ALLANITE
A narrowly focused ICS reconnaissance group targeting electric utilities in the US and UK, first documented by Dragos in 2018 and linked to the DHS's Palmetto Fusion campaign designation. What distinguishes ALLANITE from Dragonfly and similar actors is its operational discipline: the group deploys no custom malware, relying entirely on legitimate Windows tools, publicly available utilities, and stolen credentials to access both corporate IT and industrial control networks. It collects screenshots of human-machine interfaces (HMIs) and gathers operational intelligence needed to understand — and potentially disrupt — the electric grid. Dragos assesses with moderate confidence that ALLANITE maintains ICS access to develop disruptive capabilities and hold ready access from which to disrupt electric utilities.
Overview
ALLANITE is Dragos's designation for an ICS-focused threat actor that has been systematically targeting the electric utility sector in the United States and United Kingdom since at least May 2017. The group was publicly documented by Dragos in May 2018 — the first release in Dragos's ICS Activity Groups series — and represents a distinctive variant of the broader Russian electric grid access threat: one that achieves equivalent strategic effect to Dragonfly while leaving a significantly smaller forensic footprint.
The defining characteristic of ALLANITE's tradecraft is the complete absence of custom malware. Where Dragonfly deployed Havex — a purpose-built ICS RAT with OPC scanning capability — ALLANITE achieves similar access and reconnaissance using only built-in Windows functionality, freely available open-source utilities, and credentials stolen through phishing and watering-hole attacks. This "living off the land" approach makes ALLANITE activity considerably harder to detect than traditional malware-based intrusions: the tools the group uses are the same tools legitimate system administrators use, generating the same log events, the same process names, and the same network traffic patterns as authorized activity.
The DHS and US government have linked ALLANITE's activity to Russian strategic interests — specifically connecting it to the Palmetto Fusion campaign designation issued by the Department of Homeland Security in July 2017 and the broader DHS/FBI TA17-293A alert in October 2017. Dragos independently confirmed that ALLANITE had accessed ICS networks directly — contradicting early official statements that adversaries had only reached business and administrative systems. Dragos assesses with moderate confidence that ALLANITE maintains this ICS access specifically to (1) understand the operational environment well enough to develop disruptive capabilities, and (2) maintain ready access from which to disrupt US and UK electric utilities.
Dragos explicitly does not corroborate or conduct political attribution — the firm focuses on behavior rather than nation-state identification. The US government (DHS, FBI) and several private sector firms have independently linked ALLANITE's operations to Russian strategic interests and connected them to the Palmetto Fusion / Dragonfly ecosystem. This profile reflects that third-party US government attribution while noting Dragos's formal position. Dragos treats ALLANITE as separate from both Dragonfly (Energetic Bear) and DYMALLOY, despite all three operating in the same target sector with similar techniques.
The Living-Off-the-Land Model
ALLANITE's complete reliance on legitimate tools and Windows native capabilities is not merely a technical detail — it is the core of the group's operational security strategy and its primary defense against detection. Understanding why this matters requires understanding what it means for defenders.
- No malware signatures to detect: Every commercial endpoint detection and response product, antivirus solution, and IDS/IPS system relies in part on recognizing malicious software through behavioral signatures or file hashes. ALLANITE gives these controls nothing to recognize. There is no Havex RAT, no Karagany Trojan, no C2 beacon — just Windows processes doing what Windows processes do, operated by an unauthorized user with stolen credentials.
- Stolen credentials as the attack surface: ALLANITE's initial access model is entirely credential-based. Phishing campaigns and watering-hole attacks are used not to deliver malware but to harvest Windows authentication credentials — specifically targeting energy sector employees and ICS engineers. Those credentials then become the attack surface: the group authenticates to systems as if it were the legitimate user, eliminating the need for exploitation and making intrusion activity appear as authorized access in authentication logs.
- Free tools from public repositories: The DHS's TA17-293A technical alert documented the use of THC Hydra (brute-force authentication tool, downloaded from GitHub), SecretsDump (credential extraction, part of Impacket), CrackMapExec (network enumeration and credential testing), Inveigh (PowerShell-based network credential capture), and PSExec (remote process execution, part of Sysinternals). All of these tools are freely available, widely used by legitimate security professionals for penetration testing and system administration, and routinely present in enterprise environments. Their presence in forensic evidence creates attribution ambiguity — even when detected, their use does not necessarily point to a nation-state actor.
- PowerShell for operational flexibility: PowerShell scripts provide ALLANITE with scripting capability equivalent to custom malware without requiring any compiled code. PowerShell can read files, move laterally, dump credentials, take screenshots, and communicate with remote systems entirely through Windows-native interpreter execution. PowerShell logging (if enabled) can surface this activity, but many organizations in the electric utility sector had limited PowerShell audit logging during the documented campaign period.
- The HMI screenshot as the intelligence collection artifact: The culminating intelligence collection technique is taking screenshots of human-machine interface (HMI) displays — the graphical interfaces through which plant operators monitor and control electrical generation and distribution equipment. A screenshot of an HMI shows the operator-visible state of the process: circuit breaker status, generator output, transformer configurations, alarm states. For an actor building disruptive capability, a library of HMI screenshots from target facilities provides a training dataset for understanding what normal operation looks like, what abnormal operation looks like, and what the visual indicators of a successful disruption event would be.
- Vendor and contractor compromise as a phishing amplifier: Dragos's sector reporting explicitly documents that ALLANITE and DYMALLOY compromised vendors and contractors to use as launchpads for subsequent phishing campaigns targeting electric utilities. By compromising a trusted third party — an ICS integrator, equipment vendor, or service contractor — the actor can send phishing emails from a legitimate account that the target organization has an established working relationship with. Recipients are significantly more likely to open attachments and follow links from known vendors than from strangers, dramatically increasing campaign effectiveness. This supply chain–adjacent technique extends ALLANITE's reach beyond what direct spear-phishing alone could achieve, and it is entirely consistent with the group's malware-less approach: no novel tools required, just a compromised email account and a plausible pretext.
Palmetto Fusion and the DHS Context
ALLANITE's activity was publicly referenced by the US government before Dragos formally documented the group — specifically through the Palmetto Fusion campaign name and associated DHS/FBI advisories. Understanding the government's public description of these intrusions provides important context for the threat.
- Palmetto Fusion — July 2017: The Department of Homeland Security referenced the Palmetto Fusion campaign in July 2017 briefings, describing it as a Russian-attributed campaign targeting the US electric sector. The July 2017 public DHS statements indicated that adversaries had gained access to business and administrative systems of energy companies — not operational networks. Dragos later confirmed independently that this was an understatement: ALLANITE had in fact harvested information directly from ICS networks.
- DHS/FBI Alert TA17-293A — October 2017: The joint DHS/FBI Technical Alert TA17-293A, titled "Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors," provided detailed technical documentation of the campaign tactics. The alert documented credential harvesting through .lnk file manipulation, the use of Hydra, SecretsDump, and CrackMapExec, Python 2.7 installation on compromised hosts, and spear-phishing emails disguised as engineering résumés — a technique specifically targeting human resources staff and engineering teams at electric utilities. Dragos's view is that the October 2017 alert combined Dragonfly/DYMALLOY tactics with ALLANITE activity, treating them as a single campaign when they were in fact conducted by distinct operational clusters.
- Engineering Résumé Lures: One of the most operationally specific documented ALLANITE techniques: spear-phishing documents disguised as engineering résumé submissions sent to industrial infrastructure companies. The targeting is deliberate — a résumé for an engineering position would be opened by both HR staff and by technical engineering managers assessing the candidate's qualifications. Both audiences are inside the target organization; the engineering manager who opens the résumé may have direct access to ICS systems or credentials that provide a path to them. This lure technique is documented by Dragos in their spear-phishing analysis as a 2017 ALLANITE campaign example.
Tactics, Techniques & Procedures
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Spear-Phishing Attachment | ALLANITE uses targeted phishing emails with attached documents to steal Windows credentials from energy sector employees. A documented 2017 variant used documents disguised as engineering résumé submissions — targeting both HR staff and engineering managers at electric utilities. The phishing documents are designed to harvest NTLM credentials via forced authentication to attacker-controlled servers when opened, exploiting Windows's automatic credential-passing behavior for SMB connections initiated by document content. No malware is delivered; only credentials are stolen. |
| T1189 | Drive-by Compromise — Energy Sector Watering Holes | ALLANITE compromises websites specifically visited by electric utility sector employees and ICS engineers — industry portals, technical forums, and energy-sector resources. Compromised sites harvest NTLM credentials from visiting employees via hidden scripts that trigger authentication requests to attacker-controlled servers. This technique is combined with LNK file manipulation — the DHS TA17-293A advisory specifically documented threat actors manipulating .lnk files to repeatedly gather user credentials by forcing Windows to load icons from attacker-controlled servers, generating automatic NTLM authentication requests. |
| T1078 | Valid Accounts — Credential Reuse | Stolen credentials from phishing and watering-hole campaigns are used to authenticate to victim systems as legitimate users. ALLANITE uses harvested credentials to gain initial access, escalate within networks, and reach both corporate IT and ICS-adjacent systems. Authentication via valid credentials generates login events indistinguishable from authorized access, bypassing perimeter controls, VPN authentication, and many endpoint detection solutions that rely on anomaly detection tuned against baseline user behavior rather than identity-based access control. |
| T0852 (ICS) | Screen Capture — HMI Screenshots | The culminating intelligence collection technique: capturing and exfiltrating screenshots of industrial control system human-machine interfaces (HMIs). HMI displays show plant operators the real-time state of electrical generation and distribution equipment — circuit breaker positions, transformer configurations, generator output levels, alarm states. ALLANITE collects and distributes these screenshots to build a visual understanding of target facility operations. This constitutes a form of pre-attack reconnaissance that documents what normal operations look like and identifies the visual indicators that would accompany disruption. Screen capture of ICS displays is documented as an ALLANITE technique in both the Dragos profile and the MITRE ATT&CK for ICS framework (T0852). |
| T1110 | Brute Force — THC Hydra | THC Hydra, a free and widely used network authentication brute-force tool, is used to attack login interfaces after initial access has been established. The DHS TA17-293A advisory confirmed Hydra's use in the Palmetto Fusion campaign with files downloaded directly from public GitHub repositories — a pattern that suggests operational preference for readily available tools rather than custom capability development. Hydra can attack a wide range of authentication protocols including HTTP, FTP, SMB, RDP, and SSH. |
| T1003 | Credential Dumping — SecretsDump / CrackMapExec | After establishing access via stolen credentials, ALLANITE uses SecretsDump (part of the Impacket Python library) to extract additional credential material from Windows systems — dumping NTLM hashes, Kerberos tickets, and cached credentials from Active Directory and local accounts. CrackMapExec is used alongside SecretsDump for network enumeration and credential testing across multiple systems simultaneously. The DHS advisory confirmed both tools were executed during the timeframe in which the threat actor was actively accessing systems, indicating these are core operational tools rather than opportunistic additions. |
| T1557 | Adversary-in-the-Middle — Inveigh (NTLM Capture) | Inveigh is a PowerShell-based network responder that captures NTLM credentials by impersonating network services and responding to broadcast authentication requests. When run on a compromised host inside the target network, Inveigh intercepts Windows name resolution broadcasts and captures NTLM challenge-response hashes from other systems on the network attempting to authenticate to network services. These captures provide additional credential material for lateral movement without requiring any direct interaction with target systems. |
| T1569.002 | Service Execution — PSExec | PSExec (Microsoft Sysinternals) is used for remote command execution across the target network using harvested credentials — enabling ALLANITE operators to run commands on remote systems without interactive login. PSExec creates a temporary service on the remote system, executes the specified command, and removes the service — leaving minimal persistent artifacts. Combined with domain administrator credentials from SecretsDump, PSExec provides comprehensive lateral movement capability across the entire target domain through legitimate, Microsoft-signed system tooling. |
| T1195.001 | Supply Chain Compromise — Trusted Third-Party Phishing | Dragos documents that ALLANITE has compromised vendors and contractors serving the electric utility sector and used those compromised accounts to conduct phishing campaigns against the ultimate targets. An email arriving from a known equipment vendor, ICS integrator, or service contractor carries implicit trust — the recipient has an established working relationship with the sender. ALLANITE exploits this trust relationship to achieve higher phishing success rates without delivering malware: the goal is credential capture via forced NTLM authentication or document template injection from a lure that the target has reason to open. This technique extends the group's reach to electric utilities that would not have been reachable through direct cold-phishing campaigns. |
Known Activity
The documented ALLANITE campaign began in May 2017 and became the basis for the DHS Palmetto Fusion designation and the TA17-293A technical alert. ALLANITE used spear-phishing campaigns — including engineering résumé lures targeting utility employees — and watering-hole attacks on energy-sector websites to harvest Windows NTLM credentials. Harvested credentials were used to authenticate to business networks at US and UK electric utilities, with operators then using native Windows tools, Hydra, SecretsDump, CrackMapExec, Inveigh, and PSExec to traverse networks, escalate privileges, and reach ICS-adjacent systems. The campaign culminated in screenshot collection of HMI displays showing plant operational state. US officials initially stated in July 2017 that adversaries had only reached business networks; Dragos independently confirmed and publicly documented that ICS network access and data collection had in fact occurred. Dragos's ALLANITE profile (published May 2018) notes that operations continued and that intelligence indicates activity since at least May 2017 — with no stated end date, indicating the group remains active.
Dragos's sector reporting confirms that ALLANITE, alongside DYMALLOY, compromised vendors and contractors serving the electric utility sector for use as trusted phishing platforms. Rather than sending phishing emails directly from unknown addresses, the group compromised accounts at ICS integrators, equipment suppliers, and service contractors, then used those legitimate accounts to send credential-harvesting emails to electric utility personnel who had established working relationships with those third parties. This technique requires no custom malware — the actor needs only a compromised email account and a plausible business pretext. Its effectiveness is substantially higher than that of cold-phishing campaigns because recipients are conditioned to open correspondence from known vendors. This supply chain–adjacent approach is documented in Dragos's Global Electric Cyber Threat Perspective report and is consistent with ALLANITE's broader malware-less operational model: every technique in the chain leverages trust and legitimacy rather than novel technical capability.
Parallel to US electric utility targeting, ALLANITE conducted equivalent operations against UK electric utilities using the same TTPs and toolset. The UK operations are referenced consistently alongside US activity in both Dragos's profile and the MITRE ATT&CK ICS group entry, indicating that ALLANITE treats US and UK electric infrastructure as equivalent targets within a single operational mandate. The simultaneous targeting of both US and UK electric sectors is consistent with the strategic interest of an actor tasked with understanding and gaining access to Western allied electric infrastructure — both countries are NATO members and Five Eyes partners, making their combined grid access a significant intelligence and contingency capability.
ALLANITE vs. Dragonfly: The Distinction That Matters
Dragos explicitly distinguishes ALLANITE from both Dragonfly (Energetic Bear) and DYMALLOY despite similar targeting and overlapping techniques. Understanding why Dragos treats these as separate actors — and why that distinction matters for defenders — requires examining the specific differences.
- No Custom Malware: Dragonfly developed Havex — a purpose-built RAT with ICS-specific OPC scanning capability. ALLANITE has no equivalent. The complete absence of custom malware is the single most operationally significant difference, as it eliminates the malware-analysis pipeline that generated most of the public technical intelligence about Dragonfly's operations. There are no Havex samples to reverse-engineer, no C2 domains to sinkhole, no binary indicators to push to endpoint products. ALLANITE's operational footprint in forensic data looks like a system administrator with bad password hygiene.
- Overlapping DHS Attribution: The DHS's October 2017 TA17-293A alert combined both Dragonfly/DYMALLOY tactics and ALLANITE activity in a single document. Dragos's formal analysis identified these as separate actors that were operating in the same target space during the same timeframe — generating an overlap in the government's public reporting that obscured the distinction. This conflation created public confusion about whether ALLANITE was a subset of Dragonfly or a distinct entity.
- Stage 1 vs. Stage 2 ICS Kill Chain: Dragonfly 2.0 demonstrated advanced Stage 2 ICS Kill Chain access — it reached circuit breaker control interfaces and acquired the operational knowledge to take disruptive action — but no documented Dragonfly operation has resulted in confirmed manipulation of ICS devices or a power disruption in the United States or United Kingdom. ALLANITE, per Dragos's documentation, has demonstrated only Stage 1 capability: reconnaissance, credential collection, and intelligence gathering. The HMI screenshots confirm ICS network access, but no ALLANITE operation has documented control of or interaction with ICS devices beyond observation. Dragos's assessment of disruptive capability development suggests Stage 2 access remains the operational goal rather than a current demonstrated capability.
- Operational Discipline: The malware-less approach, combined with consistently downloading free tools from public repositories rather than developing or purchasing custom tools, suggests a different operational culture from Dragonfly's more sophisticated toolkit. This could indicate a smaller or less-resourced team, a team with different operational training, or a deliberate tactical choice to maximize attribution ambiguity at the expense of capability — accepting that living-off-the-land access is slower and more limited in exchange for dramatically reduced detection probability.
Tools Inventory
ALLANITE's complete tool inventory consists entirely of legitimate Windows functionality and freely available public tools. The group deploys no custom malware, no proprietary backdoors, and no purpose-built ICS exploitation tools. Every item below is available to any network administrator or security professional and is routinely present in enterprise environments for legitimate purposes.
- PowerShell (native Windows): Used for scripting, lateral movement, reconnaissance, and screenshot capture. PowerShell is present on all modern Windows systems and is the primary scripting environment used across all ALLANITE operations.
- THC Hydra: Free, open-source brute-force authentication attack tool. Supports dozens of protocols including HTTP, FTP, SMB, RDP, and SSH. Downloaded directly from public GitHub repositories during documented operations per DHS TA17-293A analysis.
- Impacket — SecretsDump: Python library providing Windows network protocol implementations, specifically the SecretsDump module for remote credential extraction from Windows systems via SMB. Used for NTLM hash and Kerberos ticket collection after initial access.
- CrackMapExec: Open-source network pentesting tool for Active Directory enumeration, credential testing, and lateral movement. Used alongside SecretsDump for domain reconnaissance and credential validation across multiple systems.
- Inveigh: PowerShell-based network responder for NTLM credential capture on local network segments. Responds to broadcast name resolution requests to intercept authentication attempts from other systems on the network.
- PSExec (Sysinternals): Microsoft-signed remote execution utility for running commands on remote Windows systems using harvested credentials. Provides lateral movement capability without requiring additional tooling.
- Python 2.7: Documented in DHS TA17-293A as installed on compromised hosts. Used as the runtime environment for Impacket and related Python-based credential extraction tools.
- Windows Screenshot Functionality: Native Windows screen capture (via PowerShell cmdlets, the Win32 API, or built-in screenshot tools) used to capture and distribute HMI display images from ICS-accessible systems.
- Compromised Vendor and Contractor Email Accounts: Documented by Dragos as a technique used by ALLANITE (and DYMALLOY) to conduct supply chain–assisted phishing. The "tool" in this case is a legitimate email account at a trusted third party — an ICS integrator, equipment vendor, or service contractor — that ALLANITE has compromised and uses to send credential-harvesting lures to electric utility targets. No custom software required. The weapon is the implicit trust relationship between the vendor and its utility customers.
Indicators of Compromise
ALLANITE's malware-less approach means traditional malware-based IOCs do not apply. Behavioral and tool-based detection is the only viable approach for this actor. IOCs derive from DHS TA17-293A, Dragos public documentation, and MITRE ATT&CK for ICS.
ALLANITE deploys no custom malware and uses only legitimate tools. Hash-based IOCs and malware signatures are completely ineffective against this actor. All detection must be behavioral: anomalous tool execution patterns, unexpected process combinations, unusual authentication event sequences, and atypical access to ICS-adjacent systems. The absence of malware in detection data should not be taken as evidence of absence of ALLANITE activity.
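As an added example that is not part of the original profile and is not code from Dragos, DHS or MITRE: a small Python rule set that applies the behavioral approach described above to Windows process-creation (Event ID 4688) records. The tool names come from the TA17-293A list on this page; the key="value" record layout, the host and user names, the log lines and the allow-list of authorized assessment hosts are all constructed for the example. The point it makes is the one the section makes: none of these hits is a malware signature, each is a legitimate binary running where its presence is the anomaly.

```python
"""Behavioral detection over Windows process-creation (4688) records.

Added example: not Dragos's, DHS's or MITRE's code. The key="value" record layout,
host names, user names and the assessment-host allow-list are constructed."""
import re
from dataclasses import dataclass

# Tools named in DHS TA17-293A and the Dragos profile, as lowercase regexes matched
# against image path plus command line. PSEXESVC.exe is the service PsExec installs
# on the remote side, so the PsExec rule also fires on the lateral-movement target.
TOOL_PATTERNS = {
    "THC Hydra": re.compile(r"(^|[\\/\s])hydra(\.exe)?(\s|$)"),
    "SecretsDump": re.compile(r"secretsdump(\.py|\.exe)?"),
    "CrackMapExec": re.compile(r"crackmapexec"),
    "Inveigh": re.compile(r"inveigh"),
    "PsExec": re.compile(r"psexe(c(64)?(\.exe)?|svc\.exe)"),
}
# Python 2.7 appearing on a host: TA17-293A documented its installation as the
# runtime for the Impacket-based tooling, so it is worth a lower-severity alert.
PY27_PATTERN = re.compile(r"python27[\\/]python\.exe|python-2\.7[\w.-]*\.msi")

# Constructed allow-list: the only hosts where assessment tooling is authorized.
ASSESSMENT_HOSTS = {"SECTEST01"}

# Constructed sample records in a simplified 4688-style key="value" layout.
SAMPLE_EVENTS = [
    r'EventID="4688" Computer="ENG-WS-07" SubjectUserName="jdoe" NewProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -File C:\Users\jdoe\AppData\Local\Temp\Inveigh.ps1"',
    r'EventID="4688" Computer="ENG-WS-07" SubjectUserName="jdoe" NewProcessName="C:\Windows\System32\msiexec.exe" CommandLine="msiexec.exe /i C:\Users\jdoe\Downloads\python-2.7.14.msi /quiet"',
    r'EventID="4688" Computer="ENG-WS-07" SubjectUserName="jdoe" NewProcessName="C:\Python27\python.exe" CommandLine="python.exe C:\Tools\impacket\secretsdump.py"',
    r'EventID="4688" Computer="SECTEST01" SubjectUserName="pentest" NewProcessName="C:\Tools\hydra.exe" CommandLine="hydra.exe"',
    r'EventID="4688" Computer="HR-WS-02" SubjectUserName="asmith" NewProcessName="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="WINWORD.EXE /n resume_engineer.docx"',
    r'EventID="4688" Computer="FILE-SRV-01" SubjectUserName="admin_t1" NewProcessName="C:\Windows\PSEXESVC.exe" CommandLine="PSEXESVC.exe"',
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    severity: str
    reason: str


def parse_event(line):
    """Turn one key="value" record into a dict; unknown keys are kept as-is."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def classify(event):
    """Return an Alert for a single process-creation event, or None if nothing matched."""
    if event.get("EventID") != "4688":
        return None
    host = event.get("Computer", "?")
    user = event.get("SubjectUserName", "?")
    haystack = (event.get("NewProcessName", "") + " " + event.get("CommandLine", "")).lower()

    for tool, pattern in TOOL_PATTERNS.items():
        if pattern.search(haystack):
            if host in ASSESSMENT_HOSTS:
                return Alert(host, user, "info", f"{tool} on authorized assessment host")
            return Alert(host, user, "high", f"{tool} executed on production host")
    if PY27_PATTERN.search(haystack):
        return Alert(host, user, "medium", "Python 2.7 runtime observed (TA17-293A precursor)")
    return None


def detect(lines):
    """Run every record through the classifier; the result is what a SIEM rule would emit."""
    alerts = []
    for line in lines:
        alert = classify(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:6}] {a.host}/{a.user}: {a.reason}")
```

Run against the constructed records, the Word process on the HR workstation produces nothing (the résumé lure itself leaves no process-level trace worth alerting on, which is the page's point about credential capture), while the Inveigh script, the Python 2.7 installer, SecretsDump and the PSEXESVC service each surface on hosts outside the assessment allow-list. The same hydra execution on SECTEST01 is logged at "info" so that the rule stays tolerant of authorized testing without going blind to it.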
Mitigation & Defense
Defending against ALLANITE requires a fundamentally different approach from defending against malware-based actors. Standard antivirus, EDR signature-based detection, and known-malware blocking provide no protection against an actor that deploys none. The defense must be identity-centric, network-architecture-based, and behavioral.
- Phishing-Resistant Authentication for Energy Sector Accounts: ALLANITE's entire attack model depends on credential theft through phishing and watering holes. NTLM credential capture via document-based .lnk files and forced authentication requests can be defeated at the source: implement FIDO2 hardware security keys for all accounts with access to corporate energy sector networks, especially engineering and ICS-adjacent accounts. Hardware security keys cannot be captured via NTLM relay attacks — they require physical possession of the key and user presence. This single control would eliminate ALLANITE's primary initial access vector.
- Block Outbound SMB at Network Perimeter: ALLANITE's credential harvesting via .lnk file manipulation and watering holes works by triggering automatic NTLM authentication from victim hosts to attacker-controlled external servers over SMB (TCP 445, 139; UDP 137, 138). Blocking outbound SMB at the network boundary prevents this automatic credential exposure. This should be standard policy for any electric utility — outbound SMB to external destinations has essentially no legitimate use case and is a documented ALLANITE and Dragonfly credential capture mechanism.
- PowerShell Constrained Language Mode and Script Block Logging: ALLANITE uses PowerShell extensively. Implement PowerShell Constrained Language Mode on non-development corporate hosts to prevent advanced PowerShell capabilities (including .NET method calls required by Inveigh and similar tools). Enable PowerShell Script Block Logging to capture all executed script content and forward to a SIEM. Alert on execution of known ALLANITE tools (Inveigh.ps1) and on PowerShell encoding patterns associated with credential capture scripts.
- Privileged Access Workstations and IT/OT Segmentation: ALLANITE reaches ICS networks by traversing from corporate IT to ICS-adjacent systems using stolen credentials. Hard network segmentation between IT and OT environments — with dedicated privileged access workstations (PAWs) required for any ICS access — eliminates the traversal path. Any system with HMI access should be on a network segment that requires explicit, separately credentialed authentication from the corporate IT network, with that authentication fully logged and monitored.
- Monitor for Pentest Tool Execution on Production Systems: THC Hydra, SecretsDump, CrackMapExec, Inveigh, and PSExec are legitimate security tools that have no business reason to be running on production electric utility corporate workstations or servers outside of explicitly authorized security assessments. Implement application control (AppLocker or WDAC) policies that alert or block execution of these tools outside of designated security assessment systems. Any detection of these tools on production energy sector systems outside of authorized testing windows is an incident requiring immediate investigation.
- ICS Network Access Logging and HMI Process Monitoring: ALLANITE's goal is capturing HMI screenshots from ICS systems. Any system that provides access to HMI displays should have full process execution logging enabled and forwarded to a SIEM. Alert on screen capture API calls (BitBlt, GDI+ CopyImage, PrintWindow) from processes other than the authorized HMI application. Implement OT-specific network monitoring that baselines normal OT traffic patterns and alerts on unexpected connections to HMI systems from IT network segments or from accounts not associated with operations staff.
- Vendor and Third-Party Email Vetting: ALLANITE compromises vendors and contractors to run trusted phishing campaigns against utility targets. Standard email security controls (domain reputation, attachment scanning) will not flag an email from a legitimately compromised vendor account that has been used in normal business communication. Train engineering, HR, and procurement staff to treat any unsolicited or unexpected attachment or credential request from a vendor — regardless of the sender's legitimacy — as requiring out-of-band verification before opening. Establish explicit procedures for verifying unusual vendor requests by phone or through a separate communication channel. Consider implementing email authentication controls (DMARC, DKIM, SPF) not just for your own domain but for verifying inbound messages from critical vendors.
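The outbound-SMB control above is easier to verify than to assume. As an added example (not from the original profile or from any vendor), the Python below audits firewall flow records for SMB and NetBIOS sessions leaving the internal address space, which is the path the forced-authentication technique in the TTP table (LNK icon loading and watering-hole scripts) depends on. The flow-log layout, the device name, the internal address ranges and the sample lines are constructed for the example; the port list is the one the mitigation names.

```python
"""Outbound SMB/NetBIOS egress audit over firewall flow records.

Added example, not from the original profile or any vendor. The flow-log layout,
device name, internal address ranges and sample lines are constructed."""
import ipaddress
import re

# The ports the mitigation names: SMB over TCP 445/139, NetBIOS over UDP 137/138.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Constructed: the organization's internal address space. A destination outside
# these ranges is "external", i.e. potentially an attacker-controlled server.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample flows in a simplified key=value syslog layout.
SAMPLE_FLOWS = [
    "ts=2024-03-05T14:02:11Z dev=fw-edge action=allow proto=tcp src=10.20.4.17 sport=52113 dst=10.20.8.5 dport=445",
    "ts=2024-03-05T14:02:13Z dev=fw-edge action=allow proto=tcp src=10.20.4.17 sport=52114 dst=203.0.113.45 dport=445",
    "ts=2024-03-05T14:02:13Z dev=fw-edge action=allow proto=udp src=10.20.4.17 sport=137 dst=203.0.113.45 dport=137",
    "ts=2024-03-05T14:02:15Z dev=fw-edge action=allow proto=tcp src=10.20.4.17 sport=52115 dst=203.0.113.45 dport=443",
    "ts=2024-03-05T14:05:40Z dev=fw-edge action=deny proto=tcp src=10.20.6.9 sport=50001 dst=198.51.100.7 dport=445",
]


def is_internal(addr):
    """True when the address falls inside the constructed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Split one key=value flow record into a dict and coerce the destination port."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["dport"] = int(fields["dport"])
    return fields


def find_smb_egress(lines):
    """Return every SMB/NetBIOS flow whose destination is external, allowed or denied.

    SMB to internal file servers is normal traffic and is skipped; a denied external
    flow still matters because it shows a host that tried to authenticate outward."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if (f["proto"], f["dport"]) not in SMB_PORTS or is_internal(f["dst"]):
            continue
        findings.append({k: f[k] for k in ("ts", "src", "dst", "proto", "dport", "action")})
    return findings


def exposed_hosts(findings):
    """Sources whose external SMB session was allowed: the boundary rule is missing
    there, and accounts logged on to those hosts should be treated as having had
    NTLM credential material exposed (credential reset, not only a firewall change)."""
    return sorted({f["src"] for f in findings if f["action"] == "allow"})


if __name__ == "__main__":
    found = find_smb_egress(SAMPLE_FLOWS)
    for f in found:
        print(f"{f['ts']} {f['action']:5} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
    print("hosts needing credential reset and an egress block rule:", exposed_hosts(found))
```

On the constructed flows, the internal file-server session and the HTTPS session pass silently, the two allowed sessions to 203.0.113.45 (TCP 445 and the UDP 137 name-service lookup that usually precedes it) identify 10.20.4.17 as a host where the egress block is absent and credentials have likely left the network, and the denied flow from 10.20.6.9 confirms the rule is doing its job there while still recording a host worth a look.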
ALLANITE illustrates a security industry blind spot: the implicit assumption that a lack of custom malware means a lower threat level. By every conventional detection metric — malware signatures, C2 domain reputation, exploit code detection — ALLANITE is invisible. The tools it uses are in every enterprise environment. The credentials it operates with are real credentials. The authentication events it generates match the pattern of the stolen account's legitimate owner. The screenshots it collects look, to network DLP tools, like a user taking screenshots. For defenders at US and UK electric utilities, the absence of malware should not produce comfort. It should produce the opposite. An actor that needs no malware to reach your HMI displays and document what your operators see has achieved a level of access that matters regardless of what software they brought with them.
The broader ICS threat landscape has escalated significantly since ALLANITE was first disclosed. Dragos's 2026 OT/ICS Cybersecurity Report (its 9th year in review, published February 2026) now tracks 26 threat groups globally, with 11 active in 2025 alone. Groups like VOLTZITE (overlapping with Volt Typhoon) and KAMACITE are now documented at Stage 2 of the ICS Cyber Kill Chain — actively mapping control loops, extracting alarm data, and investigating what operational conditions trigger process shutdowns. SYLVANITE operates as an initial access broker, handing off footholds at US electric and water utilities directly to VOLTZITE. In this escalated environment, ALLANITE's Stage 1 reconnaissance posture — collecting HMI screenshots and building operational understanding — reads as preparation for the same transition toward Stage 2 effects that other groups have already made. The question ALLANITE poses to every electric utility SOC is: if an attacker is operating as a legitimate user, do you have the behavioral detection capability to notice — and do you know whether Stage 2 capabilities are already being quietly built on top of that access?
Sources & Further Reading
Primary vendor research, government advisories, and sector reports used to build this profile. All claims trace to at least one source listed here.
- Dragos — ALLANITE Threat Profile (primary source; continuously updated)
- DHS / ICS-CERT — Alert TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors (October 20, 2017) — documents Hydra, SecretsDump, CrackMapExec, Python 2.7, .lnk credential harvesting
- MITRE ATT&CK — Group G1000: ALLANITE (current canonical entry; supersedes deprecated ATT&CK for ICS G0009)
- Dragos — How Adversaries Use Spear Phishing to Target Engineering Staff (documents ALLANITE 2017 engineering résumé lure campaign)
- SecurityWeek — ALLANITE Group Targets ICS Networks at Electric Utilities in US, UK (May 10, 2018) — contemporaneous reporting on Dragos's initial disclosure
- Dragos — Global Electric Cyber Threat Perspective Report (September 2021) — documents ALLANITE and DYMALLOY vendor and contractor supply chain phishing
- Dragos — Threats to Electric Grid Are Real; Widespread Blackouts Are Not (2017) — Dragos's public clarification distinguishing ALLANITE from disruptive actors and correcting media overstatement of threat severity
- Dragos — 2026 OT/ICS Cybersecurity Year in Review (February 2026) — tracks 26 threat groups, 11 active in 2025; context for where ALLANITE sits in the current ICS threat landscape