basicsecurity.net
Proof, not just disclosure.
G0088 · ATT&CK Group · Unknown (our call, not MITRE’s)

TEMP.Veles

How MITRE ATT&CK characterizes this group [1]: TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.

Origin / sponsor: not established from a curated public advisory — see Coverage & confidence. Not asserted here.

Also tracked as: XENOTIME — ATT&CK group page [1]

Read this as · tier is our editorial call, not MITRE’s

Motivation not classified from the public record.

We could not place this actor into a coarse motivation tier from ATT&CK’s intrusion-set type and description prose. That uncertainty is itself a finding — the tradecraft below is still cited; the “why” is a coverage gap. All tradecraft below is sourced to MITRE ATT&CK.

  • Techniques (ATT&CK count): 0 [1]
  • Named tools / malware (ATT&CK count): 2 [2]
  • Attributed campaigns (ATT&CK count): 2 [1]
  • Tactics spanned (ATT&CK count): 0 [1]
  • Activity bounds (campaign floor): ~2014–2017, approximate [1]

01 Known for

— signature moves, each sourced to ATT&CK

  • Campaign: Triton Safety Instrumented System Attack. ATT&CK tracks this attributed operation as C0030. [5]
  • Campaign: C0032. ATT&CK tracks this attributed operation as C0032. [6]
  • Arsenal: Named tooling. ATT&CK attributes 2 tools/malware to this group, including Mimikatz, PsExec. [3]

02 Tradecraft heatmap

— ATT&CK techniques mapped onto the five attacker-outcome narratives

No techniques are recorded for this group in the ATT&CK snapshot below — the tradecraft heatmap is empty. That is an honest coverage gap (sparse / legacy / revoked group), never a claim that the actor does nothing. [1]

03 Arsenal

— named tools & malware ATT&CK attributes to this group

  • Mimikatz (S0002) · Tool
  • PsExec (S0029) · Tool

04 Campaign highlights

— attributed operations in the ATT&CK record

A. Triton Safety Instrumented System Attack — ATT&CK Campaign C0030

Attributed operation: ATT&CK records Triton Safety Instrumented System Attack (C0030), roughly 2017–2017, as an operation attributed to this group. [5]

B. C0032 — ATT&CK Campaign C0032

Attributed operation: ATT&CK records C0032 (C0032), roughly 2014–2017, as an operation attributed to this group. [6]

05 Latest activity

— with explicit confidence, and what we cannot yet claim

The most recent cited activity in this card is the ATT&CK record itself. We do not paste a “last seen this week” line we cannot source. Recency from secondary reporting appears here only when attached to a named advisory.

ATT&CK snapshot, compiled 2026-06-22 · Coverage gap — live “currently active” status not asserted

CVE ↔ actor bridge: no confirmed CVE link is established for this group. ATT&CK provides no first-class group→CVE relationship, so this card does not claim specific CVEs as “exploited by this actor” unless a named advisory says so. Absence of a CVE here is a coverage gap, never a clean bill — confirmed links surface as a cited, linked list as the advisory bridge grows.

06 Coverage & confidence

— what we know, and what we don’t

Established (cited)

  • Group identity, aliases, description — MITRE ATT&CK group page
  • 2 software (arsenal) — ATT&CK software pages
  • 2 attributed campaign(s) — ATT&CK campaign pages
  • 5 third-party research citations — ATT&CK external references

Coverage gaps — stated, not hidden

  • Origin/sponsor not established from a curated public advisory. ATT&CK prose may imply attribution but is not asserted here — absence of a curated source is a coverage finding, not a clean bill of attribution.
  • Threat tier is OUR editorial classification (rule-based), not a MITRE field — labeled as such.
  • Technique → outcome heatmap is editorial alignment over ATT&CK tactic data, not a separately-sourced MITRE edge.
  • Activity bounds are a floor from attributed-campaign dates only — flagged approx., not a true active-since range.
  • ATT&CK has no first-class group→CVE relationship; this card asserts no specific CVE without a named advisory.
  • No techniques attributed to this group in ATT&CK — a real source coverage gap, surfaced honestly, never fabricated.
  • Empty heatmap column(s): Front door, Keys to kingdom, Lateral reach, Data at risk, Lights out — consistent with this actor's nature, stated as a finding.