(Dragos) Allanite accesses business and industrial control (ICS) networks, conducts reconnaissance, and gathers intelligence in United States and United Kingdom electric utility sectors. Dragos assesses with moderate confidence that Allanite operators continue to maintain ICS network access to: (1) understand the operational environment necessary to develop disruptive capabilities, (2) have ready access from which to disrupt electric utilities. Allanite uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks, including collecting and distributing screenshots of industrial control systems. Allanite operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities. Allanite conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system.
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| IP:Port | Timestamp |
|---|
| Domain | Timestamp |
|---|
| URL | Timestamp |
|---|
Actor: Allanite
Names: Allanite, Palmetto Fusion
Country: [Unknown]
Motivation: Information theft and espionage
First-seen: 2017
Description: (Dragos) Allanite accesses business and industrial control (ICS) networks, conducts reconnaissance, and gathers intelligence in United States and United Kingdom electric utility sectors. Dragos assesses with moderate confidence that Allanite operators continue to maintain ICS network access to: (1) understand the operational environment necessary to develop disruptive capabilities, (2) have ready access from which to disrupt electric utilities. Allanite uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks, including collecting and distributing screenshots of industrial control systems. Allanite operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities. Allanite conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system.
Observed-sectors: Energy
Observed-countries: UK
Observed-countries: USA
Tools: Inveigh
Tools: PsExec
Tools: SecreetsDump
Tools: THC Hydra
Tools: Powershell scripts
Information: https://dragos.com/resource/allanite/
Mitre-attack: https://attack.mitre.org/groups/G1000/
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |