{
	"id": "551355dd-3a77-4d85-9d16-211042ff4fb7",
	"created_at": "2026-04-06T00:14:08.567605Z",
	"updated_at": "2026-04-10T03:36:24.669577Z",
	"deleted_at": null,
	"sha1_hash": "4bd0778aea2c9268cd7ffba520223691878b2ef8",
	"title": "Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 262876,
	"plain_text": "Tactics, Techniques, and Procedures of Indicted State-Sponsored\r\nRussian Cyber Actors Targeting the Energy Sector | CISA\r\nPublished: 2022-03-24 · Archived: 2026-04-05 23:08:39 UTC\r\nSummary\r\nActions to Take Today to Protect Energy Sector Networks:\r\n• Implement and ensure robust network segmentation between IT and ICS networks.\r\n• Enforce MFA to authenticate to a system.\r\n• Manage the creation of, modification of, use of—and permissions associated with—privileged accounts.\r\nThis joint Cybersecurity Advisory (CSA)—coauthored by the Cybersecurity and Infrastructure Security Agency\r\n(CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE)—provides information\r\non multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that\r\ntargeted U.S. and international Energy Sector organizations. CISA, the FBI, and DOE responded to these\r\ncampaigns with appropriate action in and around the time that they occurred. CISA, the FBI, and DOE are sharing\r\nthis information in order to highlight historical tactics, techniques, and procedures (TTPs) used by adversaries to\r\ntarget U.S. and international Energy Sector organizations.\r\nOn March 24, 2022, the U.S. Department of Justice unsealed indictments of three Russian Federal Security\r\nService (FSB) officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics\r\n(TsNIIKhM) employee for their involvement in the following intrusion campaigns against U.S. and international\r\noil refineries, nuclear facilities, and energy companies.[1]\r\nGlobal Energy Sector Intrusion Campaign, 2011 to 2018: the FSB conducted a multi-stage campaign in\r\nwhich they gained remote access to U.S. 
and international Energy Sector networks, deployed ICS-focused\r\nmalware, and collected and exfiltrated enterprise and ICS-related data.\r\nOne of the indicted FSB officers was involved in campaign activity that involved deploying Havex\r\nmalware to victim networks.\r\nThe other two indicted FSB officers were involved in activity targeting U.S. Energy Sector\r\nnetworks from 2016 through 2018.\r\nCompromise of Middle East-based Energy Sector organization with TRITON Malware, 2017:\r\nRussian cyber actors with ties to the TsNIIKhM gained access to and leveraged TRITON (also known as\r\nHatMan) malware to manipulate a foreign oil refinery’s ICS controllers. TRITON was designed to\r\nspecifically target Schneider Electric’s Triconex Tricon safety systems and is capable of disrupting those\r\nsystems. Schneider Electric has issued a patch to mitigate the risk of the TRITON malware’s attack vector;\r\nhowever, network defenders should install the patch and remain vigilant against these threat actors’ TTPs.\r\nThe indicted TsNIIKhM cyber actor is charged with attempt to access U.S. protected computer\r\nnetworks and to cause damage to an energy facility.\r\nThe indicted TsNIIKhM cyber actor was a co-conspirator in the deployment of the TRITON\r\nmalware in 2017.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 1 of 30\n\nThis CSA provides the TTPs used by indicted FSB and TsNIIKhM actors in cyber operations against the global\r\nEnergy Sector. Specifically, this advisory maps TTPs used in the global Energy Sector campaign and the\r\ncompromise of the Middle East-based Energy Sector organization to the MITRE ATT\u0026CK for Enterprise and\r\nATT\u0026CK for ICS frameworks.\r\nCISA, the FBI, and DOE assess that state-sponsored Russian cyber operations continue to pose a threat to U.S.\r\nEnergy Sector networks. 
CISA, the FBI, and DOE urge the Energy Sector and other critical infrastructure\r\norganizations to apply the recommendations listed in the Mitigations section of this advisory and Appendix A to\r\nreduce the risk of compromise.\r\nFor more information on Russian state-sponsored malicious cyber activity, see CISA's Russia Cyber Threat\r\nOverview and Advisories webpage. For more information on the threat of Russian state-sponsored malicious\r\ncyber actors to U.S. critical infrastructure as well as additional mitigation recommendations, see joint CSA\r\nUnderstanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and CISA's\r\nShields Up Technical Guidance webpage.\r\nRewards for Justice Program\r\nIf you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact\r\nthe Department of State’s (DOS) Rewards for Justice program. You may be eligible for a reward of up to $10\r\nmillion, which DOS is offering for information leading to the identification or location of any person who, while\r\nacting under the direction or control of a foreign government, participates in malicious cyber activity against U.S.\r\ncritical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact +1-202-702-7843 on\r\nWhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located\r\non the Dark Web. For more details refer to rewardsforjustice.net.\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 10, and the ATT\u0026CK for ICS\r\nframework. 
See the ATT\u0026CK for Enterprise and ATT\u0026CK for ICS frameworks for all referenced threat actor\r\ntactics and techniques.\r\nGlobal Energy Sector Intrusion Campaign, 2011 to 2018\r\nFrom at least 2011 through 2018, the FSB (also known as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly,\r\nHavex, Crouching Yeti, and Koala) conducted an intrusion campaign against international and U.S. Energy Sector\r\norganizations. The threat actor gained remote access to and deployed malware designed to collect ICS-related\r\ninformation on compromised Energy Sector networks, and exfiltrated enterprise and ICS data.\r\nBeginning in 2013 and continuing through 2014, the threat actor leveraged Havex malware on Energy Sector\r\nnetworks. The threat actor gained access to these victim networks via spearphishing emails, redirects to\r\ncompromised websites, and malicious versions of legitimate software updates on multiple ICS vendor websites.\r\nThe new software updates contained installations of Havex malware, which infected systems of users who\r\ndownloaded the compromised updates.\r\nHavex is a remote access Trojan (RAT) that communicates with a command and control (C2) server. The C2\r\nserver deploys payloads that enumerate all collected network resources and uses the Open Platform\r\nCommunications (OPC) standard to gather information about connected control systems devices and resources\r\nwithin the network. Havex allowed the actor to install additional malware and extract data, including system\r\ninformation, lists of files and installed programs, e-mail address books, and virtual private network (VPN)\r\nconfiguration files. The Havex payload can cause common OPC platforms to crash, which could cause a denial-of-service condition on applications that rely on OPC communications. 
Note: for additional information on\r\nHavex, see CISA ICS Advisory ICS Focused Malware and CISA ICS Alert ICS Focused Malware (Update A).\r\nBeginning in 2016, the threat actor began widely targeting U.S. Energy Sector networks. The actor conducted\r\nthese attacks in two stages: first targeting third-party commercial organizations (such as vendors, integrators, and\r\nsuppliers) and then targeting Energy Sector organizations. The threat actor used the compromised third-party\r\ninfrastructure to conduct spearphishing, watering hole, and supply chain attacks to harvest Energy Sector\r\ncredentials and to pivot to Energy Sector enterprise networks. After obtaining access to the U.S. Energy Sector\r\nnetworks, the actor conducted network discovery, moved laterally, gained persistence, then collected and\r\nexfiltrated information pertaining to ICS from the enterprise, and possibly operational technology (OT),\r\nenvironments. Exfiltrated information included vendor information, reference documents, ICS architecture, and\r\nlayout diagrams.\r\nFor more detailed information on FSB targeting of U.S. Energy Sector networks, see CISA Alert Russian\r\nGovernment Cyber Activity Targeting Energy Sector and Other Critical Infrastructure Sectors.\r\nRefer to Appendix A for TTPs of Havex malware and TTPs used by the actor in the 2016 to 2018 targeting of U.S.\r\nEnergy Sector networks, as well as associated mitigations.\r\nCompromise of Middle East-based Energy Sector Organization with TRITON Malware, 2017\r\nIn 2017, Russian cyber actors with ties to TsNIIKhM gained access to and manipulated a foreign oil refinery’s\r\nsafety devices. TsNIIKhM actors used TRITON malware on the ICS controllers, which resulted in the refinery\r\nshutting down for several days. 
