Attack encyclopedia | 6 min read

Kostovite, Kamacite, and Xenotime - 2022 ICS threat group profile updates

Updated profiles of three ICS threat groups: Kostovite (IT-to-OT access), Kamacite (BlackEnergy/Sandworm ecosystem), Xenotime (Triton/Trisis) - new TTPs, targets, and implications for critical infrastructure.

Józef Sulwiński
Tags: Xenotime, Kamacite, Kostovite, ICS, APT

Dragos, the leading industrial control system security firm, monitors and profiles threat activity groups operating in the ICS/OT space. Unlike IT-focused firms, Dragos does not attribute groups to specific nations - it focuses on technical capabilities, infrastructure, and tactics. This article covers three groups whose profiles were updated in 2022: Kostovite, Kamacite, and Xenotime.

Xenotime - from Triton to a global threat

Xenotime is the most concerning ICS threat group ever identified. Its story begins in August 2017 at a petrochemical facility in the Middle East, where the Triton malware (also known as Trisis) attacked Schneider Electric Triconex Safety Instrumented Systems (SIS).

Why Triton changed everything

An attack on SIS is a fundamentally different type of threat than an attack on an industrial process. Safety systems are the last line of defense - they protect people and the environment from catastrophic failure consequences. Disabling SIS while simultaneously manipulating the industrial process could lead to explosions, toxic substance leaks, or facility destruction.

Triton attempted to reprogram Triconex controllers so that SIS would not activate when process conditions exceeded safe parameters. The attack was discovered accidentally - a bug in the malware code caused an unplanned emergency shutdown of the facility, which drew the attention of the maintenance team.

2022 Update

In 2022, the Xenotime profile was expanded with the following findings:

| Aspect         | Status through 2021                      | 2022 Update                                                           |
|----------------|------------------------------------------|-----------------------------------------------------------------------|
| Target scope   | Petrochemical sector, Middle East        | Expansion to energy sector in North America, Europe, and Asia-Pacific |
| Reconnaissance | OT network scanning after gaining access | Active scanning of internet-facing ICS devices (Shodan, FOFA)         |
| Access vector  | Pivot from IT to OT                      | Additional vectors: VPN, RDP, supply chain compromise                 |
| Infrastructure | Limited                                  | Expanded C2 network with frequent rotation                            |

Particularly concerning is Xenotime’s expanded interest in the energy sector. Dragos noted scanning and reconnaissance attempts against energy operators in countries that the group had not previously targeted.

WARNING

Xenotime remains the only publicly known group that deliberately attacked industrial safety systems (SIS). This capability signals willingness to cause physical consequences - equipment destruction, threats to human health and life.

Kamacite - the gateway to energy networks

Kamacite is a threat group specializing in gaining initial access to energy infrastructure operator networks. Analysts link it to the Sandworm/BlackEnergy ecosystem - the same one behind the attacks on the Ukrainian power grid in 2015 and 2016.

Role in the threat ecosystem

Kamacite serves as an “access provider” for more advanced ICS operations. Its operational pattern:

  1. Spearphishing targeted at energy operator employees
  2. Compromise of workstations in the corporate network
  3. Privilege escalation and administrative credential acquisition
  4. Reconnaissance of network topology and identification of IT/OT boundary points
  5. Access handoff or independent pivot to the OT network

Dragos noted that Kamacite operates in close coordination with Electrum - the group responsible for developing the Industroyer and Industroyer2 malware. Kamacite provides access; Electrum executes the attack on OT systems.

2022 Update

In 2022, Kamacite expanded its operations:

  • New initial access vectors - beyond phishing, the group began exploiting vulnerabilities in VPN appliances and firewalls at the corporate network perimeter
  • Geographic expansion - beyond Ukraine and Eastern Europe, activity was observed against operators in Western Europe and North America
  • Supply chain compromise - attempts to gain access through IT service providers serving energy operators

TIP

Defense against Kamacite requires, above all, strong IT/OT boundary protection. Network segmentation, multi-factor authentication (MFA) on all remote access points, and traffic monitoring at zone boundaries are fundamentals without which additional protective measures lose their effectiveness.

Kostovite - precision access through IT

Kostovite is a threat group identified by Dragos that specializes in gaining OT network access through IT infrastructure compromise. Unlike Kamacite, which operates on a broad front, Kostovite conducts precise, targeted operations.

Operational profile

Kostovite distinguishes itself through:

  • Zero-day vulnerability exploitation in VPN appliances and access gateways - in 2021, vulnerabilities in Ivanti Connect Secure (formerly Pulse Secure) were exploited
  • Operational patience - the group maintains access for months without taking visible actions
  • Precise targeting - specific organizations are attacked, not mass campaigns
  • IT-to-OT pivot capability - Kostovite understands industrial network architecture and can identify jump-host systems, historians, and HMI interfaces

2022 Update

The Kostovite profile in 2022 was updated with:

  • New zero-day vulnerabilities exploited for initial access
  • Expanded persistence capabilities in IT networks
  • Additional detection evasion techniques, including use of legitimate administrative tools (living off the land)

Defensive checklist for Kostovite

  • Regular updates of VPN appliances and access gateways (within 24-48h of critical patch release)
  • VPN log monitoring for anomalous access patterns
  • Network segmentation with a separate DMZ zone between IT and OT
  • Audit of all accounts with OT system access
  • Monitoring of administrative tool usage (PowerShell, WMI, PsExec) in the OT zone
  • Implementation of least-privilege principles for service accounts
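The VPN log monitoring and OT-zone admin-tool monitoring items above, and the IT/OT boundary monitoring recommended for Kamacite, can be prototyped as a small detector. This is an added example, not code from Dragos or the original article; the log line format, the 10.20.0.0/16 OT address range and the 07:00-19:00 business-hours window are assumptions chosen for the example, and the log lines are constructed.

```python
import ipaddress
import re
from datetime import datetime
# Constructed sample logs (not from the article or any real environment).
VPN_LOG = """\
2022-03-01T08:02:11 vpn-gw user=alice src=203.0.113.10 result=success
2022-03-01T09:15:40 vpn-gw user=bob src=203.0.113.11 result=success
2022-03-02T08:10:05 vpn-gw user=alice src=203.0.113.10 result=success
2022-03-03T02:47:19 vpn-gw user=alice src=198.51.100.77 result=success
2022-03-03T03:01:02 vpn-gw user=svc-backup src=198.51.100.77 result=success
"""
PROCESS_LOG = """\
2022-03-03T03:20:44 host=eng-ws01 ip=10.20.5.12 user=alice image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2022-03-03T03:22:10 host=hist01 ip=10.20.5.30 user=alice image=C:\\Tools\\PsExec.exe
2022-03-03T10:05:00 host=it-ws07 ip=10.1.4.21 user=bob image=C:\\Windows\\System32\\wmic.exe
"""
VPN_RE = re.compile(r"(\S+) vpn-gw user=(\S+) src=(\S+) result=(\S+)")
PROC_RE = re.compile(r"(\S+) host=(\S+) ip=(\S+) user=(\S+) image=(.+)")
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "psexec.exe", "psexec64.exe"}
def vpn_anomalies(log, business_hours=(7, 19)):
    """Flag logins from a source new for that user, or outside business hours (first source = baseline)."""
    known, hits = {}, []
    for m in VPN_RE.finditer(log):
        ts, user, src, result = m.groups()
        if result != "success":
            continue
        hour, reasons = datetime.fromisoformat(ts).hour, []
        if user in known and src not in known[user]:
            reasons.append(f"new source {src}")
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append(f"off-hours login at {hour:02d}h")
        known.setdefault(user, set()).add(src)
        if reasons:
            hits.append((ts, user, reasons))
    return hits

def ot_admin_tool_use(log, ot_net="10.20.0.0/16"):
    """Flag PowerShell/WMI/PsExec executions on hosts inside the assumed OT address range."""
    net, hits = ipaddress.ip_network(ot_net), []
    for m in PROC_RE.finditer(log):
        ts, host, ip, user, image = m.groups()
        exe = image.rsplit("\\", 1)[-1].lower()   # basename of the image path
        if exe in ADMIN_TOOLS and ipaddress.ip_address(ip) in net:
            hits.append((ts, host, user, exe))
    return hits

def pivot_candidates(vpn_log, proc_log):
    """Users with an anomalous VPN login who then ran admin tools in the OT zone (IT-to-OT pivot pattern)."""
    vpn_users = {u for _, u, _ in vpn_anomalies(vpn_log)}
    return sorted({u for _, _, u, _ in ot_admin_tool_use(proc_log) if u in vpn_users})
```

In a real deployment the baseline of known sources per user would be persisted rather than rebuilt from the same file, and the OT range would come from the segmentation design rather than a constant.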

Three groups, one conclusion

Kostovite, Kamacite, and Xenotime represent three phases of the critical infrastructure attack chain:

| Group     | Phase                  | Specialization                               |
|-----------|------------------------|----------------------------------------------|
| Kostovite | Initial access         | VPN zero-days, precise targeting             |
| Kamacite  | Initial access + pivot | Phishing, IT compromise, access handoff      |
| Xenotime  | OT attack              | SIS safety systems, industrial processes     |

The 2022 updates reveal a clear trend: all three groups are expanding their geographic reach, diversifying attack vectors, and investing in detection evasion capabilities. For critical infrastructure operators, this means that defense must be multi-layered - from securing the internet-facing perimeter, through internal segmentation, to monitoring within the OT network itself.


Sources:

  • Dragos, Year in Review 2022 - dragos.com
  • Dragos, XENOTIME Activity Group - dragos.com
  • Dragos, KAMACITE Activity Group - dragos.com
  • Dragos, KOSTOVITE Activity Group - dragos.com
  • FireEye (Mandiant), TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools, October 2018 - mandiant.com
