GRAPHITE
Since 2023
GRAPHITE is focused on energy and industrial organizations in Eastern Europe and the Middle East, particularly those involved in the military conflict in Ukraine. Since 2022, the group has conducted spear-phishing campaigns to steal credentials, often exploiting vulnerabilities like a no-click flaw in Microsoft Outlook.

The group initially relied on networks of compromised Ubiquiti Edge Routers to distribute malware and maintain command-and-control (C2) operations. However, after a U.S.-led takedown of their botnet in early 2024, GRAPHITE shifted to using legitimate internet services, such as API endpoint testing platforms and GitHub, to stage their attacks.
GRAPHITE is capable of Stage 1 of the ICS Cyber Kill Chain. While they have not yet demonstrated disruptive ICS capabilities, their intelligence-gathering efforts suggest they could enable future cyber operations against industrial targets. Organizations involved in energy production and infrastructure, especially those linked to Ukraine, should remain vigilant against this group.
About Dragos Threat Intelligence
Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate or conduct political attribution of threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’s approach to categorizing threat activity and attribution.
Dragos does not publicly describe ICS threat group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on GRAPHITE and other group tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.