Dragonfly

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]

ID: G0035
Associated Groups: TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear, Ghost Blizzard, BROMINE
Contributors: Dragos Threat Intelligence
Version: 4.0
Created: 31 May 2017
Last Modified: 08 January 2024

Associated Group Descriptions

Name Description
TEMP.Isotope [10][7]
DYMALLOY [11][2]
Berserk Bear [7][1][2]
TG-4192 [4][2]
Crouching Yeti [4][7][1][2]
IRON LIBERTY [4][12][13][2]
Energetic Bear [3][4][12][13][7][1][2]
Ghost Blizzard [14]
BROMINE [14]

Techniques Used

Domain ID Name Use
Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Dragonfly has scanned targeted systems for vulnerable Citrix and Microsoft Exchange services.[8]

Enterprise T1005 Data from Local System

Dragonfly has collected data from local victim systems.[15]

Enterprise T1036 .010 Masquerading: Masquerade Account Name

Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account.[15]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Dragonfly has placed trojanized installers for control system software on legitimate vendor app stores.[4][7]

Enterprise T1598 .002 Phishing for Information: Spearphishing Attachment

Dragonfly has used spearphishing with Microsoft Office attachments to enable harvesting of user credentials.[15]

.003 Phishing for Information: Spearphishing Link

Dragonfly has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.[15]

Enterprise T1112 Modify Registry

Dragonfly has modified the Registry to perform multiple techniques through the use of Reg.[15]

Enterprise T1136 .001 Create Account: Local Account

Dragonfly has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.[15]

Enterprise T1190 Exploit Public-Facing Application

Dragonfly has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs.[8]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence.[15]

Enterprise T1059 Command and Scripting Interpreter

Dragonfly has used the command line for execution.[15]

.001 PowerShell

Dragonfly has used PowerShell scripts for execution.[15][5]

.003 Windows Command Shell

Dragonfly has used various types of scripting to perform operations, including batch scripts.[15]

.006 Python

Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.[15]

Enterprise T1584 .004 Compromise Infrastructure: Server

Dragonfly has compromised legitimate websites to host C2 and malware modules.[7]

Enterprise T1133 External Remote Services

Dragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks.[15][8]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389.[15]

Enterprise T1203 Exploitation for Client Execution

Dragonfly has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system.[7]

Enterprise T1113 Screen Capture

Dragonfly has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).[15][5][7]

Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

Dragonfly has used SMB for C2.[15]

Enterprise T1187 Forced Authentication

Dragonfly has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems.[15][7]

Enterprise T1560 Archive Collected Data

Dragonfly has compressed data into .zip files prior to exfiltration.[15]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Dragonfly has dropped and executed SecretsDump to dump password hashes.[15]

.003 OS Credential Dumping: NTDS

Dragonfly has dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers.[15][16]

.004 OS Credential Dumping: LSA Secrets

Dragonfly has dropped and executed SecretsDump to dump password hashes.[15][16]

Enterprise T1591 .002 Gather Victim Org Information: Business Relationships

Dragonfly has collected open source information to identify relationships between organizations for targeting purposes.[7]

Enterprise T1074 .001 Data Staged: Local Data Staging

Dragonfly has created a directory named "out" in the user's %AppData% folder and copied files to it.[15]

Enterprise T1083 File and Directory Discovery

Dragonfly has used a batch script to gather folder and file names from victim hosts.[15][7][8]

Enterprise T1608 .004 Stage Capabilities: Drive-by Target

Dragonfly has compromised websites to redirect traffic and to host exploit kits.[7]

Enterprise T1110 Brute Force

Dragonfly has attempted to brute force credentials to gain access.[8]

.002 Password Cracking

Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec.[15][17]

Enterprise T1078 Valid Accounts

Dragonfly has compromised user credentials and used valid accounts for operations.[15][7][8]

Enterprise T1505 .003 Server Software Component: Web Shell

Dragonfly has commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.[15]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Dragonfly has used batch scripts to enumerate administrators and users in the domain.[15]

Enterprise T1012 Query Registry

Dragonfly has queried the Registry to identify victim information.[15]

Enterprise T1221 Template Injection

Dragonfly has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication.[15]

Enterprise T1189 Drive-by Compromise

Dragonfly has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit.[4][15][7]

