Group description: Dragonfly

attack.mitre.org · MITRE ATT&CK
Dragonfly, TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear, Ghost Blizzard, BROMINE, Group G0035 | MITRE ATT&CK®

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16. [1] [2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks. [3] [4] [5] [6] [7] [8] [9]

ID: G0035
Associated Groups: TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear, Ghost Blizzard, BROMINE
Contributors: Dragos Threat Intelligence
Version: 4.0
Created: 31 May 2017
Last Modified: 08 January 2024

Associated Group Descriptions (Name, References)
TEMP.Isotope [10] [7]
DYMALLOY [11] [2]
Berserk Bear [7] [1] [2]
TG-4192 [4] [2]
Crouching Yeti [4] [7] [1] [2]
IRON LIBERTY [4] [12] [13] [2]
Energetic Bear [3] [4] [12] [13] [7] [1] [2]
Ghost Blizzard [14]
BROMINE [14]

Techniques Used (Domain, ID, Name - Use)
Enterprise T1087.002 Account Discovery: Domain Account - Dragonfly has used batch scripts to enumerate users on a victim domain controller. [15]
Enterprise T1098.007 Account Manipulation: Additional Local or Domain Groups - Dragonfly has added newly created accounts to the administrators group to maintain elevated access. [15]
Enterprise T1583.001 Acquire Infrastructure: Domains - Dragonfly has registered domains for targeting intended victims. [8]
Enterprise T1583.003 Acquire Infrastructure: Virtual Private Server - Dragonfly has acquired VPS infrastructure for use in malicious campaigns. [7]
Enterprise T1595.002 Active Scanning: Vulnerability Scanning - Dragonfly has scanned targeted systems for vulnerable Citrix and Microsoft Exchange services. [8]
Enterprise T1071.002 Application Layer Protocol: File Transfer Protocols - Dragonfly has used SMB for C2. [15]
Enterprise T1560 Archive Collected Data - Dragonfly has compressed data into .zip files prior to exfiltration. [15]
Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence. [15]
Enterprise T1110 Brute Force - Dragonfly has attempted to brute force credentials to gain access. [8]
Enterprise T1110.002 Brute Force: Password Cracking - Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec. [15] [16]
Enterprise T1059 Command and Scripting Interpreter - Dragonfly has used the command line for execution. [15]
Enterprise T1059.001 Command and Scripting Interpreter: PowerShell - Dragonfly has used PowerShell scripts for execution. [15] [5]
Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell - Dragonfly has used various types of scripting to perform operations, including batch scripts. [15]
Enterprise T1059.006 Command and Scripting Interpreter: Python - Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim. [15]
Enterprise T1584.004 Compromise Infrastructure: Server - Dragonfly has compromised legitimate websites to host C2 and malware modules. [7]
Enterprise T1136.001 Create Account: Local Account - Dragonfly has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target. [15]
Enterprise T1005 Data from Local System - Dragonfly has collected data from local victim systems. [15]
Enterprise T1074.001 Data Staged: Local Data Staging - Dragonfly has created a directory named "out" in the user's %AppData% folder and copied files to it. [15]
Enterprise T1189 Drive-by Compromise - Dragonfly has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit. [4] [15] [7]
Enterprise T1114.002 Email Collection: Remote Email Collection - Dragonfly has accessed email accounts using Outlook Web Access. [15]
Enterprise T1190 Exploit Public-Facing Application - Dragonfly has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs. [8]
Enterprise T1203 Exploitation for Client Execution - Dragonfly has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system. [7]
Enterprise T1210 Exploitation of Remote Services - Dragonfly has exploited a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory servers. [8]
Enterprise T1133 External Remote Services - Dragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks. [15] [8]
Enterprise T1083 File and Directory Discovery - Dragonfly has used a batch script to gather folder and file names from victim hosts. [15] [7] [8]
Enterprise T1187 Forced Authentication - Dragonfly has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems. [15] [7]
Enterprise T1591.002 Gather Victim Org Information: Business Relationships - Dragonfly has collected open source information to identify relationships between organizations for targeting purposes. [7]
Enterprise T1564.002 Hide Artifacts: Hidden Users - Dragonfly has modified the Registry to hide created user accounts. [15]
Enterprise T1562.004 Impair Defenses: Disable or Modify System Firewall - Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389. [15]
Enterprise T1070.001 Indicator Removal: Clear Windows Event Logs - Dragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys. [15]
Enterprise T1070.004 Indicator Removal: File Deletion - Dragonfly has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots. [15]
Enterprise T1105 Ingress Tool Transfer - Dragonfly has copied and installed tools for operations once in the victim environment. [15]
Enterprise T1036.010 Masquerading: Masquerade Account Name - Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account. [15]
Enterprise T1112 Modify Registry - Dragonfly has modified the Registry to perform multiple techniques through the use of Reg. [15]
Enterprise T1135 Network Share Discovery - Dragonfly has identified and browsed file servers in the victim network, sometimes viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems. [15]
Enterprise T1588.002 Obtain Capabilities: Tool - Dragonfly has obtained and used tools such as Mimikatz, CrackMapExec, and PsExec. [4]
Enterprise T1003.002 OS Credential Dumping: Security Account Manager - Dragonfly has dropped and executed SecretsDump to dump password hashes. [15]
Enterprise T1003.003 OS Credential Dumping: NTDS - Dragonfly has dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers. [15] [17]
Enterprise T1003.004 OS Credential Dumping: LSA Secrets - Dragonfly has dropped and executed SecretsDump to dump password hashes. [15] [17]
Enterprise T1069.002 Permission Groups Discovery: Domain Groups - Dragonfly has used batch scripts to enumerate administrators and users in the domain. [15]
Enterprise T1566.001 Phishing: Spearphishing Attachment - Dragonfly has sent emails with malicious attachments to gain initial access. [7]
Enterprise T1598.002 Phishing for Information: Spearphishing Attachment - Dragonfly has used spearphishing with Microsoft Office attachments to enable harvesting of user credentials. [15]
Enterprise T1598.003 Phishing for Information: Spearphishing Link - Dragonfly has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites. [15]
Enterprise T1012 Query Registry - Dragonfly has queried the Registry to identify victim information. [15]
Enterprise T1021.001 Remote Services: Remote Desktop Protocol - Dragonfly has moved laterally via RDP. [15]
Enterprise T1018 Remote System Discovery - Dragonfly has likely obtained a list of hosts in the victim environment. [15]
Enterprise T1053.005 Scheduled Task/Job: Scheduled Task - Dragonfly has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files. [15]
Enterprise T1113 Screen Capture - Dragonfly has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil). [15] [5] [7]
Enterprise T1505.003 Server Software Component: Web Shell - Dragonfly has commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files. [15]
Enterprise T1608.004 Stage Capabilities: Drive-by Target - Dragonfly has compromised websites to redirect traffic and to host exploit kits. [7]
Enterprise T1195.002 Supply Chain Compromise: Compromise Software Supply Chain - Dragonfly has placed trojanized installers for control system software on legitimate vendor app stores. [4] [7]
Enterprise T1016 System Network Configuration Discovery - Dragonfly has used batch scripts to enumerate network information, including information about trusts, zones, and the domain. [15]
Enterprise T1033 System Owner/User Discovery - Dragonfly used the command "query user" on victim hosts. [15]
Enterprise T1221 Template Injection - Dragonfly has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication. [15]
Enterprise T1204.002 User Execution: Malicious File - Dragonfly has used various forms of spearphishing in attempts to get users to open malicious attachments. [7]
Enterprise T1078 Valid Accounts - Dragonfly has compromised user credentials and used valid accounts for operations. [15] [7] [8]
ICS T0817 Drive-by Compromise - Dragonfly utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver Backdoor.Oldrea or Trojan.Karagany. [18]
ICS T0862 Supply Chain Compromise - Dragonfly trojanized legitimate ICS equipment providers' software packages available for download on their websites. [18]

