# ALLANITE | Dragos **dragos.com/blog/20180510Allanite.html** Threat Activity Group ## ALLANITE Since 2017 May 30, 2020 ALLANITE accesses business and industrial control (ICS) networks, conducts reconnaissance, and gathers intelligence in United States and United Kingdom electric utility sectors. Dragos assesses with moderate confidence that ALLANITE operators continue to maintain ICS network access to: (1) understand the operational environment necessary to develop disruptive capabilities, (2) have ready access from which to disrupt electric utilities. ----- ALLANITE operations continue and intelligence indicates activity since at least May 2017. [ALLANITE activity closely resembles Palmetto Fusion described by the US Department of](https://www.washingtonpost.com/world/national-security/us-officials-say-russian-government-hackers-have-penetrated-energy-and-nuclear-company-business-networks/2017/07/08/bbfde9a2-638b-11e7-8adc-fea80e32bf47_story.html?noredirect=on&utm_term=.cd1d17d6a118) [Homeland Security (DHS). In October 2017, a DHS advisory documented ALLANITE](https://www.us-cert.gov/ncas/alerts/TA17-293A) technical operations combined with activity with a group Symantec calls Dragonfly (which Dragos associates with DYMALLOY). ALLANITE’s targeting and techniques are similar to other activity groups, including Dragonfly, and activity Dragos labels DYMALLOY. However, ALLANITE’s technical capabilities are significantly different from Dragonfly and DYMALLOY. ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks, including collecting and distributing screenshots of industrial control systems. ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities. ALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system. ----- Public disclosure by third-parties, including the DHS, associate ALLANITE operations with Russian strategic interests. However, Dragos does not corroborate the attribution of others. US officials told the media in July 2017 these adversaries gained access to business and administrative systems, not operations networks. Since then, third-party reporting indicates ALLANITE has gathered information directly from ICS networks, which Dragos can independently confirm. _Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and_ _other sources to provide comprehensive insight into threats affecting industrial control_ _security and safety worldwide. Dragos does not corroborate nor conduct political attribution_ _to threat activity. Dragos instead focuses on threat behaviors and appropriate detection and_ _response._ _[Read more about Dragos’ approach to categorizing threat activity and attribution.](https://www.dragos.com/blog/industry-news/threat-analytics-and-activity-groups/)_ _Dragos does not publicly describe ICS activity group technical details except in_ _extraordinary circumstances in order to limit tradecraft proliferation. However, full details on_ _ALLANITE and other group tools, techniques, procedures, and infrastructure is available to_ _[network defenders via Dragos WorldView.](https://www.dragos.com/worldview)_ ### Contact Us For a Demo [Contact Us](https://dragos.com/contact) -----