\r\nTRITON is a custom-built, sophisticated, multi-stage malware affecting Schneider Electric’s Triconex Tricon, a\r\nsafety programmable logic controller (PLC) (also referred to as a safety instrumented system [SIS]), which\r\nmonitors industrial processes to prevent hazardous conditions. TRITON is capable of directly interacting with,\r\nremotely controlling, and compromising these safety systems. As these systems are used in a large number of\r\nenvironments, the capacity to disable, inhibit, or modify the ability of a process to fail safely could result in\r\nphysical consequences. Note: for additional information on affected products, see CISA ICS\r\nAdvisory Schneider Electric Triconex Tricon (Update B).\r\nTRITON malware affects Triconex Tricon PLCs by modifying in-memory firmware to add additional\r\nprogramming. The extra functionality allows an attacker to read/modify memory contents and execute custom\r\ncode, disabling the safety system.\r\nTRITON malware has multiple components, including a custom Python script, four Python modules, and\r\nmalicious shellcode that contains an injector and a payload. For detailed information on TRITON’s components,\r\nrefer to CISA Malware Analysis Report (MAR): HatMan: Safety System Targeted Malware (Update B).\r\nNote: the indicted TsNIIKhM cyber actor was also involved in activity targeting U.S. Energy Sector companies in\r\n2018, and other TsNIIKhM-associated actors have targeted a U.S.-based company’s facilities in an attempt to\r\naccess the company’s OT systems. To date, CISA, FBI, and DOE have no information to indicate these actors\r\nhave intentionally disrupted any U.S. Energy Sector infrastructure.\r\nRefer to Appendix A for TTPs used by TRITON as well as associated mitigations. 
\r\nMitigations\r\nEnterprise Environment\r\nCISA, the FBI, and DOE recommend Energy Sector and other critical infrastructure organizations implement the\r\nfollowing mitigations to harden their corporate enterprise network. These mitigations are tailored to combat\r\nmultiple enterprise techniques observed in these campaigns (refer to Appendix A for observed TTPs and additional\r\nmitigations).\r\nPrivileged Account Management\r\nManage the creation of, modification of, use of—and permissions associated with—privileged accounts,\r\nincluding SYSTEM and root.\r\nPassword Policies\r\nSet and enforce secure password policies for accounts.\r\nDisable or Remove Features or Programs\r\nRemove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.\r\nAudit\r\nPerform audits or scans of systems, permissions, insecure software, insecure configurations, etc., to\r\nidentify potential weaknesses.\r\nOperating System Configuration\r\nMake configuration changes related to the operating system or a common feature of the operating system\r\nthat result in system hardening against techniques.\r\nMultifactor Authentication\r\nEnforce multifactor authentication (MFA) by requiring users to provide two or more pieces of information\r\n(such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate\r\nto a system.\r\nFilter Network Traffic\r\nUse network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure\r\nsoftware on endpoints to filter network traffic.\r\nNetwork Segmentation\r\nArchitect sections of the network to isolate critical systems, functions, or resources. Use physical and\r\nlogical segmentation to prevent access to potentially sensitive systems and information. 
Use a demilitarized\r\nzone (DMZ) to contain any internet-facing services that should not be exposed from the internal network.\r\nLimit Access to Resources over the Network\r\nPrevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit\r\naccess may include use of network concentrators, Remote Desktop Protocol (RDP) gateways, etc.\r\nExecution Prevention\r\nBlock execution of code on a system through application control and/or script blocking.\r\nIndustrial Control System Environment\r\nCISA, the FBI, and DOE recommend Energy Sector and other critical infrastructure organizations implement the\r\nfollowing mitigations to harden their ICS/OT environment.\r\nNetwork Segmentation\r\nImplement and ensure robust network segmentation between IT and ICS networks to limit the ability of\r\ncyber threat actors to move laterally to ICS networks if the IT network is compromised.\r\nImplement a network topology for ICS that has multiple layers, with the most critical\r\ncommunications occurring in the most secure and reliable layer. For more information refer to\r\nNational Institute of Standards and Technology Special Publication 800-82: Guide to Industrial\r\nControl Systems (ICS) Security. Further segmentation should be applied to portions of the network\r\nthat are reliant on one another by functionality. Figure 5 on page 26 of the CISA ICS Defense in\r\nDepth Strategy document describes this architecture.\r\nUse one-way communication diodes to prevent external access, whenever possible.\r\nSet up DMZs to create a physical and logical subnetwork that acts as an intermediary for connected\r\nsecurity devices to avoid exposure.\r\nEmploy reliable network security protocols and services where feasible.\r\nConsider using virtual local area networks (VLANs) for additional network segmentation, for example, by\r\nplacing all printers in separate, dedicated VLANs and restricting users’ direct printer access. 
This same\r\nprinciple can be applied to segmentation of portions of the process for which devices are used. As an\r\nexample, systems that are only involved in the creation of one component within an assembly line that is\r\nnot directly related to another component can be on separate VLANs, which allows for identification of\r\nany unexpected communication, as well as segmentation against potential risk exposure on a larger scale.\r\nImplement perimeter security between network segments to limit the ability of cyber threat actors to move\r\nlaterally.\r\nControl traffic between network segments by using firewalls, intrusion detection systems (IDSs),\r\nand rules for filtering traffic on routers and switches.\r\nImplement network monitoring at key chokepoints—including egress points to the internet, between\r\nnetwork segments, core switch locations—and at key assets or services (e.g., remote access\r\nservices).\r\nConfigure an IDS to create alarms for any ICS traffic outside normal operations (after establishing a\r\nbaseline of normal operations and network traffic).\r\nConfigure security incident and event monitoring to monitor, analyze, and correlate event logs from\r\nacross the ICS network to identify intrusion attempts.\r\nICS Best Practices\r\nUpdate all software. 
Use a risk-based assessment strategy to determine which ICS networks, assets, and\r\nzones should participate in the patch management program.\r\nTest all patches in out-of-band testing environments before implementation into production environments.\r\nImplement application allow listing on human machine interfaces and engineering workstations.\r\nHarden software configuration on field devices, including tablets and smartphones.\r\nReplace all end-of-life software and hardware devices.\r\nDisable unused ports and services on ICS devices (after testing to ensure this will not affect ICS operation).\r\nRestrict and manage remote access software. Enforce MFA for remote access to ICS networks.\r\nConfigure encryption and security for network protocols within the ICS environment.\r\nDo not allow vendors to connect their devices to the ICS network. Use of a compromised device could\r\nintroduce malware.\r\nDisallow any devices that do not live solely on the ICS environment from communicating on the platform.\r\n‘Transient devices’ provide risk exposure to the ICS environment from malicious activity in the IT or other\r\nenvironments to which they connect.\r\nMaintain an ICS asset inventory of all hardware, software, and supporting infrastructure technologies.\r\nMaintain robust host logging on critical devices within the ICS environment, such as jump boxes, domain\r\ncontrollers, repository servers, etc. 
