Threat Group

BENTONITE

Active Since 2021

BENTONITE is a new ICS Threat Group that has increasingly and opportunistically targeted maritime oil and natural gas (ONG), governments, and the manufacturing sector since 2021.

While BENTONITE does not exhibit the breakthrough capabilities of CHERNOVITE, the group was found last year to be actively attacking industrial organizations. BENTONITE’s operations have impacted North American ONG maritime support organizations and state, local, tribal, and territorial (SLTT) governments. BENTONITE compromised these organizations by exploiting Log4j and VMware Horizon vulnerabilities on internet-facing assets. Once inside a victim’s environment, BENTONITE is tenacious in retaining its access: it moves laterally to other hosts, collects credentials, and establishes long-term persistence through scheduled tasks combined with malware implants, which re-enable access for the adversary operator.

About Dragos Threat Intelligence

Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate or conduct political attribution of threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’s approach to categorizing threat activity and attribution.

Dragos does not publicly describe ICS threat group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on LAURIONITE and other group tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.  
