XENOTIME

Threat Actor updated a month ago (2024-11-29T13:30:47.145Z)
Download STIX
Preview STIX
XENOTIME is a threat actor group that has been active since late 2018, gaining notoriety for its malicious cyber activities. The group was initially referred to as TEMP.Veles by FireEye, but this terminology was later replaced with the more cryptic "TRITON actor". Meanwhile, cybersecurity firm Dragos consistently refers to the group as XENOTIME, based on identified behaviors. Using the Diamond Model methodology for characterizing activity by behaviors attached to victims, Dragos began tracking TRITON/TRISIS and related activities as a distinct group named XENOTIME. This characterization was based on information from initial TRITON/TRISIS responders and subsequent work on follow-on activity by this entity. XENOTIME, along with other Industrial Control Systems (ICS) hacking groups like Chernovite, Kamocite, and Electrum, spent 2022 conducting reconnaissance, building capacity, and engaging in initial access activity targeting across industrial sectors. The naming methodology abstracts away the "who" element, meaning XENOTIME could represent a single entity or several entities working in coordination. Despite different names, both XENOTIME and TEMP.Veles refer to the same phenomena, describing the same threat actor but appearing different due to the perspective of observation. The exploitation of flaw CVE-2023-3595 by XENOTIME bears similarity to their previous use of a zero-day issue in the TRISIS attack. The type of access provided by CVE-2023-3595 is comparable to that granted by XENOTIME’s zero-day in the TRISIS attack. This has caused concern among security firms, with Dragos comparing this vulnerability to the zero-day employed by XENOTIME in the Trisis/Triton attack. In several incidents across multiple industry sectors since early 2018, consistent Tactics, Techniques, and Procedures (TTPs) from the TRITON/TRISIS event supported the creation of the XENOTIME activity group.
Description last updated: 2024-05-04T23:44:17.471Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Trisis is a possible alias for XENOTIME. TRISIS, also known as TRITON, is a particularly dangerous form of malware that targets safety instrumented systems (SIS) of industrial facilities. It was first identified in 2017 when it targeted a petrochemical facility in Saudi Arabia. The malware specifically attacked Triconex SIS controllers, wh
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Zero Day
Exploit
Ics
Malware
Dragos
Industrial
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The vulnerability CVE-2023-3595 is associated with XENOTIME. Unspecified
2
Source Document References
Information about the XENOTIME Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more