Threat Groups

Your first line of defense against adversaries

Powered by human intelligence, Dragos’ main threat detection method is based on analytics codified by our Threat Intelligence team. Our experts track adversary behaviors and extract their tactics, techniques, and procedures (TTP), which are then characterized into threat analytics we use to power the Dragos Platform’s accurate threat detection capabilities.


What goes into tracking the world’s top Industrial Threat Groups?

Dragos collects and analyzes information on cyber intrusions and attempts to compromise ICS networks
We create profiles of known groups targeting ICS environments so we can focus on how they operate
Finally, we establish robust analytics with comprehensive data around actions, capabilities, and intentions

Threat Groups We’re Tracking

The Threat Group reports below are compiled by our expert practitioners to provide awareness about your threat landscape and evolving threats, so you can create defensive plans to protect your ICS environments.

BAUXITE
since 2023
Ability to compromise PLCs, modify ladder logic, and deploy custom backdoors on OT devices.
GRAPHITE
since 2023
Spearphishing and credential theft for reconnaissance and espionage targeting industrial sectors.
BENTONITE
since 2021
Employs LOTL tactics to establish persistent access to victim environments.
LAURIONITE
since 2023
Targets Oracle e-Business Suite iSupplier web services and assets across multiple industrial sectors.
GANANITE
since 2022
Impersonates victims, exploits vulnerabilities, targets internet-exposed endpoints, and exfiltrates data.
VOLTZITE
since 2023
Uses LOTL techniques for reconnaissance, enumeration, lateral movement, and long-term persistent access.
CHERNOVITE
since 2021
Development of ICS malware to disrupt, degrade, and destroy industrial environments and processes.
KOSTOVITE
since 2021
Uses perimeter device compromise and LOTL techniques for reconnaissance and exfiltration.
PETROVITE
since 2019
Employs spearphishing and backdoor capabilities for initial access, reconnaissance, C2.
TALONITE
since 2019
Spearphishing with malicious documents or executables for initial access compromise.
KAMACITE
since 2014
Spearphishing, exploiting SOHO routers, and leveraging custom capabilities to enable ELECTRUM operations.
STIBNITE
since 2019
Compromises IT networks via insecure VPNs to conduct reconnaissance activities.
VANADINITE
since 2019
Targets vulnerable external-facing network appliances to access IT networks and establish a foothold.
XENOTIME
since 2014
Development of ICS malware for physical disruption causing unsafe conditions and long-term persistence.
ELECTRUM
since 2016
Electric grid disruption and long-term persistence using LOTL tactics and custom ICS malware.
DYMALLOY
since 2016
Deep ICS environment information gathering, including operator credentials and industrial processes.
MAGNALLIUM
since 2017
Relies on phishing campaigns, password spraying, and malware delivery for reconnaissance.
RASPITE
since 2017
Credential capture and LOTL techniques employed for initial access, reconnaissance, C2.
HEXANE
since 2018
Uses third-party connections from telecom providers for network access to industrial organizations.
PARISITE
since 2017
Exploits known VPN vulnerabilities and open-source pentesting tools for reconnaissance, initial access, C2.
WASSONITE
since 2018
Employs known malware for remote access, credential capture, and lateral movement.
ALLANITE
since 2017
Watering-hole and phishing attacks leading to ICS reconnaissance and screenshot collection.
CHRYSENE
since 2017
Watering-hole attacks, malware, and covert communication for reconnaissance.

Dragos Threat Intelligence

Want more in-depth visibility of adversaries, vulnerabilities and threats? Full reports detailing the tactics, techniques, and procedures (TTP) and Dragos’ research are available to our Threat Intelligence subscribers. Request a free 30-day trial today.