{
	"id": "5ad9b48b-97c6-4312-9dfd-faa1d2584d4e",
	"created_at": "2026-04-06T02:12:59.176554Z",
	"updated_at": "2026-04-10T13:12:39.521687Z",
	"deleted_at": null,
	"sha1_hash": "52d03ce75c2366b0e57d064f58d72054b3709a27",
	"title": "A XENOTIME to Remember: Veles in the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55572,
	"plain_text": "A XENOTIME to Remember: Veles in the Wild\r\nPublished: 2019-04-12 · Archived: 2026-04-06 02:06:30 UTC\r\n“When I use a word,” Humpty Dumpty said, in rather a scornful tone, “it means just what I choose it to mean—\r\nneither more nor less.” – Through the Looking Glass, Lewis Carroll\r\nFireEye recently published a blog covering the tactics, techniques, and procedures (TTPs) for the “TRITON actor”\r\nwhen preparing to deploy the TRITON/TRISIS malware framework in 2017. Overall, the post does a\r\ncommendable job in making public findings previously only privately shared (presumably by FireEye, and in\r\nseveral reports I authored for my employer, Dragos) to threat intelligence customers. As such, the blog continues\r\nto push forward the narrative of how ICS attacks are enabled through prepositioning and initial intrusion\r\noperations – an item I have discussed at length.\r\nYet one point of confusion in the blog comes at the very start: referring to the entity responsible for TRITON as\r\nthe “TRITON actor”. This seems confusing as FireEye earlier publicly declared the “TRITON actor” as a discrete\r\nentity, linked to a Russian research institution, and christened it as “TEMP.Veles”. In the 2018 public posting\r\nannouncing TEMP.Veles, FireEye researchers noted that the institute in question at least supported TEMP.Veles\r\nactivity in deploying TRITON, with subsequent public presentations at Cyberwarcon and the Kaspersky Lab-sponsored Security Analyst Summit essentially linking TRITON and the research institute (and therefore\r\nTEMP.Veles) as one and the same. Yet the most-recent posting covering TTPs from initial access through\r\nprerequisites to enable final delivery of effects on target (deploying TRITON/TRISIS) avoids the use of the\r\nTEMP.Veles term entirely. 
In subsequent discussion, FireEye personnel indicate that there was not “an avalanche\r\nof evidence to substantiate” anything more than “TRITON actor” – summing matters by indicating this term “is\r\nthe best we’ve got for the public for now”.*\r\nMeanwhile, parallel work at Dragos (my employer, where I have performed significant work on the activity\r\ndescribed above) uncovered similar conclusions concerning TTPs and behaviors, for both the 2017 event and\r\nsubsequent activity in other industrial sectors. Utilizing Diamond Model methodology for characterizing activity\r\nby behaviors attached to victims, we began tracking TRITON/TRISIS and immediate enabling activity as a\r\ndistinct activity group (collection of behaviors, infrastructure, and victimology) designated XENOTIME. Based\r\non information gained from discussion with the initial TRITON/TRISIS responders and subsequent work on\r\nfollow-on activity by this entity, Dragos developed a comprehensive (public) picture of adversary activity roughly\r\nmatching FireEye’s analysis published in April 2019, described in various media.\r\nAt this stage, we have two similar, parallel constructions of events – the how behind the immediate deployment\r\nand execution of TRITON/TRISIS – yet dramatically different responses in terms of attribution and labeling.\r\nSince late 2018, based upon the most-recent posting, FireEye appears to have “walked back” the previously-used\r\nterminology of TEMP.Veles and instead refers rather cryptically to the “TRITON actor”, while Dragos leveraged\r\nidentified behaviors to consistently refer to an activity group, XENOTIME. 
Given that both organizations appear\r\nto describe similar (if not identical) activity, any reasonable person could (and should) ask – why the inconsistency\r\nin naming and identification?\r\nhttps://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/\r\nPage 1 of 3\n\nAside from the competitive vendor naming landscape (which I am not a fan of in cases of direct overlap, but\r\nwhich has more to say for itself when different methodologies are employed around similar observations), the\r\ndistinction between FireEye and Dragos’ approaches with respect to the “TRITON actor” comes down to\r\nfundamental philosophical differences in methodology. As wonderfully described in a recent public posting,\r\nFireEye adheres to a naming convention based upon extensive data collection and activity comparison, designed\r\nto yield the identification of a discrete, identifiable entity responsible for a given collection of activity. This\r\ntechnique is precise and praiseworthy – yet at the same time, appears so rigorous as to impose limitations on the\r\nability to dynamically adjust and adapt to emerging adversary activity. (Or for that matter, even categorize\r\notherwise well-known historical actors operating to the present day, such as Turla.)\r\nFireEye’s methodology may have particular limitations in instances where adversaries (such as XENOTIME and\r\npresumably TEMP.Veles) rely upon extensive use of publicly-available, commonly-used tools with limited\r\namounts of customization. In such cases, utilizing purely technical approaches for differentiation (an issue I\r\nlightly touched on in a recent post) becomes problematic, especially when trying to define attribution to specific,\r\n“who-based” entities (such as a Russian research institute). 