These logs should be aggregated into a centralized log server for review.\r\nEnsure robust physical security is in place to prevent unauthorized personnel from accessing controlled\r\nspaces that house ICS equipment.\r\nRegularly test manual controls so that critical functions can be kept running if ICS/OT networks need to be\r\ntaken offline.\r\nContact Information\r\nOrganizations can also report anomalous cyber activity and/or cyber incidents 24/7 to SayCISA@cisa.dhs.gov\r\nor by calling 1-844-Say-CISA (1-844-729-2472), and/or to the FBI via your local FBI field office or the FBI’s\r\n24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.\r\nReferences\r\n[1] https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical\r\n[2] https://collaborate.mitre.org/attackics/index.php/Software/S0003\r\n[3] https://collaborate.mitre.org/attackics/index.php/Software/S0003\r\n[4] https://collaborate.mitre.org/attackics/index.php/Software/S0013\r\nAPPENDIX A: CAMPAIGN AND MALWARE TACTICS, TECHNIQUES, AND PROCEDURES\r\nGlobal Energy Sector Campaign: Havex Malware\r\nTable 1 maps Havex’s capabilities to the ATT\u0026CK for Enterprise framework, and table 2 maps Havex’s\r\ncapabilities to the ATT\u0026CK for ICS framework. Table 1 also provides associated mitigations. For additional\r\nmitigations, refer to the Mitigations section of this advisory.\r\nTable 1: Enterprise Domain Tactics and Techniques for Havex [2]\r\nTactic Technique Use Detection/Mitigations\r\nPersistence\r\n[TA0003 ]\r\nBoot or Logon\r\nAutostart\r\nExecution:\r\nRegistry Run Keys\r\n/ Startup Folder\r\n[T1547.001 ]\r\nHavex adds Registry\r\nRun keys to achieve\r\npersistence.\r\nMonitor: monitor Registry for changes to\r\nrun keys that do not correlate with known\r\nsoftware, patch cycles, etc. Monitor the start\r\nfolder for additions or changes. 
Tools such\r\nas Sysinternals Autoruns may also be\r\nused to detect system changes that could be\r\nattempts at persistence, including listing the\r\nrun keys' Registry locations and startup\r\nfolders. Suspicious program execution as\r\nstartup programs may show up as outlier\r\nprocesses that have not been seen before\r\nwhen compared against historical data.\r\nPrivilege\r\nEscalation\r\n[TA0004 ]\r\nProcess Injection\r\n[T1055 ]\r\nNote: this technique also applies to:\r\nTactic: Defense Evasion [TA0005]\r\nHavex injects itself\r\ninto explorer.exe.\r\nBehavior Prevention on End Point: use\r\ncapabilities to prevent suspicious behavior\r\npatterns from occurring on endpoint\r\nsystems. This could include suspicious\r\nprocess, file, Application Programming\r\nInterface (API) call, etc., behavior.\r\nPrivileged Account Management: manage\r\nthe creation of, modification of, use of, and\r\npermissions associated with privileged\r\naccounts, including SYSTEM and root.\r\nDefense\r\nEvasion\r\n[TA0005 ]\r\nIndicator Removal\r\non Host: File\r\nDeletion\r\n[T1070.004 ]\r\nHavex contains a\r\ncleanup module that\r\nremoves traces of\r\nitself from victim\r\nnetworks.\r\nMonitor: monitoring for command-line\r\ndeletion functions to correlate with binaries\r\nor other files that an adversary may drop and\r\nremove may lead to detection of malicious\r\nactivity. Another good practice is monitoring\r\nfor known deletion and secure deletion tools\r\nthat are not already on systems within an\r\nenterprise network, which an adversary\r\ncould introduce. 
Some monitoring tools may\r\ncollect command-line arguments but may\r\nnot capture DEL commands since DEL is\r\na native function within cmd.exe.\r\nCredential\r\nAccess\r\n[TA0006 ]\r\nCredentials from\r\nPassword Stores:\r\nCredentials from\r\nWeb Browsers\r\n[T1555.003 ]\r\nHavex may contain a\r\npublicly available web\r\nbrowser password\r\nrecovery tool.\r\nPassword Policies: set and enforce secure\r\npassword policies for accounts.\r\nDiscovery\r\n[TA0007 ]\r\nAccount\r\nDiscovery: Email\r\nAccount\r\n[T1087.003 ]\r\nHavex collects\r\naddress book\r\ninformation from\r\nOutlook.\r\nMonitor: monitor processes and command-line arguments for actions that could be\r\ntaken to gather system and network\r\ninformation. Remote access tools with built-in features may interact directly with the\r\nWindows API to gather information.\r\nInformation may also be acquired through\r\nWindows system management tools such as\r\nWindows Management Instrumentation\r\n(WMI) and PowerShell.\r\nFile and Directory\r\nDiscovery [T1083\r\n]\r\nHavex collects\r\ninformation about\r\navailable drives,\r\ndefault browser,\r\ndesktop file list, My\r\nDocuments, internet\r\nhistory, program files,\r\nand root of available\r\ndrives.\r\nMonitor: monitor processes and command-line arguments for actions that could be\r\ntaken to gather system and network\r\ninformation. 
Remote access tools with built-in features may interact directly with the\r\nWindows API to gather information.\r\nInformation may also be acquired through\r\nWindows system management tools such as\r\nWMI and PowerShell.\r\nProcess Discovery\r\n[T1057 ]\r\nHavex collects\r\ninformation about\r\nrunning processes.\r\nMonitor: normal, benign system and\r\nnetwork events that look like process\r\ndiscovery may be uncommon, depending on\r\nthe environment and how they are used.\r\nMonitor processes and command-line\r\narguments for actions that could be taken to\r\ngather system and network information.\r\nRemote access tools with built-in features\r\nmay interact directly with the Windows API\r\nto gather information. Information may also\r\nbe acquired through Windows system\r\nmanagement tools such as WMI and\r\nPowerShell.\r\nSystem\r\nInformation\r\nDiscovery [T1082\r\n]\r\nHavex collects\r\ninformation about the\r\nOS and computer\r\nname.\r\nMonitor: monitor processes and command-line arguments for actions that could be\r\ntaken to gather system and network\r\ninformation. Remote access tools with built-in features may interact directly with the\r\nWindows API to gather information.\r\nInformation may also be acquired through\r\nWindows system management tools such as\r\nWMI and PowerShell.\r\nIn cloud-based systems, native logging can\r\nbe used to identify access to certain APIs\r\nand dashboards that may contain system\r\ninformation. Depending on how the\r\nenvironment is used, that data alone may not\r\nbe useful due to benign use during normal\r\noperations.\r\nSystem Network\r\nConfiguration\r\nDiscovery [T1016\r\n]\r\nHavex collects\r\ninformation about the\r\ninternet adapter\r\nconfiguration.\r\nMonitor: monitor processes and command-line arguments for actions that could be\r\ntaken to gather system and network\r\ninformation. 
Remote access tools with built-in features may interact directly with the\r\nWindows API to gather information.\r\nInformation may also be acquired through\r\nWindows system management tools such as\r\nWMI and PowerShell.\r\nSystem\r\nOwner/User\r\nDiscovery [T1033\r\n]\r\nHavex collects\r\nusernames.\r\nCollection\r\n[TA0009 ]\r\nArchive Collected\r\nData [T1560 ]\r\nHavex writes\r\ncollected data to a\r\ntemporary file in an\r\nencrypted form before\r\nexfiltration to a C2\r\nserver.\r\nAudit: audit or scan systems, permissions,\r\ninsecure software, insecure configurations,\r\netc., to identify potential weaknesses.\r\nCommand\r\nand Control\r\n[TA0011 ]\r\nData Encoding:\r\nStandard Encoding\r\n[T1132.001 ]\r\nHavex uses standard\r\nBase64 + bzip2 or\r\nstandard Base64 +\r\nreverse XOR + RSA-2048 to decrypt data\r\nreceived from C2\r\nservers.\r\nDetect: analyze network data for uncommon\r\ndata flows (e.g., a client sending\r\nsignificantly more data than it receives from\r\na server). Processes using the network that\r\ndo not normally have network\r\ncommunication or have never been seen\r\nbefore are suspicious. 
