s-power-plants/151699/\r\nPage 1 of 3\r\n“In the fall of 2019, following increasing tensions in the Middle East, Dragos identified Magnallium expanding its targeting to include electric utilities in the U.S.,” according to the analysis. “Magnallium appears to still lack an ICS-specific capability…The group remains focused on preliminary information-gathering and access operations that can be used for a future attack against ICS-related organizations.”\r\nMagnallium uses phishing emails to gain access to victims’ machines; recent campaigns involved lures crafted from publicly available job postings, the report noted. Commercial phishing kits were then used to construct the emails’ contents, usually career-related messages. The messages delivered variants of the StoneDrill wiper and the TurnedUp malware family, used to steal data, along with PowerShell-based post-exploitation tools.\r\nMore Time for Xenotime\r\nMeanwhile, Xenotime has been seen continuing to target supply chains related to electric entities in North America, Dragos said.\r\nXenotime is the firm’s name for the group behind the 2017 Trisis (aka TRITON or HatMan) malware attack on a Saudi Arabian petrochemical facility. 
That attack targeted safety systems and was designed to cause loss of life or physical damage.\r\nThe malware directly interacted with and controlled Triconex safety instrumented system (SIS) controllers, which are sold by Schneider Electric. SISes are the last line of automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire. The malware’s tampering caused this fail-safe system to trip and shut the process down (though a final-stage destructive attack never came).\r\nTRISIS remains notable because, to date, only a handful of malware families, such as the infamous Stuxnet and Industroyer/Crash Override strains, have had the ability to impact the physical process of an ICS installation. TRISIS has not appeared elsewhere since 2017, but it’s worth noting that the same malware framework showed up in a second incident last year, according to FireEye researchers.\r\nA previous analysis from Dragos found that the group had pivoted to North American targets. That activity has only continued, with the group branching out to develop expertise in hacking devices beyond Triconex controllers. This group has now compromised several ICS vendors and manufacturers, providing a potential supply-chain threat, the report noted.\r\n“Adversaries are increasingly utilizing third-party compromise as a method for affecting intended targets,” according to the report. “This attack vector enables an adversary to utilize the implicit trust between companies, suppliers or supporting entities. Dragos has observed [Xenotime] leveraging trusted relationships to infiltrate target networks. 
This includes compromising vendor networks as well as strategic web compromises.”\r\nOverall, the developments show that threats to one industrial entity are potential threats to other industrial verticals, the report concluded, with adversaries targeting multiple verticals with purposes including espionage, information gathering and potentially disruptive events.\r\n“This trend is driven by multiple variables, including an increasing investment to develop offensive capabilities specifically for ICS-targeting operations,” according to Dragos. “Attackers are obtaining the skills necessary for a cyber-physical event as greater attention is paid to ICS in general and as open-source information on industrial networks, protocols and devices becomes more widely available. Additionally, the spread of commodity IT hardware and software into operational technology networks increases the attack surface, providing ingress opportunities via techniques familiar to the adversary.”\r\nSource: https://threatpost.com/oil-and-gas-specialist-apt-pivots-to-u-s-power-plants/151699/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/oil-and-gas-specialist-apt-pivots-to-u-s-power-plants/151699/"
	],
	"report_names": [
		"151699"
	],
	"threat_actors": [
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-12T02:00:04.52603Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-12T02:00:03.63037Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-12T02:00:04.841451Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-12T02:00:04.810049Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-12T02:00:03.261351Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-12T02:00:04.517639Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-12T02:00:03.50286Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-12T02:00:03.074848Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Refined Kitten",
				"COBALT TRINITY",
				"G0064",
				"Peach Sandstorm",
				"TA451",
				"MAGNALLIUM",
				"HOLMIUM",
				"ATK35",
				"APT 33",
				"Elfin"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-12T02:00:03.313794Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"PIONEER KITTEN",
				"PARISITE",
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-12T02:00:04.370893Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-12T02:00:04.46888Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-12T02:00:04.908365Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434271,
	"ts_updated_at": 1775960458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19c155f77fecf7c161dc5015757976da8adb5c4a.pdf",
		"text": "https://archive.orkl.eu/19c155f77fecf7c161dc5015757976da8adb5c4a.txt",
		"img": "https://archive.orkl.eu/19c155f77fecf7c161dc5015757976da8adb5c4a.jpg"
	}
}