Dragos' Adversary Groups

Read the latest details about threat groups the Dragos Intel Team tracks


At Dragos, we track a number of Activity Groups. By collecting and analyzing cyber intrusions and attempted compromises of ICS networks, we have built profiles of the known groups targeting ICS environments. Dragos does not attribute behaviors to individuals or nation-states; we focus not on who the adversaries are but on how they operate. This lets Dragos create robust analytics that provide comprehensive data on actions, capabilities, and intentions, which defenders can use when building defensive plans.


With this project, Dragos is putting our Activity Groups in one place. Here you will find high-level information compiled by the Threat Intelligence team, outlining the description, associations, capabilities, and victimology of each Activity Group. Full reports detailing the TTPs and Dragos' research are available to our WorldView subscribers.

ALLANITE Activity Group (active since 2017)

Mode of Operation: Watering-hole and phishing leading to ICS recon and screenshot collection

Capabilities: PowerShell scripts, THC Hydra, SecretsDump, Inveigh, PsExec

Victimology: Electric utilities, US & UK

Links: Palmetto Fusion

CHRYSENE Activity Group (active since 2017)

Mode of Operation: IT compromise, information gathering and recon against industrial orgs

Capabilities: Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR

Victimology: Oil & Gas, Manufacturing; Europe, MENA, N. America

Links: OilRig, Greenbug

COVELLITE Activity Group (active since 2017)

Mode of Operation: IT compromise with hardened anti-analysis malware against industrial orgs

Capabilities: Encoded binaries in documents, evasion techniques

Victimology: Electric Utilities, US

Links: Lazarus, Hidden Cobra

DYMALLOY Activity Group (active since 2017)

Mode of Operation: Deep ICS environment information gathering, operator credentials, industrial process details

Capabilities: GOODOR, DORSHEL, KARAGANY, Mimikatz

Victimology: Turkey, Europe, US

Links: Dragonfly2, Berserker Bear

ELECTRUM Activity Group (active since 2017)

Mode of Operation: Electric grid disruption and long-term persistence

Capabilities: CRASHOVERRIDE

Victimology: Electric Utilities, Ukraine

Links: Sandworm

MAGNALLIUM Activity Group (active since 2017)

Mode of Operation: IT network limited, information gathering against industrial orgs

Capabilities: STONEDRILL wiper, variants of TURNEDUP malware

Victimology: Petrochemical, Aerospace; Saudi Arabia

Links: APT33

XENOTIME Activity Group (active since 2014)

Mode of Operation: Focused on physical destruction and long-term persistence

Capabilities: TRISIS, custom credential harvesting

Victimology: Oil & Gas, Middle East

Links: None

To learn more about these threat activity groups, or to sign up for a 45-day trial of our WorldView subscription, contact info@dragos or visit our WorldView page.

Interested in Learning More?

We don't require you to submit your information, but if you would like to stay up to date with the latest news and events from Dragos, Inc., then let us know who you are.
