
Dragonfly

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)
ID: G0035
Associated Groups: DYMALLOY, Berserk Bear, TEMP.Isotope, Ghost Blizzard, BROMINE, Crouching Yeti, IRON LIBERTY, TG-4192, Energetic Bear
Version: 4.0
Created: 31 May 2017
Last Modified: 08 Jan 2024

Associated Group Descriptions

Name Description
DYMALLOY (Citation: Dragos DYMALLOY)(Citation: UK GOV FSB Factsheet April 2022)
Berserk Bear (Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)
TEMP.Isotope (Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021)
Ghost Blizzard (Citation: Microsoft Threat Actor Naming July 2023)
BROMINE (Citation: Microsoft Threat Actor Naming July 2023)
Crouching Yeti (Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)
IRON LIBERTY (Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022)
TG-4192 (Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022)
Energetic Bear (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Dragonfly has used batch scripts to enumerate users on a victim domain controller.(Citation: US-CERT TA18-074A)

Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

Dragonfly has added newly created accounts to the administrators group to maintain elevated access.(Citation: US-CERT TA18-074A)

Enterprise T1583 .001 Acquire Infrastructure: Domains

Dragonfly has registered domains for targeting intended victims.(Citation: CISA AA20-296A Berserk Bear December 2020)

Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

Dragonfly has acquired VPS infrastructure for use in malicious campaigns.(Citation: Gigamon Berserk Bear October 2021)

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Dragonfly has scanned targeted systems for vulnerable Citrix and Microsoft Exchange services.(Citation: CISA AA20-296A Berserk Bear December 2020)

Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

Dragonfly has used SMB for C2.(Citation: US-CERT TA18-074A)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence.(Citation: US-CERT TA18-074A)

Enterprise T1110 .002 Brute Force: Password Cracking

Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec.(Citation: US-CERT TA18-074A)(Citation: Kali Hydra)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Dragonfly has used PowerShell scripts for execution.(Citation: US-CERT TA18-074A)(Citation: Symantec Dragonfly Sept 2017)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Dragonfly has used various types of scripting to perform operations, including batch scripts.(Citation: US-CERT TA18-074A)

Enterprise T1059 .006 Command and Scripting Interpreter: Python

Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.(Citation: US-CERT TA18-074A)

Enterprise T1584 .004 Compromise Infrastructure: Server

Dragonfly has compromised legitimate websites to host C2 and malware modules.(Citation: Gigamon Berserk Bear October 2021)

Enterprise T1136 .001 Create Account: Local Account

Dragonfly has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.(Citation: US-CERT TA18-074A)

Enterprise T1074 .001 Data Staged: Local Data Staging

Dragonfly has created a directory named "out" in the user's %AppData% folder and copied files to it.(Citation: US-CERT TA18-074A)

Enterprise T1114 .002 Email Collection: Remote Email Collection

Dragonfly has accessed email accounts using Outlook Web Access.(Citation: US-CERT TA18-074A)

Enterprise T1591 .002 Gather Victim Org Information: Business Relationships

Dragonfly has collected open source information to identify relationships between organizations for targeting purposes.(Citation: Gigamon Berserk Bear October 2021)

Enterprise T1564 .002 Hide Artifacts: Hidden Users

Dragonfly has modified the Registry to hide created user accounts.(Citation: US-CERT TA18-074A)

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389.(Citation: US-CERT TA18-074A)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Dragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.(Citation: US-CERT TA18-074A)

Enterprise T1070 .004 Indicator Removal: File Deletion

Dragonfly has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.(Citation: US-CERT TA18-074A)

Enterprise T1036 .010 Masquerading: Masquerade Account Name

Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account.(Citation: US-CERT TA18-074A)

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Dragonfly has dropped and executed SecretsDump to dump password hashes.(Citation: US-CERT TA18-074A)

Enterprise T1003 .003 OS Credential Dumping: NTDS

Dragonfly has dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers.(Citation: US-CERT TA18-074A)(Citation: Core Security Impacket)

Enterprise T1003 .004 OS Credential Dumping: LSA Secrets

Dragonfly has dropped and executed SecretsDump to dump password hashes.(Citation: US-CERT TA18-074A)(Citation: Core Security Impacket)

Enterprise T1588 .002 Obtain Capabilities: Tool

Dragonfly has obtained and used tools such as Mimikatz, CrackMapExec, and PsExec.(Citation: Secureworks IRON LIBERTY July 2019)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Dragonfly has used batch scripts to enumerate administrators and users in the domain.(Citation: US-CERT TA18-074A)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Dragonfly has sent emails with malicious attachments to gain initial access.(Citation: Gigamon Berserk Bear October 2021)

