ICS/OT CYBERSECURITY YEAR IN REVIEW 2022

2023-02-14 Dragos

https://hub.dragos.com/hubfs/312-Year-in-Review/2022/Dragos_Year-In-Review-Report-2022.pdf

Attachments

Dragos_Year-In-Review-Report-2022.pdf (7 MB)

Dragos' 2022 ICS/OT review identifies WASSONITE as an activity group with limited technical overlaps with COVELLITE and with the cluster tracked by other vendors as Kimsuky. The report says WASSONITE uses customized DTrack and Appleseed RAT variants, Mimikatz, system tools for lateral movement and file transfers, and adversary-controlled domains or compromised services for C2. Its victim profile centers on ICS-related organizations in the nuclear energy, electric, oil and gas, advanced manufacturing, pharmaceutical, and aerospace sectors across South and East Asia and North America. Dragos frames the activity as Stage 1 ICS kill-chain access and information-gathering operations rather than disruptive ICS attacks.

Indicators of Compromise

Type    Value              First Seen  Last Seen
DOMAIN  opcfoundation.org  2023-02-14  2023-02-14