1. Home
  2. Groups
  3. TEMP.Veles

TEMP.Veles

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.[1][2][3]

ID: G0088
Associated Groups: XENOTIME
Version: 1.3
Created: 16 April 2019
Last Modified: 17 October 2021

Associated Group Descriptions

Name Description
XENOTIME

The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON .[4][5][1][6]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

TEMP.Veles has used Virtual Private Server (VPS) infrastructure.[1]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TEMP.Veles has used a publicly-available PowerShell-based tool, WMImplant.[2] The group has also used PowerShell to perform Timestomping.[1]
Enterprise T1074 .001 Data Staged: Local Data Staging

TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.[1]
Enterprise T1546 .012 Event Triggered Execution: Image File Execution Options Injection

TEMP.Veles has modified and added entries within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to maintain persistence.[1]

Enterprise T1133 External Remote Services

TEMP.Veles has used a VPN to persist in the victim environment.[1]
Enterprise T1070 .004 Indicator Removal on Host: File Deletion

TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.[1]
.006 Indicator Removal on Host: Timestomp

TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.[1]
Enterprise T1571 Non-Standard Port

TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.[1]
Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.[2]
Enterprise T1588 .002 Obtain Capabilities: Tool

TEMP.Veles has obtained and used tools such as Mimikatz and PsExec.[1]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials. [1]
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

TEMP.Veles utilized RDP throughout an operation.[1]

.004 Remote Services: SSH

TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

TEMP.Veles has used scheduled task XML triggers.[1]
Enterprise T1505 .003 Server Software Component: Web Shell

TEMP.Veles has planted Web shells on Outlook Exchange servers.[1]
Enterprise T1078 Valid Accounts

TEMP.Veles has used compromised VPN accounts.[1]

Software

ID Name References Techniques
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0029 PsExec [1][4] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0609 TRITON [2] Command and Scripting Interpreter: Python, Masquerading, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Remote System Discovery

References

  1. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  2. FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.
  3. Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.
  1. Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.
  2. Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.
  3. FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.