Analyze packet\r\ncontents to detect communications that do\r\nnot follow the expected protocol behavior\r\nfor the port that is being used.\r\nTable 2: ICS Domain Tactics and Techniques for Havex [3]\r\nTactic Technique Use\r\nInitial Access\r\nSpearphishing Attachment\r\n[T0865]\r\nHavex is distributed through a Trojanized installer\r\nattached to emails.\r\nSupply Chain Compromise\r\n[T0862]\r\nNote: this activity also applies\r\nto Tactic: Drive by\r\nCompromise [T0817]\r\nHavex is distributed through Trojanized installers\r\nplanted on compromised vendor websites.\r\nExecution User Execution [T0863]\r\nExecution of Havex relies on a user opening a\r\nTrojanized installer attached to an email.\r\nDiscovery\r\nRemote System Discovery\r\n[T0846]\r\nHavex uses Windows networking (WNet) to discover all\r\nthe servers, including OPC servers that are reachable by\r\nthe compromised machine over the network.\r\nRemote System Information\r\nDiscovery [T0888]\r\nHavex gathers server information, including CLSID,\r\nserver name, Program ID, OPC version, vendor\r\ninformation, running state, group count, and server\r\nbandwidth.\r\nCollection\r\nAutomated Collection [T0802]\r\nHavex gathers information about connected control\r\nsystems devices.\r\nPoint \u0026 Tag Identification\r\n[T0861]\r\nHavex can enumerate OPC tags; specifically tag name,\r\ntype, access, and ID.\r\nInhibit\r\nResponse\r\nFunction\r\nDenial of Service [T0814]\r\nHavex has caused multiple common OPC platforms to\r\nintermittently crash.\r\nImpact Denial of Control [T0813]\r\nHavex can cause PLCs' inability to control connected\r\nsystems.\r\nGlobal Energy Sector Campaign: 2016 to 2018 U.S. Energy Sector Targeting\r\nTable 3 maps the 2016 to 2018 U.S. Energy Sector targeting activity to the MITRE ATT\u0026CK Enterprise\r\nframework. Mitigations for techniques are also provided in the table. 
For additional mitigations, refer to the\r\nMitigations section of this advisory.\r\nTable 3: Energy Sector Campaign, 2016 to 2018 targeting U.S. Energy Sector: Observed MITRE ATT\u0026CK\r\nEnterprise Tactics and Techniques\r\nTactic Technique Use Detection/Mitigations\r\nReconnaissance\r\n[TA0043 ]\r\nGather Victim\r\nIdentity\r\nInformation:\r\nCredentials\r\n[T1589.001]\r\nThe threat actor harvested\r\ncredentials of third-party\r\ncommercial organizations by\r\nsending spearphishing emails that\r\ncontained a PDF attachment. The\r\nPDF attachment contained a\r\nshortened URL that, when clicked,\r\nled users to a website that\r\nprompted the user for their email\r\naddress and password.\r\nThe threat actor harvested\r\ncredentials of Energy Sector\r\ntargets by sending spearphishing\r\nemails with a malicious Microsoft\r\nWord document or links to the\r\nwatering holes created on\r\ncompromised third-party websites.\r\nSoftware Configuration:\r\nimplement configuration\r\nchanges to software (other than\r\nthe operating system) to\r\nmitigate security risks\r\nassociated with how the software\r\noperates.\r\nUser Training: train users to\r\nbe aware of access or\r\nmanipulation attempts by an\r\nadversary to reduce the risk of\r\nsuccessful spearphishing, social\r\nengineering, and other\r\ntechniques that involve user\r\ninteraction.\r\nNote: this activity also applies to:\r\nTactic: Reconnaissance\r\n[TA0043 ], Technique:\r\nPhishing for Information\r\n[T1598 ]:\r\nSpearphishing\r\nAttachment\r\n[T1598.002 ]\r\nSpearphishing Link\r\n[T1598.003 ]\r\nResource\r\nDevelopment\r\n[TA0042 ]\r\nCompromise\r\nInfrastructure:\r\nServer\r\n[T1584.004 ]\r\nThe threat actor created watering\r\nholes on compromised third-party\r\norganizations’ domains.\r\nThis activity typically takes\r\nplace outside the visibility of\r\ntarget organizations, making\r\ndetection of this behavior\r\ndifficult. 
Ensure that users\r\nbrowse the internet securely.\r\nPrevent intentional and\r\nunintentional download of\r\nmalware or rootkits, and users\r\nfrom accessing infected or\r\nmalicious websites. Treat all\r\ntraffic as untrusted, even if it\r\ncomes from a partner website\r\nor popular domain.\r\nInitial Access\r\n[TA0001 ]\r\nValid Accounts\r\n[T1078 ]\r\nThe threat actor obtained access to\r\nEnergy Sector targets by\r\nleveraging compromised third-party infrastructure and previously\r\ncompromised Energy Sector\r\ncredentials against remote access\r\nservices and infrastructure—\r\nspecifically VPN, RDP, and\r\nOutlook Web Access—where MFA\r\nwas not enabled.\r\nNetwork Segmentation:\r\narchitect sections of the\r\nnetwork to isolate critical\r\nsystems, functions, or\r\nresources. Use physical and\r\nlogical segmentation to prevent\r\naccess to potentially sensitive\r\nsystems and information. Use a\r\nDMZ to contain any internet-facing services that should not\r\nbe exposed from the internal\r\nnetwork.\r\nMFA: enforce use of two or\r\nmore pieces of evidence (such\r\nas username and password plus\r\na token, e.g., a physical smart\r\ncard or token generator) to\r\nauthenticate to a system.\r\nPrivileged Account\r\nManagement: manage the\r\ncreation of, modification of,\r\nuse of, and permissions\r\nassociated with privileged\r\naccounts, including SYSTEM\r\nand root.\r\nUpdate Software: perform\r\nregular software updates to\r\nmitigate exploitation risk.\r\nExploit Protection: use\r\ncapabilities to detect and block\r\nconditions that may lead to or\r\nbe indicative of a software\r\nexploit occurring.\r\nApplication Isolation and\r\nSandboxing: restrict execution\r\nof code to a virtual\r\nenvironment on or in transit to\r\nan endpoint system.\r\nExternal\r\nRemote\r\nServices\r\n[T1133 ]\r\nThe threat actor installed VPN\r\nclients on compromised third-party\r\ntargets to connect to Energy 
Sector\r\nnetworks.\r\nNetwork Segmentation:\r\narchitect sections of the\r\nnetwork to isolate critical\r\nsystems, functions, or\r\nresources. Use physical and\r\nlogical segmentation to prevent\r\naccess to potentially sensitive\r\nsystems and information. Use a\r\nDMZ to contain any internet-facing services that should not\r\nbe exposed from the internal\r\nnetwork.\r\nMFA: enforce use of two or\r\nmore pieces of evidence (such\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 13 of 30\n\nas username and password plus\r\na token, e.g., a physical smart\r\ncard or token generator) to\r\nauthenticate to a system.\r\nLimit Access to Resource\r\nOver Network: prevent access\r\nto file shares, remote access to\r\nsystems, and unnecessary\r\nservices. Mechanisms to limit\r\naccess may include use of\r\nnetwork concentrators, RDP\r\ngateways, etc.\r\nDisable or Remove Program:\r\nremove or deny access to\r\nunnecessary and potentially\r\nvulnerable software to prevent\r\nabuse by adversaries.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 14 of 30\n\nExecution \r\n[TA0002 ]\r\nCommand and\r\nScripting\r\nInterpreter:\r\nPowerShell\r\n[T1059.001 ]\r\nDuring an RDP session, the threat\r\nactor used a PowerShell Script to\r\ncreate an account within a victim’s\r\nMicrosoft Exchange Server. 
