New ICS Threat Activity Group: TALONITE

Dragos first disclosed four new threat activity groups targeting ICS/OT in the ICS Cybersecurity 2020 Year in Review report. In this blog post, we will provide more information on one of the new groups: TALONITE. The fundamental assessment of threats tracked by Dragos is that they are explicitly attempting to gain access to ICS networks and operations, or have succeeded in achieving such access, rather than simply trying to gain access to an industrial organization. To learn more about ICS threat activity groups and how they are created, we invite you to read our blog post “Uncovering ICS Threat Activity Groups.”



Activity Group: a set of intrusion events related with varying degrees of confidence by similarities in their features or processes used to answer analytic questions and develop broad mitigation strategies that achieve effects beyond the immediate threat. 


TALONITE Activity Group Overview


Dragos began tracking the TALONITE activity group in July 2019, with operations focusing on initial access compromises in the United States (U.S.) electric sector. The group uses phishing techniques with either malicious documents or executables. TALONITE uses two custom malware families, LookBack and FlowCloud, each of which is made up of multiple components.


TALONITE focuses on subverting and taking advantage of trust with phishing lures focusing on engineering-specific themes and concepts, malware that abuses otherwise legitimate binaries or modifies such binaries to include additional functionality, and a combination of owned and compromised network infrastructure. This activity is difficult to track and contain given the group’s propensity to blend techniques and tactics in order to ensure a successful intrusion. There is behavioral and tooling overlap be ..
