Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 15:31:37 UTC

APT group: TEMP.Veles

Names: TEMP.Veles (FireEye), Xenotime (Dragos), ATK 91 (Thales), G0088 (MITRE)
Country: Russia
Sponsor: State-sponsored, Central Scientific Research Institute of Chemistry and Mechanics
Motivation: Sabotage and destruction
First seen: 2014

Description: TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.

Observed:
  Sectors: Critical infrastructure, Energy, Manufacturing, Oil and gas.
  Countries: Saudi Arabia, USA and others.

Tools used: Cryptcat, Mimikatz, NetExec, PsExec, SecHack, Triton, Wii.

Operations performed:
  2014: TRISIS malware
  2017: TRITON malware
  Feb 2019: The most dangerous threat to ICS has new targets in its sights. Dragos identified the Xenotime activity group expanded its targeting beyond oil and gas to the electric utility sector. This expansion to a new vertical illustrates a trend that will likely continue for other ICS-targeting adversaries.
    cybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas/>

Counter operations:
  Oct 2020: US Treasury sanctions Russian research institute behind Triton malware
  Mar 2022: DOJ unseals indictments of four Russian gov’t officials for cyberattacks on energy companies

Information: MITRE ATT&CK

Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ea108a02-eb3a-4e08-be7b-bd164fc5c220