\r\nNote: this activity also applies to: \r\nTactic: Persistence [TA0003\r\n], Technique: Create\r\nAccount: Local Account\r\n[T1136.001 ] \r\nAntivirus/Antimalware: use\r\nsignatures or heuristics to\r\ndetect malicious software.\r\nCode Signing: enforce binary\r\nand application integrity with\r\ndigital signature verification to\r\nprevent untrusted code from\r\nexecuting.\r\nDisable or Remove Program:\r\nremove or deny access to\r\nunnecessary and potentially\r\nvulnerable software to prevent\r\nabuse by adversaries.\r\nPrivileged Account\r\nManagement: manage the\r\ncreation of, modification of,\r\nuse of, and permissions\r\nassociated with privileged\r\naccounts, including SYSTEM\r\nand root.\r\nCommand and\r\nScripting\r\nInterpreter:\r\nWindows\r\nCommand\r\nShell\r\n[T1059.003 ]\r\nThe threat actor used a JavaScript\r\nwith an embedded Command Shell\r\nscript to:\r\nCreate a local administrator\r\naccount;\r\nDisable the host-based\r\nfirewall;\r\nGlobally open port 3389 for\r\nRDP access; and\r\nAttempt to add the newly\r\ncreated account to the\r\nadministrators group to gain\r\nelevated privileges. 
\r\nNote: this activity also applies to: \r\nTactic: Credential Access\r\n[TA0006 ], Technique:\r\nExecution Prevention: block\r\nexecution of code on a system\r\nthrough application control,\r\nand/or script blocking.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 15 of 30\n\nInput Capture [T1056 ]\r\nTactic: Execution [TA0002\r\n], Technique: Command\r\nand Scripting Interpreter:\r\nJavaScript [T1059.007 ]\r\nTactic: Persistence [TA0003\r\n], Technique: Create\r\nAccount: Local Account\r\n[T1136.001 ]\r\nScheduled\r\nTask/Job:\r\nScheduled Task\r\n[T1053.005 ]\r\nThe threat actor created a\r\nScheduled Task to automatically\r\nlog out of a newly created account\r\nevery eight hours.\r\nAudit: audit or scan systems,\r\npermissions, insecure software,\r\ninsecure configurations, etc., to\r\nidentify potential weaknesses.\r\nHarden Operating System\r\nConfiguration: make\r\nconfiguration changes related\r\nto the operating system or a\r\ncommon feature of the\r\noperating system that result in\r\nsystem hardening against\r\ntechniques.\r\nPrivileged Account\r\nManagement: manage the\r\ncreation of, modification of,\r\nuse of, and permissions\r\nassociated with privileged\r\naccounts, including SYSTEM\r\nand root.\r\nUser Account Management:\r\nmanage the creation of,\r\nmodification of, use of, and\r\npermissions associated with\r\nuser accounts.\r\nPersistence\r\n[TA0003 ]\r\nCreate\r\nAccount: Local\r\nAccount\r\n[T1136.001 ] \r\nThe threat actor created local\r\nadministrator accounts on\r\npreviously compromised third-party organizations for\r\nMFA: enforce use of two or\r\nmore pieces of evidence (such\r\nas username and password plus\r\na token, e.g., a physical smart\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 16 of 30\n\nreconnaissance and to remotely\r\naccess Energy Sector targets.  
\r\n MFA: enforce use of two or more\r\npieces of evidence (such as\r\nusername and password plus a\r\ntoken, e.g., a physical smart card\r\nor token generator) to authenticate\r\nto a system.\r\ncard or token generator) to\r\nauthenticate to a system.\r\nPrivileged Account\r\nManagement: manage the\r\ncreation of, modification of,\r\nuse of, and permissions\r\nassociated with privileged\r\naccounts, including SYSTEM\r\nand root.\r\nServer\r\nSoftware\r\nComponent:\r\nWeb Shell\r\n[T1505.003 ]\r\nThe threat actor created webshells\r\non Energy Sector targets’ publicly\r\naccessible email and web servers.\r\nDetect: the portion of the\r\nwebshell that is on the server\r\nmay be small and look\r\ninnocuous. Process monitoring\r\nmay be used to detect Web\r\nservers that perform suspicious\r\nactions such as running\r\ncmd.exe or accessing files that\r\nare not in the Web directory.\r\nFile monitoring may be used to\r\ndetect changes to files in the\r\nWeb directory of a Web server\r\nthat do not match with updates\r\nto the Web server's content and\r\nmay indicate implantation of a\r\nWeb shell script. Log\r\nauthentication attempts to the\r\nserver and any unusual traffic\r\npatterns to or from the server\r\nand internal network.\r\nDefense\r\nEvasion\r\n[TA0005 ]\r\nIndicator\r\nRemoval on\r\nHost: Clear\r\nWindows\r\nEvent Logs\r\n[T1070.001 ]\r\nThe threat actor created new\r\naccounts on victim networks to\r\nperform cleanup operations. The\r\naccounts created were used to clear\r\nthe following Windows event logs:\r\nSystem, Security, Terminal\r\nServices, Remote Services, and\r\nAudit. 
\r\nThe threat actor also removed\r\napplications they installed while\r\nEncrypt Sensitive\r\nInformation: protect sensitive\r\ninformation with strong\r\nencryption.\r\nRemote Data Storage: use\r\nremote security log and\r\nsensitive file storage where\r\naccess can be controlled better\r\nto prevent exposure of intrusion\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 17 of 30\n\nthey were in the network along\r\nwith any logs produced. For\r\nexample, the VPN client installed\r\nat one third-party commercial\r\nfacility was deleted along with the\r\nlogs that were produced from its\r\nuse. Finally, data generated by\r\nother accounts used on the systems\r\naccessed were deleted.\r\nNote: this activity also applies to:\r\nTactic: Persistence [TA0003\r\n], Technique: Create\r\nAccount: Local Account\r\n[T1136.001 ]\r\ndetection log data or sensitive\r\ninformation.\r\nRestrict File and Directory\r\nPermissions: restrict access by\r\nsetting directory and file\r\npermissions that are not\r\nspecific to users or privileged\r\naccounts.\r\nIndicator\r\nRemoval on\r\nHost: File\r\nDeletion\r\n[T1070.004 ]\r\nThe threat actor cleaned up target\r\nnetworks by deleting created\r\nscreenshots and specific registry\r\nkeys. \r\nThe threat actor also deleted all\r\nbatch scripts, output text\r\ndocuments, and any tools they\r\nbrought into the environment, such\r\nas scr.exe .\r\nNote: this activity also applies to:\r\nTechnique: Modify Registry\r\n[T1112 ]\r\nMonitor: monitoring for\r\ncommand-line deletion\r\nfunctions to correlate with\r\nbinaries or other files that an\r\nadversary may drop and\r\nremove may lead to detection\r\nof malicious activity. 
