XENOTIME is a threat actor group that has been active since late 2018 and is known for its malicious cyber activities. FireEye initially referred to the group as TEMP.Veles, later replacing that name with the more cryptic "TRITON actor". Dragos consistently refers to the group as XENOTIME, based on identified behaviors: using the Diamond Model methodology, which characterizes activity by the behaviors attached to victims, Dragos began tracking TRITON/TRISIS and related activity as a distinct group named XENOTIME. This characterization drew on information from the initial TRITON/TRISIS responders and on subsequent work on follow-on activity by the same entity.
XENOTIME, along with other Industrial Control Systems (ICS) hacking groups such as Chernovite, Kamacite, and Electrum, spent 2022 conducting reconnaissance, building capacity, and carrying out initial access activity across industrial sectors. The naming methodology abstracts away the "who" element, so XENOTIME could represent a single entity or several entities working in coordination. Despite the different names, XENOTIME and TEMP.Veles refer to the same phenomenon: the same threat actor, which appears different only because of the perspective from which it was observed.
XENOTIME’s exploitation of the flaw CVE-2023-3595 resembles the group’s earlier use of a zero-day vulnerability in the TRISIS attack: the type of access CVE-2023-3595 provides is comparable to that granted by XENOTIME’s TRISIS zero-day. This has raised concern among security firms, with Dragos comparing the vulnerability to the zero-day employed by XENOTIME in the TRISIS/TRITON attack. The consistent Tactics, Techniques, and Procedures (TTPs) from the TRITON/TRISIS event, observed in several incidents across multiple industry sectors since early 2018, supported the creation of the XENOTIME activity group.
Description last updated: 2024-05-04T23:44:17.471Z