{"description": "ICS techniques used by TEMP.Veles, ATT&CK group G0088 (v1.4)", "name": "TEMP.Veles (G0088)", "domain": "ics-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T0830", "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) changed the phone numbers tied to specific accounts in a designated contact list. They then used the changed phone numbers to redirect network traffic to websites they controlled, allowing them to capture and use any login codes sent to the devices via text message.(Citation: Triton-EENews-2017)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0807", "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088)\u2019 tool took one option from the command line, a single IP address of the target Triconex device.(Citation: FireEye TRITON Dec 2017)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0817", "comment": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilizes watering hole websites to target industrial employees.(Citation: Chris Bing May 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0872", "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) would programmatically return the controller to a normal running state if the [Triton](https://attack.mitre.org/software/S1009) malware failed. If the controller could not recover in a defined time window, [TEMP.Veles](https://attack.mitre.org/groups/G0088) programmatically overwrote their malicious program with invalid data.(Citation: FireEye TRITON Dec 2017)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0867", "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) attempted on multiple victim machines to transfer and execute the WMImplant tool.(Citation: FireEye TEMP.Veles 2018)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0828", "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) tripped a controller into a failed-safe state, which caused an automatic shutdown of the plant and paused plant operations for more than a week, impacting industrial processes and halting productivity.(Citation: FireEye TRITON Dec 2017)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0843", "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) downloaded multiple rounds of control logic to the Safety Instrumented System (SIS) controllers through a program append operation.(Citation: FireEye TRITON Dec 2017)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0886", "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) utilized remote desktop protocol (RDP) jump boxes and poorly configured OT firewalls, along with other traditional malware backdoors, to move into the ICS environment.(Citation: FireEye TRITON 2018)(Citation: Triton-EENews-2017)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0853", "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) used a publicly available PowerShell-based tool, WMImplant.(Citation: FireEye TEMP.Veles 2018)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0862", "comment": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) targeted several ICS vendors and manufacturers.(Citation: Dragos Threat Intelligence August 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0855", "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) leveraged [Triton](https://attack.mitre.org/software/S1009) to send unauthorized command messages to the Triconex safety controllers.(Citation: FireEye TRITON 2018)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T0859", "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) used valid credentials when laterally moving through RDP jump boxes into the ICS environment.(Citation: FireEye TRITON 2018)", "score": 1, "color": "#ff6666", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by TEMP.Veles", "color": "#66b1ff"}, {"label": "used by a campaign attributed to TEMP.Veles", "color": "#ff6666"}, {"label": "used by TEMP.Veles and used by a campaign attributed to TEMP.Veles", "color": "#ff66f4"}]}