Another\r\ngood practice is monitoring for\r\nknown deletion and secure\r\ndeletion tools that are not\r\nalready on systems within an\r\nenterprise network that an\r\nadversary could introduce.\r\nSome monitoring tools may\r\ncollect command-line\r\narguments, but may not capture\r\nDEL commands since DEL is\r\na native function within\r\ncmd.exe .\r\n \r\nTechnique:\r\nMasquerading\r\n[T1036 ]\r\nAfter downloading tools from a\r\nremote server, the threat actor\r\nrenamed the extensions.\r\nRestrict File and Directory\r\nPermissions: restrict access by\r\nsetting directory and file\r\npermissions that are not\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 18 of 30\n\nspecific to users or privileged\r\naccounts.\r\nCode Signing: enforce binary\r\nand application integrity with\r\ndigital signature verification to\r\nprevent untrusted code from\r\nexecuting.\r\nExecution Prevention: block\r\nexecution of code on a system\r\nthrough application control,\r\nand/or script blocking.\r\nCredential\r\nAccess\r\n[TA0006 ]\r\nBrute Force:\r\nPassword\r\nCracking\r\n[T1110.002 ]\r\nThe threat actor used password-cracking techniques to obtain the\r\nplaintext passwords from obtained\r\ncredential hashes.\r\nThe threat actor dropped and\r\nexecuted open-source and free\r\npassword cracking tools such as\r\nHydra, SecretsDump, and\r\nCrackMapExec, and Python.\r\nMFA: enforce use of two or\r\nmore pieces of evidence (such\r\nas username and password plus\r\na token, e.g., a physical smart\r\ncard or token generator) to\r\nauthenticate to a system.\r\nPassword Policies: set and\r\nenforce secure password\r\npolicies for accounts.\r\nForced\r\nAuthentication\r\n[T1187 ]\r\nMicrosoft Word attachments sent\r\nvia spearphishing emails leveraged\r\nlegitimate Microsoft Office\r\nfunctions for retrieving a document\r\nfrom a remote server over Server\r\nMessage Block (SMB) using\r\nTransmission Control Protocol\r\nports 445 or 139. 
As a part of the\r\nstandard processes executed by\r\nMicrosoft Word, this request\r\nauthenticates the client with the\r\nserver, sending the user’s\r\ncredential hash to the remote\r\nserver before retrieving the\r\nrequested file. (Note: transfer of\r\ncredentials can occur even if the\r\nfile is not retrieved.)\r\nPassword Policies: set and\r\nenforce secure password\r\npolicies for accounts.\r\nFilter Network Traffic: use\r\nnetwork appliances to filter\r\ningress or egress traffic and\r\nperform protocol-based\r\nfiltering. Configure software on\r\nendpoints to filter network\r\ntraffic.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 19 of 30\n\nThe threat actor’s watering hole\r\nsites contained altered JavaScript\r\nand PHP files that requested a file\r\nicon using SMB from an IP\r\naddress controlled by the threat\r\nactors.\r\nThe threat actor manipulated LNK\r\nfiles to repeatedly gather user\r\ncredentials. Default Windows\r\nfunctionality enables icons to be\r\nloaded from a local or remote\r\nWindows repository. The threat\r\nactor exploited this built-in\r\nWindows functionality by setting\r\nthe icon path to a remote server\r\ncontroller by the actors. When the\r\nuser browses to the directory,\r\nWindows attempts to load the icon\r\nand initiate an SMB authentication\r\nsession. During this process, the\r\nactive user’s credentials are passed\r\nthrough the attempted SMB\r\nconnection.\r\n \r\nNote: this activity also applies to:\r\nTactic: Persistence [TA0003\r\n], Technique: Boot or\r\nLogon Autostart Execution:\r\nShortcut Modification\r\n[T1547.009 ]\r\nOS Credential\r\nDumping:\r\nLocal Security\r\nAuthority\r\nSubsystem\r\nService\r\n(LSASS)\r\nThe threat actor used an\r\nAdministrator PowerShell prompt\r\nto enable the WDigest\r\nauthentication protocol to store\r\nplaintext passwords in the LSASS\r\nmemory. 
With this enabled,\r\ncredential harvesting tools can\r\nOperating System\r\nConfiguration: make\r\nconfiguration changes related\r\nto the operating system or a\r\ncommon feature of the\r\noperating system that result in\r\nsystem hardening against\r\ntechniques.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 20 of 30\n\nMemory\r\n[T1003.001 ]\r\ndump passwords from this\r\nprocess’s memory.\r\nPassword Policies: set and\r\nenforce secure password\r\npolicies for accounts.\r\nPrivileged Account\r\nManagement: manage the\r\ncreation of, modification of,\r\nuse of, and permissions\r\nassociated with privileged\r\naccounts, including SYSTEM\r\nand root.\r\nPrivileged Process Integrity:\r\nprotect processes with high\r\nprivileges that can be used to\r\ninteract with critical system\r\ncomponents through use of\r\nprotected process light, anti-process injection defenses, or\r\nother process integrity\r\nenforcement measures.\r\nUser Training: train users to\r\nbe aware of access or\r\nmanipulation attempts by an\r\nadversary to reduce the risk of\r\nsuccessful spearphishing, social\r\nengineering, and other\r\ntechniques that involve user\r\ninteraction.\r\nCredential Access Protection:\r\nuse capabilities to prevent\r\nsuccessful credential access by\r\nadversaries; including blocking\r\nforms of credential dumping.\r\nOS Credential\r\nDumping:\r\nNTDS\r\n[T1003.003 ]\r\nThe threat actor collected the files\r\nntds.dit . 
The file ntds.dit is\r\nthe Active Directory (AD)\r\ndatabase that contains all\r\ninformation related to the AD,\r\nMonitor: monitor processes\r\nand command-line arguments\r\nfor program execution that may\r\nbe indicative of credential\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 21 of 30\n\nincluding encrypted user\r\npasswords.\r\ndumping, especially attempts to\r\naccess or copy the NTDS.dit .\r\nPrivileged Account\r\nManagement: manage the\r\ncreation of, modification of, se\r\nof, and permissions associated\r\nwith privileged accounts,\r\nincluding SYSTEM and root.\r\nUser Training: train users to\r\nbe aware of access or\r\nmanipulation attempts by an\r\nadversary to reduce the risk of\r\nsuccessful spearphishing, social\r\nengineering, and other\r\ntechniques that involve user\r\ninteraction.\r\nDiscovery\r\n[TA0007 ]\r\nRemote System\r\nDiscovery\r\n[T1018 ]\r\nThe threat actor used privileged\r\ncredentials to access the Energy\r\nSector victim’s domain controller.\r\nOnce on the domain controller, the\r\nthreat actors used batch scripts\r\ndc.ba t and dit.bat to\r\nenumerate hosts, users, and\r\nadditional information about the\r\nenvironment. 
\r\nNote: this activity also applies to: \r\nTactic: Persistence [TA0003\r\n], Technique: Valid\r\nAccounts: Domain\r\nAccounts [T1078.002 ]\r\nTactic: Discovery [TA0007\r\n], Technique: System\r\nOwner/User Discovery\r\n[T1033 ]\r\nMonitor: normal, benign\r\nsystem and network events\r\nrelated to legitimate remote\r\nsystem discovery may be\r\nuncommon, depending on the\r\nenvironment and how they are\r\nused.\r\nMonitor processes and\r\ncommand-line arguments for\r\nactions that could be taken to\r\ngather system and network\r\ninformation.\r\nMonitor for processes that can\r\nbe used to discover remote\r\nsystems, such as ping.exe\r\nand tracert.exe , especially\r\nwhen executed in quick\r\nsuccession.\r\nThe threat actor accessed\r\nworkstations and servers on\r\ncorporate networks that contained\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 22 of 30\n\ndata output from control systems\r\nwithin energy generation facilities.\r\nThe threat actors accessed files\r\npertaining to ICS or supervisory\r\ncontrol and data acquisition\r\n(SCADA) systems. \r\nThe actor targeted and copied\r\nprofile and configuration\r\ninformation for accessing ICS\r\nsystems on the network. 
