G1000: ALLANITE
ALLANITE is a suspected Russian cyber espionage group that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to Dragonfly, although ALLANITE's technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. [1]
Analyst context for executives and security teams
ALLANITE matters because ATT&CK describes it as a suspected Russian cyber espionage group focused primarily on the U.S. and U.K. electric utility sector, with reported interest in maintaining ICS presence and understanding industrial processes rather than demonstrated disruptive or destructive capability. For leaders, the decision point is whether the organization can prove it would notice credential misuse, phishing-driven access, drive-by compromise, and collection of control-room/HMI screen information before espionage turns into operational risk.
Executive priority
Prioritize this as an ICS visibility and resilience issue, especially for electric utility environments or organizations with similar control-system dependencies. The business question is not only “can we block phishing?” but “can we produce evidence that identity controls, OT monitoring, email security, web access monitoring, and incident response procedures cover the pathways ATT&CK associates with this group?” Because ATT&CK provides no official detection guidance and no platforms or tactics for this object, leaders should require local validation rather than assume existing SOC coverage applies to ICS.
Technical view
Validate coverage around the related ATT&CK techniques: Drive-by Compromise, Spearphishing Attachment, Valid Accounts, and Screen Capture in control-system environments. SOC and IR teams should test whether they can correlate suspicious email attachments, browsing to compromised or industry-relevant sites, unusual use of legitimate accounts, and evidence of screenshot or screen-capture activity on workstations, HMIs, or other systems displaying process data. Because tactics and platforms are not specified for this group object, detection engineering should be environment-led: map where users browse, receive email, authenticate into OT/ICS resources, and view sensitive process displays.
Likely telemetry
- Email security logs and attachment detonation or analysis results for targeted spearphishing attempts
- Web proxy, DNS, browser, and endpoint telemetry for drive-by compromise indicators or visits to compromised trusted/industry sites
- Identity and access logs for user, service, remote access, and default-account activity involving ICS or supporting networks
- Endpoint or host telemetry that may show screen capture tools, screenshot file creation, or unusual access to HMI/control-room workstations
- OT/ICS network access logs and jump-host/session records showing authenticated access paths into control-system environments
Detection direction
- Confirm that phishing attachment detections are tuned for targeted, low-volume campaigns and are not limited to commodity malware patterns.
- Validate monitoring for normal user web browsing paths, including trusted third-party, supplier, or industry-specific websites that could support drive-by compromise scenarios.
- Baseline legitimate account use in and around ICS, including remote access, service accounts, privileged accounts, and any default credentials that may exist.
- Review whether screen capture activity on systems displaying ICS process data is logged at all; this is a common blind spot because HMIs and operator workstations may have limited endpoint monitoring.
- Correlate email, web, identity, and OT access telemetry rather than treating each alert independently; the relationship context suggests multiple access and collection paths.
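The last point above (and the "Technical view" section) calls for correlating email, web, identity and OT-adjacent host telemetry per user instead of alerting on each source alone. The following is an added illustration, not code from the page, MITRE or Glexia: a small sliding-window correlator that groups normalized events by user and raises one alert when a user's activity spans several of the telemetry sources this page lists within a time window. All events, usernames and hostnames are constructed for the example; the source-to-technique mapping uses only the four ICS techniques listed on this page.

```python
"""Per-user correlation of email, web, identity and host events within a time window.

Added example (not from the page, MITRE or Glexia). All sample events below are
constructed; hostnames and usernames are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, telemetry source, user, detail).
# opsuser1 shows email, web, identity and host activity within ~2 hours;
# opsuser2's events are days apart and should not correlate.
SAMPLE_EVENTS = [
    ("2024-03-01T08:02:00", "email", "opsuser1", "attachment:macro_doc"),
    ("2024-03-01T08:10:00", "web", "opsuser1", "visit:industry-news.example"),
    ("2024-03-01T09:30:00", "identity", "opsuser1", "logon:ics-jumphost-01"),
    ("2024-03-01T09:45:00", "host", "opsuser1", "screenshot_created:hmi-ws-03"),
    ("2024-03-01T10:00:00", "email", "opsuser2", "attachment:pdf_invoice"),
    ("2024-03-02T11:00:00", "identity", "opsuser2", "logon:ics-jumphost-01"),
    ("2024-03-05T11:05:00", "host", "opsuser2", "screenshot_created:hmi-ws-07"),
]

# Map each telemetry source to the ATT&CK ICS technique listed on this page.
TECHNIQUE_BY_SOURCE = {
    "email": "T0865 Spearphishing Attachment",
    "web": "T0817 Drive-by Compromise",
    "identity": "T0859 Valid Accounts",
    "host": "T0852 Screen Capture",
}


def parse_ts(value):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def correlate(events, window_hours=24, min_sources=3):
    """Return one alert per user whose events span >= min_sources distinct
    telemetry sources inside any window_hours-long window.

    The window slides over each user's time-sorted events; the first window that
    satisfies the threshold produces the alert and later windows are skipped.
    """
    by_user = defaultdict(list)
    for ts, source, user, detail in events:
        by_user[user].append((parse_ts(ts), source, detail))

    window = timedelta(hours=window_hours)
    alerts = []
    for user, user_events in by_user.items():
        user_events.sort()
        for i, (start, _, _) in enumerate(user_events):
            in_window = [e for e in user_events[i:] if e[0] - start <= window]
            sources = {e[1] for e in in_window}
            if len(sources) >= min_sources:
                alerts.append({
                    "user": user,
                    "first_seen": start.isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                    "sources": sorted(sources),
                    "techniques": sorted(TECHNIQUE_BY_SOURCE[s] for s in sources),
                    "details": [e[2] for e in in_window],
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The thresholds (24 hours, three distinct sources) are starting points to tune against a baseline of normal operator behaviour; in a real deployment the event tuples would be produced by normalizing each source's logs into the same (timestamp, source, user, detail) shape before they reach the correlator.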
Mitigation priorities
- Start with identity hygiene for ICS access: remove or control default credentials, restrict service-account use, enforce least privilege, and review remote access paths.
- Strengthen email and attachment handling for personnel with access to OT/ICS processes, including user reporting and containment procedures.
- Control and monitor web browsing from systems or users that can reach sensitive control environments; reduce unnecessary browsing from ICS-adjacent assets.
- Limit and audit screen capture capability on HMIs, engineering workstations, and other systems showing process or alarm data where operationally feasible.
- Ensure incident response playbooks include espionage-oriented ICS scenarios, not only destructive or disruptive events.
Analyst notes and limits
The official ATT&CK description frames ALLANITE as suspected Russian cyber espionage activity focused primarily on electric utilities in the United States and United Kingdom, with similarities reportedly noted to Dragonfly. ATT&CK also states that disruptive or destructive capabilities have not been exhibited in the cited reporting. The most defensible operational use of this object is therefore to validate visibility into access, credential use, and process-intelligence collection in ICS environments.
ATT&CK provides no official detection text, no tactics, and no platforms for this group object. The guidance above is derived only from the supplied description and the listed uses of T0817, T0852, T0859, and T0865. Local asset architecture, logging coverage, identity design, and ICS operational constraints are required to determine actual exposure or detection capability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0859 | Valid Accounts | ALLANITE utilized credentials collected through phishing and watering hole attacks. (Citation: Dragos) |
| ICS | T0852 | Screen Capture | ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs. (Citation: Dragos) (Citation: ICS-CERT October 2017) |
| ICS | T0865 | Spearphishing Attachment | ALLANITE utilized spear phishing to gain access into energy sector environments. (Citation: Jeff Jones May 2018) |
| ICS | T0817 | Drive-by Compromise | ALLANITE leverages watering hole attacks to gain access into electric utilities. (Citation: Eduard Kovacs May 2018) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8b83f82f782f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Dragos. ALLANITE. Retrieved 2019/10/27.
[2] MITRE ATT&CK. G1000: ALLANITE.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.