
Threat Actor Characterization

ALLANITE


ID: 0b50c970769040ce210e8cfe2bfb607296649
Cybercrime State-Sponsored
Threat types: Intrusion, Espionage, ICS Compromise
Russia UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 47% Completeness: 45% Freshness: 50%
Operation zone: UNKNOWN
Aliases: Palmetto Fusion
MITRE ATT&CK®

ALLANITE (a.k.a. Palmetto Fusion) — suspected Russia-nexus espionage group targeting US/UK electric utilities since at least 2017 with watering holes, spearphishing, malware-less LOLBins, and ICS reconnaissance (including screenshot collection); no destructive actions observed.


Technique | Technique name | Tactics | Evidence

T1189 | Drive-by Compromise | TA0001
  • 2017-2018 — Watering-hole compromises leveraged to access electric-utility targets and harvest credentials.
  • 2018-05-10 — Dragos description explicitly cites watering holes for initial access.

T1566 | Phishing | TA0001
  • 2018-05-10 — Spearphishing campaigns used alongside watering holes to steal credentials.

T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2018-05-10 — Use of stolen/valid accounts for persistence and movement within utility environments.

T1113 | Screen Capture | TA0009
  • 2018-05-10 — Collection and distribution of ICS screenshots during reconnaissance.

T1041 | Exfiltration Over C2 Channel | TA0010
  • 2017-2018 — Exfiltration of collected data from business and ICS networks (pattern described in public reporting).

Strategic Intelligence
Last updated: 2025-10-22T15:49:35+00:00
ALLANITE (Palmetto Fusion) — ICS-Focused Espionage Targeting Electric Utilities

CLASSIFICATION: Unclassified / Open Source


Executive Summary

ALLANITE is a suspected Russia-nexus cyber-espionage group that has primarily targeted the electric utility sector in the United States and United Kingdom. Public sources assess that its tactics resemble Dragonfly (Energetic Bear) but, to date, no destructive/disruptive capabilities have been demonstrated. Reporting indicates watering-hole and spearphishing activity used to harvest credentials, followed by “malware-less” operations leveraging built-in Windows tooling to conduct ICS reconnaissance, including collection and distribution of ICS screenshots. Dragos links ALLANITE’s tradecraft to the Palmetto Fusion activity described by DHS in 2017, and dates activity to at least May 2017. Confidence: high on targeting and TTPs, medium on Russia nexus (Dragos does not corroborate national attribution).


The group is operationally focused on intelligence collection against energy-sector business networks and ICS/OT environments. Public-sector and private analyses suggest alignment with Russian strategic interests, but Dragos explicitly avoids political attribution while acknowledging third-party assessments.