My understanding is FireEye labels entities where\r\ndefinitive attribution is not yet possible with the “TEMP” moniker (hence, TEMP.Veles) – yet in this case FireEye\r\ndeveloped and deployed the label, then appeared to move away from it in subsequent reporting. Based on the\r\npublic blog post – which also indicated that FireEye is responding to an intrusion at a second facility featuring the\r\nsame or similar observations – this is presumably not for lack of evidence, yet the “downgrade” occurs all the\r\nsame.\r\nIn comparison, XENOTIME was defined based on principles of infrastructure (compromised third-party\r\ninfrastructure and various networks associated with several Russian research institutions), capabilities (publicly- and commercially-available tools with varying levels of customization) and targeting (an issue not meant for\r\ndiscussion in this blog). In personally responding to several incidents across multiple industry sectors since early\r\n2018 matching TTPs from the TRITON/TRISIS event, these items proved consistent and supported the creation of\r\nthe XENOTIME activity group. This naming decision was founded upon the underlying methodology described in\r\nthe Diamond Model of intrusion analysis. As such, this decision does not necessarily refer to a specific institution,\r\nbut rather a collection of observations and behaviors observed across multiple, similarly-situated victims. Of note,\r\nthis methodology of naming abstracts away the “who” element – XENOTIME may represent a single discrete\r\nentity (such as a Russian research institution) or several entities working in coordination in a roughly repeatable,\r\nsimilar manner across multiple events. 
Ultimately, the epistemic foundation of the behavior-based naming\r\napproach makes this irrelevant for tracking (and labeling for convenience’s sake) observations.\r\nMuch like the observers watching the shadows of objects cast upon the wall of the cave, these two definitions\r\n(XENOTIME and TEMP.Veles, both presumably referring to “the TRITON actor”) describe the same phenomena,\r\nyet at the same time appear different. This question of perception and accuracy rests upon the underlying\r\nepistemic framework and the goal conceived for that framework in defining an adversary: FireEye’s methodology\r\nfollows a deductive approach requiring the collection of significant evidence over time to yield a conclusion that\r\nwill be necessary given the premises (the totality of evidence suggests APTxx); the Dragos approach instead seeks\r\nan inductive approach, where premises may all be true but the conclusion need not necessarily follow from them\r\ngiven changes in premises over time or other observations not contained within the set (thus, identified behaviors\r\nstrongly suggest an activity group, defined as X).\n\nFrom an external analyst’s point of view, the wonder is, which is superior to the other? And my answer for this is:\r\nneither is perfect, but both are useful – depending upon your goals and objectives. 
But rather than trying to pursue\r\nsome comparison between the two for identification of superiority (an approach that will result in unproductive\r\nargument and social media warring), the point of this post is to highlight the distinctions between these approaches\r\nand how – in the case of “the TRITON actor” – they result in noticeably different conclusions from similar\r\ndatasets.\r\nOne reason for the distinction may be differences in evidence, as FireEye’s public reporting notes two distinct\r\nevents of which they are aware and to which they have responded related to “the TRITON actor”, while Dragos has been\r\nengaged in several instances – thus, Dragos would possess more evidence to cement the definition of an activity\r\ngroup, while FireEye’s data collection-centric approach would require far more observations to yield an “APT”.\r\nYet irrespective of this, it is confusing why the previously-declared “TEMP” category was walked back, as this has\r\nled to no small amount of confusion – in both technical and non-technical audiences – as to just what FireEye’s\r\nblog post refers to.\r\nThus journalists (respected, at least by me) conflate the “TRITON actor is active at another site” with “TRITON\r\nmalware was identified at another site”. In this case, we’re seeing a definite problem with the overly-conservative\r\nnaming approach used as it engenders confusion in a significant subset of the intended audience. While some may\r\ndismiss adversary or activity naming as so much marketing, having a distinct label for something allows for\r\nclearer communication and more accurate discussion. 
Furthermore, conflating adversaries with tools, since tools\r\ncan be repurposed or used by other entities than those first observed deploying them, leads to further potential\r\nconfusion as the “X actor” is quickly compressed in the minds of some to refer to any and all instantiations of tool\r\n“X”.\r\nOverall, the discussion above may appear so much splitting of hairs or determining how many angels can dance\r\non the head of a pin – yet given the communicative impacts behind different naming and labeling conventions,\r\nthis exploration seems not merely useful but necessary. Understanding the “how” and “why” behind different\r\nentity classifications of similar (or even the same) activity allows us to move beyond the dismissive approach of\r\n“everyone has their names for marketing purposes” to a more productive mindset that grasps the fundamental\r\nmethodologies that (should) drive these decisions.\r\n*Note: Following publication, John Hultquist, director of FireEye iSight, provided clarification on use of “TEMP”\r\nnaming criteria in FireEye public reporting via Twitter.\r\nSource: https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/"
	],
	"report_names": [
		"a-xenotime-to-remember-veles-in-the-wild"
	],
	"threat_actors": [
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-10T02:00:05.383475Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-10T02:00:03.1772Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-10T02:00:04.934107Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441579,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/52d03ce75c2366b0e57d064f58d72054b3709a27.pdf",
		"text": "https://archive.orkl.eu/52d03ce75c2366b0e57d064f58d72054b3709a27.txt",
		"img": "https://archive.orkl.eu/52d03ce75c2366b0e57d064f58d72054b3709a27.jpg"
	}
}