Enterprise T1598 .002 Phishing for Information: Spearphishing Attachment

Dragonfly has used spearphishing with Microsoft Office attachments to enable harvesting of user credentials.(Citation: US-CERT TA18-074A)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Dragonfly has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.(Citation: US-CERT TA18-074A)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Dragonfly has moved laterally via RDP.(Citation: US-CERT TA18-074A)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Dragonfly has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.(Citation: US-CERT TA18-074A)

Enterprise T1505 .003 Server Software Component: Web Shell

Dragonfly has commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.(Citation: US-CERT TA18-074A)

Enterprise T1608 .004 Stage Capabilities: Drive-by Target

Dragonfly has compromised websites to redirect traffic and to host exploit kits.(Citation: Gigamon Berserk Bear October 2021)

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Dragonfly has placed trojanized installers for control system software on legitimate vendor app stores.(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)

Enterprise T1204 .002 User Execution: Malicious File

Dragonfly has used various forms of spearphishing in attempts to get users to open malicious attachments.(Citation: Gigamon Berserk Bear October 2021)

Software

ID Name References Techniques
S0039 Net (Citation: Microsoft Net Utility) (Citation: Savill 1999) (Citation: US-CERT TA18-074A) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account
S0093 Backdoor.Oldrea (Citation: Gigamon Berserk Bear October 2021) (Citation: Symantec Dragonfly Sept 2017) (Citation: Symantec Dragonfly) Registry Run Keys / Startup Folder, Network Service Discovery, File Deletion, System Network Configuration Discovery, Rundll32, Process Injection, Standard Encoding, Ingress Tool Transfer, Email Account, Archive Collected Data, Credentials from Web Browsers, Process Discovery, File and Directory Discovery, System Owner/User Discovery, Remote System Discovery, System Information Discovery
S0357 Impacket (Citation: Core Security Impacket) (Citation: Impacket Tools) (Citation: US-CERT TA18-074A) LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, Ccache Files, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, LSA Secrets
S0108 netsh (Citation: TechNet Netsh) (Citation: US-CERT TA18-074A) Disable or Modify System Firewall, Netsh Helper DLL, Proxy, Security Software Discovery
S0094 Trojan.Karagany (Citation: Dragos DYMALLOY) (Citation: Gigamon Berserk Bear October 2021) (Citation: Karagany) (Citation: Secureworks Karagany July 2019) (Citation: Symantec Dragonfly) (Citation: xFrost) System Owner/User Discovery, Screen Capture, System Network Connections Discovery, Application Window Discovery, Obfuscated Files or Information, Software Packing, Credentials from Web Browsers, Process Discovery, Registry Run Keys / Startup Folder, System Information Discovery, File Deletion, Ingress Tool Transfer, Keylogging, File and Directory Discovery, Local Data Staging, Thread Execution Hijacking, Asymmetric Cryptography, System Checks, OS Credential Dumping, System Network Configuration Discovery, Windows Command Shell, Web Protocols
S0500 MCMD (Citation: Secureworks MCMD July 2019) Indicator Removal, Clear Persistence, Windows Command Shell, Hidden Window, Web Protocols, Match Legitimate Name or Location, Obfuscated Files or Information, Scheduled Task, Data from Local System, Ingress Tool Transfer, Registry Run Keys / Startup Folder
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Secureworks IRON LIBERTY July 2019) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0488 CrackMapExec (Citation: CME Github September 2018) (Citation: Secureworks IRON LIBERTY July 2019) (Citation: US-CERT TA18-074A) Security Account Manager, NTDS, Password Spraying, Password Policy Discovery, Domain Account, System Network Connections Discovery, Password Guessing, At, Network Share Discovery, Remote System Discovery, LSA Secrets, Windows Management Instrumentation, Modify Registry, File and Directory Discovery, Pass the Hash, System Information Discovery, Domain Groups, PowerShell, System Network Configuration Discovery, Brute Force
S0075 Reg (Citation: Microsoft Reg) (Citation: US-CERT TA18-074A) (Citation: Windows Commands JPCERT) Credentials in Registry, Query Registry, Modify Registry
S0029 PsExec (Citation: Gigamon Berserk Bear October 2021) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Secureworks IRON LIBERTY July 2019) (Citation: Symantec Dragonfly Sept 2017) (Citation: US-CERT TA18-074A) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.
  2. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  3. Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
  4. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  5. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  6. CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.
  7. Kali. (2014, February 18). THC-Hydra. Retrieved November 2, 2017.
  8. Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
  9. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  10. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  11. Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.
  12. Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.
  13. Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.
  14. Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.
  15. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  16. Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.
  17. UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022.
