TEMP.Veles / XENOTIME
Executive Summary
TEMP.Veles (Mandiant designation) and XENOTIME (Dragos designation) refer to the same threat activity cluster responsible for developing and deploying TRITON — also known as TRISIS and HatMan — a malware framework engineered to attack Triconex Safety Instrumented Systems (SIS). The group is responsible for known attacks on industrial control systems, targeting safety mechanisms whose failure could permit uncontrolled physical processes. MITRE ATT&CK tracks the cluster as G0088.
The actor is assessed as Russia-aligned based on corroborating evidence from multiple independent vendor and government investigations. Dragos observed the group expanding its targeting beyond the initial incident scope to cover additional geographies and sectors through at least 2019.
Notable Campaigns
The most publicly documented incident attributed to this group targeted a petrochemical facility in Saudi Arabia in 2017. The attackers gained access to Triconex SIS controllers and deployed TRITON. A logic error in the malware caused the controllers to enter a fail-safe state, which triggered an unplanned process shutdown and surfaced the intrusion to defenders before physical damage occurred.
Dragos subsequently tracked XENOTIME conducting reconnaissance against targets beyond the initial Saudi Arabian target set, including entities in the United States and the Middle East, with particular interest noted in the electrical sector. This expansion is documented in Dragos’s XENOTIME threat profile. No additional confirmed destructive incidents attributable to this group have been disclosed in open-source reporting.
Technical Capabilities
The group’s primary capability is the TRITON framework, which communicates directly with Triconex Safety Instrumented Systems via Triconex’s proprietary TriStation protocol. TRITON is designed to reprogram SIS controller logic, disable safety instrumentation, or cause controllers to enter a fail state — any of which could remove safety protections from an industrial process.
Supporting capabilities include use of legitimate remote access tools (PLINK) and VPN sessions to blend with normal IT traffic, Python-based scripting for controller interaction and operational tooling, credential harvesting using Impacket and custom tooling, and multi-stage pre-positioning within corporate IT networks prior to OT environment access. The tool development quality and operational tradecraft are consistent with state-linked operators.
Attribution
The actor is assessed as Russia-aligned across independent government and vendor investigations. Vendor reporting — primarily from Mandiant and Dragos — identifies the Russian Central Scientific Research Institute of Chemistry and Physics (TsNIIKhM) as an assessed responsible organization. The CISA HatMan Malware Analysis Report (MAR-17-352-01, Update B) is the primary U.S. government technical document; it corroborates the Russia-based assessment but should not be read as independently confirming the specific TsNIIKhM attribution claim.
Attribution evidence includes infrastructure and IP address overlap linked to TsNIIKhM, malware artifacts consistent with Russian development patterns, and operational security lapses during the intrusion that exposed supporting infrastructure. Attribution of TsNIIKhM to a specific Russian government ministry or intelligence sponsor is not definitively established in available public reporting and should not be assumed.
MITRE ATT&CK (G0088) classifies activity associated with this group beginning approximately 2014, reflecting assessed pre-positioning and reconnaissance consistent with this actor. The first confirmed deployment of TRITON was the 2017 incident at the Saudi petrochemical facility.
MITRE ATT&CK Profile
Initial Access: The group used spearphishing attachments (T1566.001) to gain entry to target networks prior to OT environment access.
Execution: Python-based scripting and custom frameworks (T1059) were used for controller interaction and operational tooling, including communication with Triconex controllers via the proprietary TriStation protocol.
Persistence and Credential Access: Valid VPN and remote-access credentials (T1078) were leveraged to maintain access and blend with normal traffic. OS credential dumping (T1003) using Impacket and custom tooling supported lateral movement into OT environments.
Defense Evasion: TRITON malware components used filenames resembling legitimate Triconex software and Windows system files (T1036) to blend with expected host artifacts.
Impact: TRITON was engineered to stop or disable Triconex Safety Instrumented System services (T1489), removing safety protections from the targeted industrial process.
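The profile above describes TriStation traffic to SIS controllers originating from pre-positioned IT hosts; the following added example (not part of this profile, and not from any vendor tooling) shows a flow-log check a defender could run for that pattern. It assumes TriStation runs over UDP port 1502, and the controller addresses, approved engineering-workstation address, corporate subnet and flow records are all constructed for the example.

```python
"""Flag TriStation (Triconex engineering protocol) flows toward SIS controllers
that do not come from an approved engineering workstation."""
import ipaddress
from collections import defaultdict

TRISTATION_UDP_PORT = 1502  # assumption: TriStation engineering traffic is UDP/1502

# Constructed asset inventory for the example.
SIS_CONTROLLERS = {"10.20.30.11", "10.20.30.12"}     # Triconex SIS addresses
APPROVED_EWS = {"10.20.30.50"}                        # approved engineering workstation
CORPORATE_IT = ipaddress.ip_network("10.0.0.0/16")   # corporate IT address space

# Constructed flow records: timestamp,src,dst,proto,dst_port
SAMPLE_FLOWS = """\
2000-01-01T02:11:05Z,10.20.30.50,10.20.30.11,udp,1502
2000-01-01T02:12:19Z,10.20.30.50,10.20.30.12,udp,1502
2000-01-01T03:40:02Z,10.0.5.77,10.20.30.11,udp,1502
2000-01-01T03:40:40Z,10.0.5.77,10.20.30.12,udp,1502
2000-01-01T03:41:00Z,10.20.30.50,10.20.30.11,tcp,502
"""

def parse_flow(line):
    ts, src, dst, proto, port = line.strip().split(",")
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(), "port": int(port)}

def is_tristation(flow):
    """True when the flow is UDP/1502 addressed to a known SIS controller."""
    return (flow["proto"] == "udp" and flow["port"] == TRISTATION_UDP_PORT
            and flow["dst"] in SIS_CONTROLLERS)

def classify(flow):
    """Return a finding label, or None when the flow is expected."""
    if not is_tristation(flow) or flow["src"] in APPROVED_EWS:
        return None
    if ipaddress.ip_address(flow["src"]) in CORPORATE_IT:
        return "it_host_to_sis"   # IT-side host talking TriStation: pre-positioning pattern
    return "unapproved_ews"       # OT-side host that is not an approved workstation

def analyze(text):
    """Return (findings, multi) where multi holds sources that reached >1 controller."""
    findings, per_src = [], defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings.append((flow["ts"], flow["src"], flow["dst"], label))
            per_src[flow["src"]].add(flow["dst"])
    multi = {src for src, dsts in per_src.items() if len(dsts) > 1}
    return findings, multi
```

A source that reaches several controllers in a short window, as in the constructed data, deserves a higher priority than a single flow, since reprogramming logic on multiple SIS units is the behaviour the profile describes.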
Sources & References
Coverage of this actor is concentrated in the 2017–2019 period. Post-2019 operational activity has not been confirmed in open-source reporting. The Russia-aligned assessment is supported across independent government and vendor sources; the specific TsNIIKhM institutional attribution appears primarily in vendor reporting and should be read as an assessed claim. Attribution to a higher-level Russian state principal beyond TsNIIKhM remains plausible but is not definitively established in the open-source record. The three names for the malware — TRITON, TRISIS, HatMan — and the two names for the group — TEMP.Veles, XENOTIME — reflect independent discovery threads and do not indicate distinct toolsets or activity clusters.
- MITRE: ATT&CK Group G0088 — TEMP.Veles — MITRE, 2021-01-13
- CISA / DHS: HatMan — Safety System Targeted Malware (Update B) — CISA / DHS, 2018-12-18
- Google / Mandiant: Attackers Deploy New ICS Attack Framework TRITON — Google / Mandiant, 2017-12-14
- Dragos: XENOTIME Threat Profile — Dragos, 2019-01-01