VANADINITE – New ICS Threat Activity Group Potentially Linked to Use of Ransomware Against Industrial Organizations

Author: Jennifer Walker

Created: Thursday, March 18, 2021 - 17:38

Categories: Cybersecurity

In its recent ICS Cybersecurity 2020 Year in Review Report (shared in the Security & Resilience Update for February 25, 2021), Dragos revealed four new ICS threat activity groups: KAMACITE, VANADINITE, STIBNITE, and TALONITE. It has been featuring them in follow-up blog posts, starting with KAMACITE, an activity group linked to BLACKENERGY and the Ukraine power events. Next up is VANADINITE, another threat activity group with a focus on electric utilities, along with oil and gas, manufacturing, telecommunications, and transportation, with targets primarily in North America and Europe.

Thus far, VANADINITE has largely gained initial access into victim infrastructure by exploiting external-facing network and security devices using publicly available exploits. While most of VANADINITE’s operations have been limited to initial access and information gathering, Dragos has observed activity involving ColdLock ransomware that it suspects may be attributable to VANADINITE. Dragos assesses that VANADINITE may continue to use ransomware in future operations targeting industrial entities. Additionally, Dragos assesses with high confidence that VANADINITE will continue to exploit recently disclosed vulnerabilities for initial access because of the success it has had with this method. Most importantly, asset owners and operators should treat vulnerabilities in external-facing network appliances as a serious issue, as multiple ICS-targeting adversaries successfully use this technique. For more details, including how to detect and mitigate VANADINITE network exploitation, visit Dragos.