The threat\r\nactor copied Virtual Network\r\nConnection (VNC) profiles that\r\ncontained configuration\r\ninformation on accessing ICS\r\nsystems and took screenshots of a\r\nHuman Machine Interface (HMI).\r\nNote: this activity also applies to\r\nTactic: Discovery [TA0007\r\n], Technique File and\r\nDirectory Discovery\r\n[T1083 ]\r\nTactic: [TA0009 ],\r\nTechnique: Screen Capture\r\n[T1113 ]\r\nFile and\r\nDirectory\r\nDiscovery\r\n[T1083 ]\r\nThe actor used dirsb.bat to\r\ngather folder and file names from\r\nhosts on the network.\r\nNote: this activity also applies to: \r\nTactic: Execution [TA0002\r\n], Command and\r\nScripting Interpreter:\r\nWindows Command Shell\r\n[T1059.003 ]\r\nThis type of attack technique\r\ncannot be easily mitigated with\r\npreventive controls since it is\r\nbased on the abuse of system\r\nfeatures. Monitor processes and\r\ncommand-line arguments for\r\nactions that could be taken to\r\ngather system and network\r\ninformation. Remote access\r\ntools with built-in features may\r\ninteract directly with the\r\nWindows API to gather\r\nThe threat actor conducted information.\r\nreconnaissance operations within\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 23 of 30\n\nthe network. 
The threat actor\r\nfocused on identifying and\r\nbrowsing file servers within the\r\nintended victim’s network.\r\nLateral\r\nMovement\r\n[TA0008 ]\r\nLateral Tool\r\nTransfer\r\n[T1570 ]\r\nThe threat actor moved laterally\r\nvia PsExec , batch scripts, RDP,\r\nVNC, and admin shares.\r\nNote: this activity also applies to:\r\nTactic: Lateral Movement\r\n[TA0008 ], Techniques:\r\nRemote Services:\r\nRemote Desktop\r\nProtocol [T1021.001\r\n]\r\nRemote Services:\r\nSMB/Windows\r\nAdmin Shares\r\n[T1021.002 ]\r\nRemote Services:\r\nVNC [T1021.005 ]\r\nNetwork Intrusion\r\nPrevention: use intrusion\r\ndetection signatures to block\r\ntraffic at network boundaries.\r\nNetwork Segmentation:\r\narchitect sections of the\r\nnetwork to isolate critical\r\nsystems, functions, or\r\nresources. Use physical and\r\nlogical segmentation to prevent\r\naccess to potentially sensitive\r\nsystems and information. Use a\r\nDMZ to contain any internet-facing services that should not\r\nbe exposed from the internal\r\nnetwork.\r\nOperating System\r\nConfiguration: make\r\nconfiguration changes related\r\nto the operating system or a\r\ncommon feature of the\r\noperating system that result in\r\nsystem hardening against\r\ntechniques.\r\nPrivileged Account\r\nManagement: manage the\r\ncreation of, modification of,\r\nuse of, and permissions\r\nassociated with privileged\r\naccounts, including SYSTEM\r\nand root.\r\nUser Account Management:\r\nmanage the creation of,\r\nmodification o, se of, and\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 24 of 30\n\npermissions associated with\r\nuser accounts.\r\nDisable or Remove Feature or\r\nProgram: remove or deny\r\naccess to unnecessary and\r\npotentially vulnerable software\r\nto prevent abuse by adversaries.\r\nAudit: audit or scan systems,\r\npermissions, insecure software,\r\ninsecure configurations, etc. 
to\r\nidentify potential weaknesses.\r\nMFA: enforce use of two or\r\nmore pieces of evidence (such\r\nas username and password plus\r\na token, e.g., a physical smart\r\ncard or token generator) to\r\nauthenticate to a system.\r\nLimit Access to Resource\r\nOver Network: prevent access\r\nto file shares, remote access to\r\nsystems, and unnecessary\r\nservices. Mechanisms to limit\r\naccess may include use of\r\nnetwork concentrators, RDP\r\ngateways, etc.\r\nFilter Network Traffic: use\r\nnetwork appliances to filter\r\ningress or egress traffic and\r\nperform protocol-based\r\nfiltering. Configure software on\r\nendpoints to filter network\r\ntraffic.\r\nLimit Software Installation:\r\nblock users or groups from\r\ninstalling unapproved software.\r\nCollection\r\n[TA0009 ]\r\nData from\r\nLocal System\r\nThe threat actor collected the\r\nWindows SYSTEM registry hive Monitor: monitor processes\r\nand command-line arguments\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 25 of 30\n\n[T1005 ]  file, which contains host\r\nconfiguration information.\r\nfor actions that could be taken\r\nto collect files from a system.\r\nRemote access tools with built-in features may interact directly\r\nwith the Windows API to\r\ngather data.\r\nData may also be acquired\r\nthrough Windows system\r\nmanagement tools such as\r\nWMI and PowerShell.\r\nArchive\r\nCollected Data:\r\nArchive via\r\nUtility\r\n[T1560.001 ]\r\nThe threat actor compressed the\r\nntds.dit file and the SYSTEM\r\nregistry hive they had collected\r\ninto archives named SYSTEM.zip\r\nand comps.zip .\r\nAudit: audit or scan systems,\r\npermissions, insecure software,\r\ninsecure configurations, etc. to\r\nidentify potential weaknesses.\r\nScreen Capture\r\n[T1113 ]\r\nThe threat actor used Windows’\r\nScheduled Tasks and batch scripts,\r\nto execute scr.exe and collect\r\nadditional information from hosts\r\non the network. 
The tool scr.exe\r\nis a screenshot utility that the\r\nthreat actor used to capture the\r\nscreen of systems across the\r\nnetwork.\r\nNote: this activity also applies to: \r\nTactic: Execution [TA0002\r\n], Techniques:\r\nCommand and\r\nScripting Interpreter:\r\nWindows Command\r\nShell [T1059.003 ]\r\nScheduled Task/Job:\r\nScheduled Task\r\n[T1053.005 ]\r\nNetwork Segmentation:\r\narchitect sections of the\r\nnetwork to isolate critical\r\nsystems, functions, or\r\nresources. Use physical and\r\nlogical segmentation to prevent\r\naccess to potentially sensitive\r\nsystems and information. Use a\r\nDMZ to contain any internet-facing services that should not\r\nbe exposed from the internal\r\nnetwork.\r\nMFA: enforce use of two or\r\nmore pieces of evidence (such\r\nas username and password plus\r\na token, e.g., a physical smart\r\ncard or token generator) to\r\nauthenticate to a system.\r\nLimit Access to Resource\r\nOver Network: prevent access\r\nto file shares, remote access to\r\nsystems, and unnecessary\r\nservices. Mechanisms to limit\r\nThe actor used batch scripts\r\nlabeled pss.bat and psc.bat to\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 26 of 30\n\naccess may include use of\r\nnetwork concentrators, RDP\r\ngateways, etc.\r\nDisable or Remove Feature or\r\nProgram: remove or deny\r\naccess to unnecessary and\r\npotentially vulnerable software\r\nto prevent abuse by adversaries.\r\nrun the PsExec tool. PsExec was\r\nused to execute scr.exe across\r\nthe network and to collect\r\nscreenshots of systems in a text\r\nfile.\r\nNote: this activity also applies to: \r\nTactic: Execution [TA0002\r\n], Techniques:\r\nCommand and\r\nScripting Interpreter:\r\nWindows Command\r\nShell [T1059.003 ]\r\nSystem Services:\r\nService Execution\r\n[T1569.002 ]\r\nCommand and\r\nControl\r\n[TA0011 ]\r\nIngress Tool\r\nTransfer\r\n[T1105 ]\r\nThe threat actor downloaded tools\r\nfrom a remote server.     