Enterprise T1204 .002 User Execution: Malicious File

Dragonfly has used various forms of spearphishing in attempts to get users to open malicious attachments.[7]

Enterprise T1114 .002 Email Collection: Remote Email Collection

Dragonfly has accessed email accounts using Outlook Web Access.[15]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Dragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.[15]

.004 Indicator Removal: File Deletion

Dragonfly has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.[15]

Enterprise T1033 System Owner/User Discovery

Dragonfly used the command query user on victim hosts.[15]

Enterprise T1016 System Network Configuration Discovery

Dragonfly has used batch scripts to enumerate network information, including information about trusts, zones, and the domain.[15]

Enterprise T1135 Network Share Discovery

Dragonfly has identified and browsed file servers in the victim network, sometimes viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.[15]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Dragonfly has registered domains for targeting intended victims.[8]

.003 Acquire Infrastructure: Virtual Private Server

Dragonfly has acquired VPS infrastructure for use in malicious campaigns.[7]

Enterprise T1588 .002 Obtain Capabilities: Tool

Dragonfly has obtained and used tools such as Mimikatz, CrackMapExec, and PsExec.[4]

Enterprise T1087 .002 Account Discovery: Domain Account

Dragonfly has used batch scripts to enumerate users on a victim domain controller.[15]

Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

Dragonfly has added newly created accounts to the administrators group to maintain elevated access.[15]

Enterprise T1105 Ingress Tool Transfer

Dragonfly has copied and installed tools for operations once in the victim environment.[15]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Dragonfly has moved laterally via RDP.[15]

Enterprise T1210 Exploitation of Remote Services

Dragonfly has exploited a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory servers.[8]

Enterprise T1018 Remote System Discovery

Dragonfly has likely obtained a list of hosts in the victim environment.[15]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Dragonfly has sent emails with malicious attachments to gain initial access.[7]

Enterprise T1564 .002 Hide Artifacts: Hidden Users

Dragonfly has modified the Registry to hide created user accounts.[15]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Dragonfly has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.[15]

ICS T0817 Drive-by Compromise

Dragonfly utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver Backdoor.Oldrea or Trojan.Karagany.[18]

ICS T0862 Supply Chain Compromise

Dragonfly trojanized legitimate ICS equipment providers' software packages available for download on their websites.[18]

Software

ID Name References Techniques
S0093 Backdoor.Oldrea [3][7] Automated Collection, Denial of Service, Point & Tag Identification, Remote System Discovery, Remote System Information Discovery, Spearphishing Attachment, Supply Chain Compromise, User Execution, Credentials from Password Stores: Credentials from Web Browsers, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Archive Collected Data, Data Encoding: Standard Encoding, File and Directory Discovery, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Network Service Discovery, Account Discovery: Email Account, Ingress Tool Transfer, Process Discovery, Process Injection, Remote System Discovery
S0488 CrackMapExec [4][15] Windows Management Instrumentation, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Command and Scripting Interpreter: PowerShell, Password Policy Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, File and Directory Discovery, Brute Force: Password Spraying, Brute Force: Password Guessing, Brute Force, Permission Groups Discovery: Domain Groups, System Information Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Account Discovery: Domain Account, Remote System Discovery, Scheduled Task/Job: At
S0357 Impacket [15][16] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Network Sniffing
S0500 MCMD [12] Data from Local System, Masquerading: Match Legitimate Name or Location, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Obfuscated Files or Information, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Hide Artifacts: Hidden Window, Scheduled Task/Job: Scheduled Task
S0002 Mimikatz [4] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [15] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0108 netsh [15] Event Triggered Execution: Netsh Helper DLL, Proxy, Impair Defenses: Disable or Modify System Firewall, Software Discovery: Security Software Discovery
S0029 PsExec [4][15][5][7] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0075 Reg [15] Modify Registry, Unsecured Credentials: Credentials in Registry, Query Registry
S0094 Trojan.Karagany [3][13][7] Credentials from Password Stores: Credentials from Web Browsers, Encrypted Channel: Asymmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Window Discovery, OS Credential Dumping, Data Staged: Local Data Staging, File and Directory Discovery, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Network Connections Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Thread Execution Hijacking

References