Dragonfly
Associated Group Descriptions

| Name | Description |
|---|---|
| DYMALLOY | (Citation: Dragos DYMALLOY)(Citation: UK GOV FSB Factsheet April 2022) |
| Berserk Bear | (Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) |
| TEMP.Isotope | (Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021) |
| Ghost Blizzard | (Citation: Microsoft Threat Actor Naming July 2023) |
| BROMINE | (Citation: Microsoft Threat Actor Naming July 2023) |
| Crouching Yeti | (Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) |
| IRON LIBERTY | (Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022) |
| TG-4192 | (Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022) |
| Energetic Bear | (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.002 | Account Discovery: Domain Account | Dragonfly has used batch scripts to enumerate users on a victim domain controller. (Citation: US-CERT TA18-074A) |
| Enterprise | T1098.007 | Account Manipulation: Additional Local or Domain Groups | Dragonfly has added newly created accounts to the administrators group to maintain elevated access. (Citation: US-CERT TA18-074A) |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | Dragonfly has registered domains for targeting intended victims. (Citation: CISA AA20-296A Berserk Bear December 2020) |
| Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | Dragonfly has acquired VPS infrastructure for use in malicious campaigns. (Citation: Gigamon Berserk Bear October 2021) |
| Enterprise | T1595.002 | Active Scanning: Vulnerability Scanning | Dragonfly has scanned targeted systems for vulnerable Citrix and Microsoft Exchange services. (Citation: CISA AA20-296A Berserk Bear December 2020) |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | Dragonfly has used SMB for C2. (Citation: US-CERT TA18-074A) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence. (Citation: US-CERT TA18-074A) |
| Enterprise | T1110.002 | Brute Force: Password Cracking | Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec. (Citation: US-CERT TA18-074A)(Citation: Kali Hydra) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Dragonfly has used PowerShell scripts for execution. (Citation: US-CERT TA18-074A)(Citation: Symantec Dragonfly Sept 2017) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Dragonfly has used various types of scripting to perform operations, including batch scripts. (Citation: US-CERT TA18-074A) |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim. (Citation: US-CERT TA18-074A) |
| Enterprise | T1584.004 | Compromise Infrastructure: Server | Dragonfly has compromised legitimate websites to host C2 and malware modules. (Citation: Gigamon Berserk Bear October 2021) |
| Enterprise | T1136.001 | Create Account: Local Account | Dragonfly has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target. (Citation: US-CERT TA18-074A) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Dragonfly has created a directory named "out" in the user's %AppData% folder and copied files to it. (Citation: US-CERT TA18-074A) |
| Enterprise | T1114.002 | Email Collection: Remote Email Collection | Dragonfly has accessed email accounts using Outlook Web Access. (Citation: US-CERT TA18-074A) |
| Enterprise | T1591.002 | Gather Victim Org Information: Business Relationships | Dragonfly has collected open source information to identify relationships between organizations for targeting purposes. (Citation: Gigamon Berserk Bear October 2021) |
| Enterprise | T1564.002 | Hide Artifacts: Hidden Users | Dragonfly has modified the Registry to hide created user accounts. (Citation: US-CERT TA18-074A) |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389. (Citation: US-CERT TA18-074A) |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | Dragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys. (Citation: US-CERT TA18-074A) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Dragonfly has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots. (Citation: US-CERT TA18-074A) |
| Enterprise | T1036.010 | Masquerading: Masquerade Account Name | Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account. (Citation: US-CERT TA18-074A) |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Dragonfly has dropped and executed SecretsDump to dump password hashes. (Citation: US-CERT TA18-074A) |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | Dragonfly has dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers. (Citation: US-CERT TA18-074A)(Citation: Core Security Impacket) |
| Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | Dragonfly has dropped and executed SecretsDump to dump password hashes. (Citation: US-CERT TA18-074A)(Citation: Core Security Impacket) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Dragonfly has obtained and used tools such as Mimikatz, CrackMapExec, and PsExec. (Citation: Secureworks IRON LIBERTY July 2019) |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Dragonfly has used batch scripts to enumerate administrators and users in the domain. (Citation: US-CERT TA18-074A) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Dragonfly has sent emails with malicious attachments to gain initial access. (Citation: Gigamon Berserk Bear October 2021) |
| Enterprise | T1598.002 | Phishing for Information: Spearphishing Attachment | Dragonfly has used spearphishing with Microsoft Office attachments to enable harvesting of user credentials. (Citation: US-CERT TA18-074A) |
| Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | Dragonfly has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites. (Citation: US-CERT TA18-074A) |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Dragonfly has moved laterally via RDP. (Citation: US-CERT TA18-074A) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Dragonfly has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files. (Citation: US-CERT TA18-074A) |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Dragonfly has commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files. (Citation: US-CERT TA18-074A) |
| Enterprise | T1608.004 | Stage Capabilities: Drive-by Target | Dragonfly has compromised websites to redirect traffic and to host exploit kits. (Citation: Gigamon Berserk Bear October 2021) |
| Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Dragonfly has placed trojanized installers for control system software on legitimate vendor app stores. (Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021) |
| Enterprise | T1204.002 | User Execution: Malicious File | Dragonfly has used various forms of spearphishing in attempts to get users to open malicious attachments. (Citation: Gigamon Berserk Bear October 2021) |
References

- Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
- Slowik, J. (2021, October). The Baffling Berserk Bear: A Decade's Activity Targeting Critical Infrastructure. Retrieved December 6, 2021.
- Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
- CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.
- Kali. (2014, February 18). THC-Hydra. Retrieved November 2, 2017.
- Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
- Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.
- Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.
- Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.
- Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.
- Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.
- UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022.