Monitor: monitor for file\r\ncreation and files transferred\r\ninto the network. Unusual\r\nprocesses with external\r\nnetwork connections creating\r\nfiles on-system may be\r\nsuspicious. Use of utilities,\r\nsuch as File Transfer Protocol,\r\nthat does not normally occur\r\nmay also be suspicious.\r\nAnalyze network data for\r\nuncommon data flows (e.g., a\r\nclient sending significantly\r\nmore data than it receives from\r\na server). Processes utilizing\r\nthe network that do not\r\nnormally have network\r\ncommunication or have never\r\nbeen seen before are\r\nsuspicious.\r\nAnalyze packet contents to\r\ndetect communications that do\r\nnot follow the expected\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 27 of 30\n\nprotocol behavior for the port\r\nthat is being used.\r\nUse intrusion detection\r\nsignatures to block traffic at\r\nnetwork boundaries.\r\nTRITON Malware\r\nTable 4 maps TRITON’s capabilities to the ATT\u0026CK for ICS framework. For mitigations to harden ICS/OT\r\nenvironments, refer to the Mitigations section of this advisory.\r\nTable 4: ICS Domain Tactics and Techniques for TRITON [4]\r\nInitial\r\nAccess\r\nEngineering\r\nWorkstation\r\nCompromise\r\n[T0818]\r\nTRITON compromises workstations within the safety network. \r\nExecution\r\nChange Operating\r\nMode [T0858]\r\nNote: this\r\ntechnique also\r\napplies to Evasion.\r\nTRITON can halt or run a program through the TriStation protocol.\r\n(Note: TriStation protocol is the protocol that Triconex System\r\nsoftware uses to communicate with the Tricon PLCs.) 
\r\nExecution through\r\nAPI [T0871]\r\nTRITON leverages a custom implementation of the TriStation\r\nprotocol, which triggers APIs related to program download, program\r\nallocation, and program changes.\r\nHooking [T0874]\r\nNote: this\r\ntechnique also\r\napplies to Tactic:\r\nPrivilege\r\nEscalation.\r\nTRITON's injector modifies the address of the handler for a Tristation\r\nprotocol command so that when the command is received, the payload\r\nmay be executed instead of normal processing.\r\nModify Controller\r\nTasking [T0821]\r\nSome TRITON components are added to the program table on the\r\nTricon so that they are executed by the firmware once each cycle.\r\nNative API\r\n[T0834]\r\nTRITON's payload takes commands from TsHi.ExplReadRam(Ex) ,\r\nTsHi.ExplWriteRam(Ex) , and TsHi.ExplExec functions to perform\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 28 of 30\n\noperations on controller memory and registers using syscalls\r\nwritten in PowerPC shellcode.\r\nScripting [T0853]\r\nTRITON communicates with Triconex Tricon PLCs using its custom\r\nPython script. This Python script communicates using four Python\r\nmodules that collectively implement the TriStation protocol via User\r\nDatagram Protocol (UDP) 1502.\r\nNote: this use also applies to:\r\nTactic: Command and Control │Technique: Commonly Used\r\nPort [T0885]\r\nPersistence \r\nSystem Firmware\r\n[T0857]\r\nNote: this\r\ntechnique also\r\napplies to Tactic:\r\nInhibit Response\r\nFunction.\r\nTRITON's injector injects the payload into the Tricon PLCs’ running\r\nfirmware. A threat actor can use the payload to read and write memory\r\non the PLC and execute code at an arbitrary address within the\r\nfirmware. If the memory address it writes to is within the firmware\r\nregion, the malicious payload disables address translation, writes the\r\ncode at the provided address, flushes the instruction cache, and re-enables address translation. 
This allows the malware to change the\r\nrunning firmware.\r\nPrivilege\r\nEscalation\r\nExploitation for\r\nPrivilege\r\nEscalation [T0890]\r\nTRITON can gain supervisor-level access and control system states by\r\nexploiting a vulnerability.\r\nEvasion\r\nExploitation for\r\nEvasion [T0820]\r\nTRITON's injector exploits a vulnerability in the device firmware to\r\nescalate privileges and then it disables and (later patches) a firmware\r\nRAM/ROM consistency check. \r\nIndicator Removal\r\non Host [T0872]\r\nAfter running the malicious payload, TRITON's Python script\r\noverwrites the malicious payload with a “dummy” program.\r\nMasquerading\r\n[T0849]\r\nTRITON’s Python script masquerades as legitimate Triconex\r\nsoftware.\r\nTRITON’s injector masquerades as a standard compiled PowerPC\r\nprogram for the Triconex PLC.\r\nDiscovery\r\nRemote System\r\nDiscovery [T0846]\r\nTRITON’s Python script can autodetect Triconex PLCs on the\r\nnetwork by sending a UDP broadcast packet over port 1502.\r\nLateral\r\nMovement\r\nProgram\r\nDownload [T0843]\r\nTRITON leverages the TriStation protocol to download programs to\r\nthe Tricon PLCs.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 29 of 30\n\nCollection\r\nDetect Operating\r\nMode [T0868]\r\nA TRITON Python module provides string representations of different\r\nfeatures of the TriStation protocol, including message and error codes,\r\nkey position states, and other values returned by the status functions.\r\nProgram Upload\r\n[T0845]\r\nTRITON uploads its payload to the Tricon PLCs.\r\nImpair\r\nProcess\r\nControl\r\nUnauthorized\r\nCommand\r\nMessage [T0855]\r\nA threat actor can use TRITON to prevent the Tricon PLC from\r\nfunctioning appropriately.\r\nImpact\r\nLoss of Safety\r\n[T0880]\r\nTRITON can reprogram the safety PLC logic to allow unsafe\r\nconditions or state to persist.\r\nRevisions\r\nMarch 24, 2022: Initial Version\r\nSource: 
https://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-083a\r\nPage 30 of 30",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/aa22-083a"
	],
	"report_names": [
		"aa22-083a"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1d8dd2ca-5592-482e-b89d-6a7e1a49f4f6",
			"created_at": "2023-01-06T13:46:38.408359Z",
			"updated_at": "2026-04-10T02:00:02.962242Z",
			"deleted_at": null,
			"main_name": "TeamSpy Crew",
			"aliases": [
				"TeamSpy",
				"Team Bear",
				"Anger Bear",
				"IRON LYRIC"
			],
			"source_name": "MISPGALAXY:TeamSpy Crew",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE",
				"ATK6",
				"BROMINE",
				"CASTLE",
				"Crouching Yeti",
				"DYMALLOY",
				"Dragonfly",
				"Energetic Bear / Berserk Bear",
				"Ghost Blizzard",
				"TEMP.Isotope",
				"TG-4192"
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025",
			"created_at": "2022-10-25T16:07:23.386907Z",
			"updated_at": "2026-04-10T02:00:04.576815Z",
			"deleted_at": null,
			"main_name": "Berserk Bear",
			"aliases": [
				"Berserk Bear",
				"Dragonfly 2.0",
				"Dymalloy",
				"G0074"
			],
			"source_name": "ETDA:Berserk Bear",
			"tools": [
				"Fuerboos",
				"Goodor",
				"Impacket",
				"Karagany",
				"Karagny",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Phishery",
				"Trojan.Karagany",
				"Trojan.Phisherly",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434448,
	"ts_updated_at": 1775792184,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4bd0778aea2c9268cd7ffba520223691878b2ef8.pdf",
		"text": "https://archive.orkl.eu/4bd0778aea2c9268cd7ffba520223691878b2ef8.txt",
		"img": "https://archive.orkl.eu/4bd0778aea2c9268cd7ffba520223691878b2ef8.jpg"
	}
}