G0088: TEMP.Veles
TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.[1][2][3]
Analyst context for executives and security teams
TEMP.Veles, also known as XENOTIME, matters because ATT&CK links it to critical infrastructure targeting and to TRITON, a framework designed to interact with industrial safety instrumented systems. For executives, this is not just an IT intrusion concern: the relationship context includes a petrochemical campaign targeting Triconex safety controllers, so readiness should be evaluated across IT, OT, incident response, and safety governance boundaries.
Executive priority
Prioritize this as a cyber-physical resilience and board-level risk scenario where applicable, especially for organizations operating industrial control or safety systems. Leaders should ask whether IT foothold detection, credential misuse controls, remote administration monitoring, supply-chain assurance, and OT/SIS incident response plans are evidenced and tested. The supplied ATT&CK data does not indicate current activity or specific exposure, so priority should be based on local critical infrastructure relevance and safety-system dependency.
Technical view
MITRE does not provide a detection section or group-level platforms/tactics for TEMP.Veles. However, relationships show use of Mimikatz and PsExec in enterprise contexts, TRITON in ICS context, and ICS techniques including Drive-by Compromise and Supply Chain Compromise. SOC and IR teams should validate visibility for Windows credential access and lateral execution where Mimikatz/PsExec are relevant, and coordinate with OT teams to confirm monitoring and response coverage around SIS engineering workstations, safety controller communications, trusted vendor workflows, and web-access paths used by personnel supporting control environments.
Likely telemetry
- Windows security and authentication logs relevant to credential access and lateral movement
- Endpoint process execution and command-line telemetry for administrative tools and credential dumping indicators
- Remote service creation/execution and administrative share activity associated with PsExec-like behavior
- OT/SIS engineering workstation logs where available
- Network traffic between engineering workstations and safety controllers or control-system segments
Detection direction
- Do not assume ATT&CK supplies ready-made detections for this group; build coverage from the related software and techniques.
- Tune for suspicious use of legitimate administration utilities such as PsExec, separating approved IT operations from unexpected execution paths, accounts, hosts, or timing.
- Validate credential dumping detection around Mimikatz-like activity, while accounting for security testing tools and administrator activity as false-positive sources.
- For OT environments, confirm whether monitoring can observe engineering workstation activity and communications to safety controllers; many SOC programs have blind spots at this boundary.
- Review web and supplier-facing telemetry for signs consistent with drive-by or supply-chain access paths, but avoid treating these as group-specific without corroborating evidence.
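As an added example (not from the ATT&CK page or MITRE), the Python rule below applies the PsExec guidance above: it takes constructed, SIEM-normalized Windows service-install records (System event 7045 enriched with the correlated Security 4624 logon) and reports which of source host, account, timing, or service binary path falls outside an assumed local allowlist and maintenance window. The host names, accounts, window, and records are placeholders, not data from the page.

```python
from datetime import datetime

# Assumed local policy (placeholders, not from the page): an approved admin
# jump host, approved admin accounts, and a 22:00-04:00 maintenance window.
APPROVED_SOURCE_HOSTS = {"JUMP01"}
APPROVED_ACCOUNTS = {"CORP\\svc-patching"}
MAINTENANCE_WINDOW = (22, 4)  # start hour, end hour; wraps past midnight

def in_maintenance_window(ts):
    start, end = MAINTENANCE_WINDOW
    return ts.hour >= start or ts.hour < end

def looks_like_psexec(ev):
    """PsExec installs a service named PSEXESVC; renamed copies keep the same
    remote-service-install shape, so any 7045 whose correlated logon was a
    network logon (4624 type 3) is treated as a candidate."""
    name = ev["service_name"].lower()
    return ev["event_id"] == 7045 and (name == "psexesvc" or ev["logon_type"] == 3)

def triage(ev):
    """Return the reasons this remote service install is unexpected; [] means approved."""
    if not looks_like_psexec(ev):
        return []
    ts = datetime.fromisoformat(ev["timestamp"])
    reasons = []
    if ev["source_host"] not in APPROVED_SOURCE_HOSTS:
        reasons.append(f"unexpected source host {ev['source_host']}")
    if ev["account"] not in APPROVED_ACCOUNTS:
        reasons.append(f"unexpected account {ev['account']}")
    if not in_maintenance_window(ts):
        reasons.append(f"outside maintenance window at {ts:%H:%M}")
    if not ev["image_path"].lower().startswith("c:\\windows\\"):
        reasons.append(f"unexpected service binary path {ev['image_path']}")
    return reasons

# Constructed records in a SIEM-normalized shape (7045 enriched with the
# preceding 4624 network logon); none of these values are real.
SAMPLE_EVENTS = [
    {"event_id": 7045, "timestamp": "2024-03-05T23:10:00", "host": "ENGWS-07",
     "service_name": "PSEXESVC", "image_path": "C:\\Windows\\PSEXESVC.exe",
     "account": "CORP\\svc-patching", "source_host": "JUMP01", "logon_type": 3},
    {"event_id": 7045, "timestamp": "2024-03-06T14:42:00", "host": "ENGWS-07",
     "service_name": "PSEXESVC", "image_path": "C:\\Windows\\PSEXESVC.exe",
     "account": "CORP\\jdoe", "source_host": "HR-LAPTOP-22", "logon_type": 3},
    {"event_id": 7045, "timestamp": "2024-03-06T02:15:00", "host": "ENGWS-03",
     "service_name": "svchlpr", "image_path": "C:\\Users\\Public\\svchlpr.exe",
     "account": "CORP\\svc-patching", "source_host": "JUMP01", "logon_type": 3},
]
```

The first record is approved use and yields no reasons; the second and third are the cases the bullet above calls out (wrong host, account and time; and a renamed service binary outside %SystemRoot%).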
Mitigation priorities
- Start with governance: identify whether the organization operates safety instrumented systems or other critical infrastructure assets relevant to the ATT&CK relationships.
- Harden and monitor privileged Windows administration, including credential protection, least privilege, and controlled use of remote execution tools.
- Strengthen segmentation and access control between enterprise IT, OT, engineering workstations, and safety-system environments.
- Formalize vendor, software, and supply-chain assurance processes for control-system products and workflows.
- Ensure incident response plans include OT/SIS escalation, safety operations decision-makers, evidence preservation, and safe isolation procedures.
Analyst notes and limits
The most decision-relevant ATT&CK relationships are the attributed Triton Safety Instrumented System Attack campaign, the C0032 campaign focused on IT foothold activity, and use of Mimikatz, PsExec, and TRITON. The alias XENOTIME is included because ATT&CK external references describe overlap with FireEye reporting on TEMP.Veles and TRITON actors.
The supplied ATT&CK object has no official detection text, no group-level tactics, and no group-level platforms. Defensive recommendations are therefore framed from the official description, external references, and explicit relationships only. Local architecture, asset inventory, vendor access paths, and OT telemetry are required to determine actual exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S0002: Mimikatz
S0029: PsExec
C0030: Triton Safety Instrumented System Attack
Triton Safety Instrumented System Attack was a campaign employed by TEMP.Veles which leveraged the Triton malware framework against a petrochemical organization.[1] The malware and techniques used within this campaign targeted specific Triconex Safety Controllers within the environment.[2] The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.[3]
C0032: C0032
C0032 was an extended campaign suspected to involve the Triton adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the Triton Safety Instrumented System Attack.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | e2f06926b098… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye TRITON 2019: Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
- [2] FireEye TEMP.Veles 2018: FireEye Intelligence. (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.
- [3] FireEye TEMP.Veles JSON April 2019: Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.
- [4] Dragos Xenotime 2018: Dragos, Inc. (n.d.). Xenotime. Retrieved April 16, 2019.
- [5] Pylos Xenotime 2019: Slowik, J. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.
- [6] TEMP.Veles (Citation: FireEye TRITON 2019)
- [7] XENOTIME: The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609). (Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)
- [8] mitre-attack G0088
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.