LAURIONITE uses open-source offensive security tooling with public proof of concepts to aid in exploiting common vulnerabilities, targeting industrial organizations including manufacturing.

LAURIONITE was first discovered actively targeting and exploiting Oracle E-Business Suite iSupplier web services and assets across several industries, including aviation, automotive, manufacturing, and government. LAURIONITE utilizes a combination of open-source offensive security tooling and public proof of concepts to aid in their exploitation of common vulnerabilities.  

Oracle E-Business Suite is one of the most widely used enterprise solutions for integrated business processes. By utilizing compromised infrastructure, LAURIONITE can remain undetected or overlooked due to its origin being from trusted or known organizations.  

LAURIONITE has demonstrated the ability to conduct the complete attack cycle of offensive cyber operations that achieve Stage 1 of the ICS Cyber Kill Chain from Reconnaissance to Actions on the Objective. The adversary operators show expertise in various offensive cyber operation skills in navigating target systems, exploiting vulnerabilities, maintaining persistence, conducting lateral movement, internal reconnaissance, defense evasion, and exfiltration. 

About Dragos Threat Intelligence

Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate nor conduct political attribution to threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’s approach to categorizing threat activity and attribution.  

Dragos does not publicly describe ICS threat group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on LAURIONITE and other group tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.