KOSTOVITE, KAMACITE & XENOTIME – 2022 update
KOSTOVITE is an Active Threat identified by Dragos in 2021.
Although KOSTOVITE lacks specific tools or resources for disrupting industrial control systems (ICS), it has demonstrated the ability to gain initial access to ICS/OT environments and SCADA assets and to move laterally within them. Its target was a global energy company based in the USA.
KOSTOVITE’s primary strategy involves compromising and manipulating internet-facing remote access devices as a means of infiltrating OT targets and maintaining persistence during device upgrades. In addition, KOSTOVITE routes its activity through third-party Internet of Things (IoT) devices belonging to home and small business users in order to obscure its source. Notably, KOSTOVITE dedicates a separate group of compromised IoT devices to each target and removes all signs of its activity once an operation is complete.
KOSTOVITE possesses a high level of operational discipline and network device knowledge and has achieved the ICS Kill Chain Stage 2 capability.
Should KOSTOVITE target ICS and OT systems again, asset owners and operators must be prepared with strong detection, defense, and mitigation measures for the vulnerable ICS and OT enclaves within their enterprise perimeter, so that any attempt by KOSTOVITE to exploit these systems is swiftly identified and mitigated.
Since 2014, KAMACITE has been actively targeting industrial infrastructure verticals. The threat group has been linked to several industrial infrastructure intrusion events, including those that enabled the Ukraine power events in 2015 and 2016. While KAMACITE has demonstrated its own industrial control system (ICS)-specific capabilities, it has also facilitated ICS disruptive events carried out by other threat groups, including ELECTRUM.
In February 2022, a newly discovered malware capability known as CYCLOPS BLINK was reported. The report indicates that this malware primarily targets small office/home office (SOHO) routers and network-attached storage (NAS) devices from WatchGuard and ASUS, infecting them and incorporating them into a botnet used for command and control (C2) purposes. The industries targeted were electric, natural gas, and food & agriculture.
In March 2022, further CYCLOPS BLINK instances were identified in the wild. On this occasion CYCLOPS BLINK’s targets were companies from the rail, aerospace, food & beverage, and automotive industries, as well as some US Government agencies.
The most recent recorded activity of KAMACITE dates to June 2022, when its framework was reportedly communicating with a regional power distribution entity in Ukraine, the same entity attacked in 2015 in the event that caused a massive power outage in western Ukraine.
Considering its previous actions and renewed activities in 2022, there is a fair possibility that KAMACITE will persist in carrying out reconnaissance and command and control (C2) activities.
XENOTIME is among the four publicly known threat groups (the others being CHERNOVITE, ELECTRUM, and KAMACITE) that possess the determination, incentive, and potential to target and disrupt or destroy critical infrastructure, with a particular focus on the oil and natural gas (ONG) sector.
XENOTIME is the sole threat group that has shown the capability to breach and disturb industrial safety instrumented systems (SIS), potentially causing environmental harm, containment breaches, operational control loss, and loss of human life.
During 2022, XENOTIME carried out extensive research activities targeting LNG compressor train processes, offshore production sites, LNG terminal ports, and emergency response organizations within the ONG industry, as well as onshore production sites connected to shale gas and midstream organizations.