Electrum, Erythrite, and Wassonite - 2022 ICS threat group profile updates
Updated profiles of three ICS threat groups: Electrum (Industroyer/Industroyer2, Sandworm), Erythrite (IT/OT reconnaissance in North America), Wassonite (targeting nuclear and energy sectors).
Józef Sulwiński
In our previous article in this series, we covered Kostovite, Kamacite, and Xenotime - three ICS threat groups whose profiles Dragos updated in 2022. This article completes the picture with three more groups: Electrum, Erythrite, and Wassonite. Each operates in a different segment of the critical infrastructure threat ecosystem.
Electrum - the creators of Industroyer and Industroyer2
Electrum is the activity group Dragos holds responsible for Industroyer (2016) and Industroyer2 (2022), two of the very few malware families ever found in a production environment that were purpose-built to attack power grids.
From Industroyer to Industroyer2
On the night of December 17, 2016, shortly before midnight local time, the Pivnichna (North) substation of the transmission operator Ukrenergo near Kyiv lost power. For about an hour, roughly one-fifth of the capital's electricity supply was cut. The cause was Industroyer (Dragos name: CRASHOVERRIDE), malware able to talk directly to grid equipment over four industrial protocols: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA.
Six years later, in April 2022, less than two months into Russia's full-scale invasion of Ukraine, Electrum returned with Industroyer2. CERT-UA, working with ESET and Microsoft, found and neutralized the malware in the network of a Ukrainian high-voltage power provider before its hard-coded execution time on April 8, 2022; no outage resulted.
What changed in Electrum’s profile in 2022
The Industroyer2 attack revealed the evolution of Electrum’s capabilities:
| Aspect | Industroyer (2016) | Industroyer2 (2022) |
|---|---|---|
| Architecture | Modular: separate payloads for 4 protocols | Single binary, IEC 60870-5-104 only |
| Configuration | External configuration files | Target IPs, ASDU addresses, IOAs and timing compiled into the binary |
| Target | Ukrenergo transmission substation (Pivnichna, Kyiv region) | High-voltage substations of a Ukrainian power provider |
| Accompanying malware | Built-in data wiper module (KillDisk-like) | CaddyWiper (Windows); ORCSHRED, SOLOSHRED, AWFULSHRED (Linux/Solaris) |
| Coordination | Single self-contained toolkit | Coordinated deployment with separate wipers across IT and OT hosts |
The drop from four protocols to one is not a loss of capability. Industroyer2's hard-coded parameters, the target station IP addresses, ASDU (Application Service Data Unit) common addresses, IOAs (Information Object Addresses) and the schedule for issuing commands, were tailored to the victim's specific substations. Building such a configuration requires detailed reconnaissance of the OT network beforehand, effectively learning which IOAs map to which switching equipment.
WARNING
Pairing Industroyer2 with wipers (CaddyWiper on Windows workstations, ORCSHRED/SOLOSHRED/AWFULSHRED on Linux and Solaris hosts) shows an intent to hinder recovery. Even when the OT payload is stopped, destroyed engineering workstations and servers delay restoration of normal operations, so response plans must cover rebuilding IT and OT systems at the same time.
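As an added example (not code from Dragos, ESET or CERT-UA, and unrelated to Industroyer2's own implementation), the following Python parser shows what watching for these parameters looks like on the wire: it decodes IEC 60870-5-104 I-frames, extracts the ASDU type, common address, IOA and command qualifier, and raises a high-severity alert when a control-direction command (type IDs 45-51 and their time-tagged variants 58-64) arrives from a host that is not an allowlisted SCADA master. The frames, addresses and allowlist are constructed for illustration.

```python
"""IEC 60870-5-104 control-command detection (added example, not Dragos, ESET
or CERT-UA code). Parses I-format APDUs and flags ASDUs in the control
direction coming from a host that is not an allowlisted SCADA master.
The frames and the allowlist below are constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Optional

# Process information in control direction (IEC 60870-5-101 type IDs 45-51)
# plus the time-tagged variants defined for IEC 104 (58-64).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point, normalized",
    49: "C_SE_NB_1 set point, scaled",
    50: "C_SE_NC_1 set point, short float",
    51: "C_BO_NA_1 bitstring of 32 bits",
    58: "C_SC_TA_1 single command (time-tagged)",
    59: "C_DC_TA_1 double command (time-tagged)",
    60: "C_RC_TA_1 regulating step (time-tagged)",
    61: "C_SE_TA_1 set point, normalized (time-tagged)",
    62: "C_SE_TB_1 set point, scaled (time-tagged)",
    63: "C_SE_TC_1 set point, short float (time-tagged)",
    64: "C_BO_TA_1 bitstring (time-tagged)",
}

# Constructed allowlist: the legitimate SCADA master(s) for this substation.
ALLOWED_MASTERS = {"10.20.0.5"}


@dataclass
class Asdu:
    type_id: int
    cot: int           # cause of transmission (6 = activation)
    common_addr: int   # common address of ASDU (station address)
    ioa: int           # information object address
    element: int       # first byte of the information element (SCO/DCO/...)


def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Parse one APDU. Returns the first information object of an I-frame,
    or None for S-/U-format frames, which carry no ASDU."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (missing 0x68 start byte)")
    if data[1] + 2 != len(data):
        raise ValueError("APDU length field does not match frame size")
    ctrl = data[2:6]
    if ctrl[0] & 0x01:          # bit 0 set: S-format (01) or U-format (11)
        return None
    asdu = data[6:]
    # type id (1) + VSQ (1) + COT (2) + common address (2) + IOA (3) + element (1)
    if len(asdu) < 10:
        raise ValueError("ASDU too short")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F        # low 6 bits; bit 6 = P/N, bit 7 = test flag
    common_addr = struct.unpack("<H", asdu[4:6])[0]
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)   # 3-byte little-endian
    return Asdu(type_id, cot, common_addr, ioa, asdu[9])


def describe_command(a: Asdu) -> str:
    """Human-readable decode of single/double command qualifiers."""
    phase = "select" if a.element & 0x80 else "execute"   # S/E bit
    if a.type_id in (45, 58):                 # SCO: bit 0 = SCS (0 off, 1 on)
        state = "ON" if a.element & 0x01 else "OFF"
    elif a.type_id in (46, 59):               # DCO: bits 0-1 = DCS (1 off, 2 on)
        state = {1: "OFF", 2: "ON"}.get(a.element & 0x03, "invalid")
    else:
        state = f"element=0x{a.element:02x}"
    return f"{phase} {state}"


def classify(src_ip: str, data: bytes) -> Optional[dict]:
    """Return an alert dict for control commands, None for anything else.
    Commands from unknown masters are 'high'; commands from allowed masters
    are still logged as 'info', because Industroyer2 ran on a host inside
    the victim's own network."""
    a = parse_apdu(data)
    if a is None or a.type_id not in CONTROL_TYPES:
        return None
    return {
        "severity": "high" if src_ip not in ALLOWED_MASTERS else "info",
        "src": src_ip,
        "type": CONTROL_TYPES[a.type_id],
        "ca": a.common_addr,
        "ioa": a.ioa,
        "cot": a.cot,
        "action": describe_command(a),
    }


# Constructed sample frames (not captures from any real incident).
# I-frame, C_SC_NA_1, COT=6 activation, CA=1, IOA=4097, SCO=execute/ON
SINGLE_CMD = bytes.fromhex("68 0e" "00 00 00 00" "2d 01 06 00 01 00" "01 10 00" "01")
# I-frame, C_DC_NA_1, COT=6, CA=1, IOA=4098, DCO=select/OFF (0x81)
DOUBLE_CMD = bytes.fromhex("68 0e" "00 00 00 00" "2e 01 06 00 01 00" "02 10 00" "81")
# I-frame, M_SP_NA_1 (monitoring direction), COT=3 spontaneous, CA=1, IOA=100
MONITOR = bytes.fromhex("68 0e" "02 00 00 00" "01 01 03 00 01 00" "64 00 00" "01")
# S-frame (supervisory acknowledgement): carries no ASDU
S_FRAME = bytes.fromhex("68 04" "01 00 02 00")

if __name__ == "__main__":
    for src, frame in [("10.20.0.5", SINGLE_CMD), ("10.20.7.33", SINGLE_CMD),
                       ("10.20.7.33", DOUBLE_CMD), ("10.20.0.5", MONITOR),
                       ("10.20.0.5", S_FRAME)]:
        print(src, classify(src, frame))
```

In practice the frames come from a span-port capture of the substation LAN and the allowlist from the asset inventory. The "info" alert for commands from the legitimate master matters: an allowlist alone would not have caught Industroyer2, which was executed from a compromised host inside the victim's network, so command volume, IOA coverage and timing also need a baseline.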
Electrum-Kamacite collaboration
In 2022 Dragos confirmed the division of labour between Kamacite and Electrum. Kamacite obtains initial access to the victim's network and performs reconnaissance; Electrum takes over once ICS-specific capabilities are needed, developing the tooling that speaks industrial protocols and executing the attack itself.
This model lets both groups specialize in their own domain and makes attribution harder: Kamacite's activity in the IT network looks like ordinary espionage until Electrum's ICS tooling appears.
Erythrite - reconnaissance at the IT/OT boundary
Erythrite is a threat group identified by Dragos that conducts broad reconnaissance operations against organizations operating critical infrastructure in North America. Unlike Electrum or Xenotime, Erythrite is not known to possess dedicated ICS attack tools. Its role in the threat ecosystem is different: intelligence and credential collection.
Operational profile
Erythrite employs:
- SEO poisoning - creating fake websites that rank highly in search results for queries related to industrial software and engineering tools
- Malvertising - malicious advertisements directing users to malware-hosting sites
- Watering hole - compromising websites visited by OT engineers
- Infostealers - collecting credentials, session tokens, and system information
2022 Update
In 2022, Dragos noted:
- Expansion of Erythrite operations to the energy and water sectors (previously focused on manufacturing and pharmaceuticals)
- New SEO poisoning campaigns targeting queries related to Schneider Electric, Siemens, and Rockwell Automation software
- Collection of VPN and remote access portal credentials belonging to OT operators
TIP
Erythrite is a reminder that a threat to OT does not have to start with an attack on the OT network; it can start with an engineer's search for a software installer or a manual. Training for engineering staff should cover recognizing fake download sites and verifying the source of configuration and engineering tools.
Defensive checklist for Erythrite
- Centralized engineering software repository (instead of downloading from the internet)
- Block known malvertising campaign domains at the DNS level
- Monitor credential use and alert on logins from unusual locations, devices or times
- OT engineer training on recognizing phishing and SEO poisoning
- Separate accounts for IT and OT work (credential isolation)
- Enforce MFA on all remote access portals
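As an added example of the credential-monitoring item, not from the article or from Dragos, here is a small Python detector over remote-access portal log lines: it learns each account's usual source countries from historical successful logins, then flags a login from a never-seen country and "impossible travel" (two successful logins from different countries within an hour). The log format, the IP-to-country table, the account names and the addresses are all constructed for the example; a real deployment would read the portal's actual logs and use a GeoIP database.

```python
"""VPN / remote-access portal login anomaly detection (added example, not
from the article or Dragos). Log format, account names, addresses and the
IP-to-country table are constructed for illustration."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP database (documentation ranges only).
GEO = {
    ipaddress.ip_network("198.51.100.0/24"): "PL",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "BR",
}

# Constructed log lines in a hypothetical "key=value" portal format.
HISTORY = [
    "2022-10-03T07:55:01Z vpn-portal user=jkowalski src=198.51.100.17 result=success",
    "2022-10-04T08:02:44Z vpn-portal user=jkowalski src=198.51.100.23 result=success",
    "2022-10-04T08:10:09Z vpn-portal user=anowak src=198.51.100.40 result=success",
    "2022-10-12T19:30:15Z vpn-portal user=anowak src=203.0.113.9 result=success",
    "2022-10-20T02:11:51Z vpn-portal user=jkowalski src=192.0.2.77 result=failure",
]
NEW_EVENTS = [
    "2022-11-03T07:58:12Z vpn-portal user=jkowalski src=198.51.100.17 result=success",
    "2022-11-03T08:31:40Z vpn-portal user=jkowalski src=192.0.2.77 result=success",
    "2022-11-03T09:00:05Z vpn-portal user=anowak src=203.0.113.9 result=success",
    "2022-11-03T09:05:00Z vpn-portal user=anowak src=192.0.2.78 result=failure",
]


def country(ip: str) -> str:
    """Map an IP to a country code via the constructed table ('??' if unknown)."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def parse_line(line: str) -> dict:
    """Parse '<ISO timestamp> <source> key=value ...' into a dict."""
    ts, _source, rest = line.split(" ", 2)
    kv = dict(item.split("=", 1) for item in rest.split())
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": kv["user"],
        "src": kv["src"],
        "ok": kv["result"] == "success",
    }


def build_baseline(lines) -> dict:
    """Per-account set of countries seen in successful historical logins.
    Failed attempts are excluded on purpose: otherwise an attacker could
    seed the baseline with their own location just by failing logins."""
    baseline = defaultdict(set)
    for ev in map(parse_line, lines):
        if ev["ok"]:
            baseline[ev["user"]].add(country(ev["src"]))
    return baseline


def detect(baseline: dict, lines, window: timedelta = timedelta(minutes=60)) -> list:
    """Return alerts for new-country logins and impossible travel."""
    alerts = []
    last_success = {}  # user -> (timestamp, country) of the latest success
    for ev in sorted(map(parse_line, lines), key=lambda e: e["ts"]):
        if not ev["ok"]:
            continue
        cc = country(ev["src"])
        if cc not in baseline.get(ev["user"], set()):
            alerts.append({"user": ev["user"], "rule": "new-country",
                           "detail": cc, "ts": ev["ts"], "src": ev["src"]})
        prev = last_success.get(ev["user"])
        if prev and prev[1] != cc and ev["ts"] - prev[0] <= window:
            alerts.append({"user": ev["user"], "rule": "impossible-travel",
                           "detail": f"{prev[1]}->{cc}", "ts": ev["ts"],
                           "src": ev["src"]})
        last_success[ev["user"]] = (ev["ts"], cc)
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), NEW_EVENTS):
        print(alert)
```

On the constructed data the second `jkowalski` login fires both rules: the account has only ever connected from PL, and a successful BR login 33 minutes after a PL one is not plausible travel. Pair this with the account-separation item above: an OT engineer's VPN account should have a very small baseline, which makes this kind of rule far more precise than it is for a roaming sales team.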
Wassonite - targeting nuclear and energy sectors
Wassonite is a threat group specializing in long-term espionage operations targeting the energy and nuclear sectors. Dragos linked Wassonite activity to the threat ecosystem attributed to North Korean actors (infrastructure overlap with Lazarus Group), though as always, they noted that this does not constitute formal state attribution.
Profile and motivation
Unlike Electrum or Xenotime, Wassonite does not possess publicly known tools for direct ICS attacks. The group’s motivation appears to be intelligence collection - technical documentation, network diagrams, operational procedures - that could serve to prepare future attacks or support an industrial capability development program.
2022 Update
The Wassonite profile in 2022 was expanded with:
- Target expansion to European nuclear technology suppliers
- New phishing campaigns using nuclear energy-related documents as lures
- Use of DTrack malware (a RAT variant linked to the Lazarus ecosystem)
- Attempts to access technical documentation management systems
| Group | Motivation | Target sector | ICS capabilities |
|---|---|---|---|
| Electrum | Destruction | Energy | Industroyer/Industroyer2 |
| Erythrite | Reconnaissance | Manufacturing, energy, water | No known ICS tools |
| Wassonite | Espionage | Energy, nuclear | No known ICS tools |
Conclusions for operators
The three groups discussed illustrate that ICS/OT threats extend far beyond malware capable of manipulating industrial processes. The ecosystem encompasses:
- Destructive groups (Electrum) - with tools for direct attacks on power grids
- Reconnaissance groups (Erythrite) - collecting credentials and information that can be leveraged by other actors
- Intelligence groups (Wassonite) - gathering technical knowledge that lowers the barrier for future attacks
Each profile calls for different controls. Monitoring OT network traffic for unexpected industrial protocol commands is essential against Electrum. Credential protection (MFA, separate IT and OT accounts) and staff training blunt Erythrite. Access control on technical documentation and network segmentation limit what Wassonite can collect.
Sources:
- Dragos, Year in Review 2022 - dragos.com
- Dragos, ELECTRUM Activity Group - dragos.com
- Dragos, ERYTHRITE Activity Group - dragos.com
- Dragos, WASSONITE Activity Group - dragos.com
- ESET, Industroyer2: Industroyer reloaded, April 2022 - welivesecurity.com
- CERT-UA, Cyberattack on Ukrainian Energy Infrastructure, April 2022 - cert.gov.ua