KAMACITE
Spearphishing, exploiting SOHO routers, and leveraging custom capabilities to enable ELECTRUM operations.

While the group has evolved over time, many aspects of its operations and tradecraft have remained remarkably similar over the past six years as of this writing. Although KAMACITE has not directly caused an ICS disruptive event according to Dragos analysis, the group is responsible for enabling other entities – such as ELECTRUM – to be in a position to deliver ICS-specific attacks.
Date: Since 2014
ADVERSARY
- Overlap with SANDWORM activity
CAPABILITIES
- Phishing & credential replay for initial access
- Custom malware development & deployment; also known to modify third-party criminal malware
VICTIM
- Ukraine, Europe, US
INFRASTRUCTURE
- Primary focus on compromised infrastructure in Europe
- Spoofs legitimate technology & social media services
ICS IMPACT
- Operations linked to five ICS targeting events; proven operations leading to disruption; facilitated the 2015 and 2016 Ukraine power events