ELECTRUM and Beyond: ICS Activity Groups over the Last Year

Main Stage

In addition to providing information on ELECTRUM – the group’s background, and activity observed since 2016 – Dragos will discuss two other topics: the first in-depth reporting on COVELLITE, a grid-focused group that targeted operators in North America during the summer of 2017; and an overview of DYMALLOY and the PALMETTO FUSION phishing campaign, detailing the nuances of activity attribution and its significance for ICS defenders. Aside from providing details on how these groups operate – and how defenders can get ahead of their operations – we will also utilize the discussion to elaborate on the overall ICS threat environment, and what we expect in 2018.

2016 closed with another Ukrainian power grid event. Further analysis of the event indicated a defined set of behaviors, tactics, and procedures combined with specificity of victim to identify the event as activity group ELECTRUM. Activity groups follow the Diamond Model of intrusion analysis to frame events as a combination of adversary, victim, capability, and infrastructure. Focusing on this level of analysis as opposed to traditional actor attribution enables Dragos and defenders more generally to develop behavioral identifiers to categorize, sort, and respond to known attack types. While ELECTRUM is arguably the most famous and prominent ICS activity group for the past year, Dragos has since identified several others carrying out operations in this time period.

Attacks and Attackers