Software (ID, Name, References - Techniques)
S0093 Backdoor.Oldrea [3] [7] - Account Discovery: Email Account, Archive Collected Data, Automated Collection, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Denial of Service, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Network Service Discovery, Point & Tag Identification, Process Discovery, Process Injection, Remote System Discovery, Remote System Discovery, Remote System Information Discovery, Spearphishing Attachment, Supply Chain Compromise, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution
S0488 CrackMapExec [4] [15] - Account Discovery: Domain Account, Brute Force: Password Spraying, Brute Force: Password Guessing, Brute Force, Command and Scripting Interpreter: PowerShell, File and Directory Discovery, Local Storage Discovery, Modify Registry, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, Scheduled Task/Job: At, System Network Configuration Discovery, System Network Connections Discovery, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S0357 Impacket [15] [17] - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Lateral Tool Transfer, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Windows Management Instrumentation
S0500 MCMD [12] - Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Hide Artifacts: Hidden Window, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Obfuscated Files or Information, Scheduled Task/Job: Scheduled Task
S0002 Mimikatz [4] - Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [15] - Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0108 netsh [15] - Event Triggered Execution: Netsh Helper DLL, Impair Defenses: Disable or Modify System Firewall, Proxy, Software Discovery: Security Software Discovery
S0029 PsExec [4] [15] [5] [7] - Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0075 Reg [15] - Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry
S0094 Trojan.Karagany [3] [13] [7] - Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Staged: Local Data Staging, Encrypted Channel: Asymmetric Cryptography, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, OS Credential Dumping, Process Discovery, Process Injection: Thread Execution Hijacking, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: System Checks

References
[1] Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.
[2] UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022.
[3] Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
[4] Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.
[5] Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
[6] Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.
[7] Slowik, J. (2021, October). The Baffling Berserk Bear: A Decade's Activity Targeting Critical Infrastructure. Retrieved December 6, 2021.
[8] CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.
[9] Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.
[10] Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.
[11] Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.
[12] Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
[13] Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
[14] Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[15] US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
[16] Kali. (2014, February 18). THC-Hydra. Retrieved November 2, 2017.
[17] Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
[18] Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.