URL: https://attack.mitre.org/groups/G0035/

DRAGONFLY

Dragonfly is a cyber espionage group that has been attributed to Russia's
Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010,
Dragonfly has targeted defense and aviation companies, government entities,
companies related to industrial control systems, and critical infrastructure
sectors worldwide through supply chain, spearphishing, and drive-by compromise
attacks.[3][4][5][6][7][8][9]

ID: G0035
Associated Groups: TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching
Yeti, IRON LIBERTY, Energetic Bear
Contributors: Dragos Threat Intelligence
Version: 3.0
Created: 31 May 2017
Last Modified: 24 May 2022

ASSOCIATED GROUP DESCRIPTIONS

Name            Description
TEMP.Isotope    [10][7]
DYMALLOY        [11][2]
Berserk Bear    [7][1][2]
TG-4192         [4][2]
Crouching Yeti  [4][7][1][2]
IRON LIBERTY    [4][12][13][2]
Energetic Bear  [3][4][12][13][7][1][2]

TECHNIQUES USED

Domain ID Name Use

Enterprise T1087.002 Account Discovery: Domain Account

Dragonfly has used batch scripts to enumerate users on a victim domain
controller.[14]

Enterprise T1098 Account Manipulation

Dragonfly has added newly created accounts to the administrators group to
maintain elevated access.[14]

Enterprise T1583.001 Acquire Infrastructure: Domains

Dragonfly has registered domains for targeting intended victims.[8]

Enterprise T1583.003 Acquire Infrastructure: Virtual Private Server

Dragonfly has acquired VPS infrastructure for use in malicious campaigns.[7]

Enterprise T1595.002 Active Scanning: Vulnerability Scanning

Dragonfly has scanned targeted systems for vulnerable Citrix and Microsoft
Exchange services.[8]

Enterprise T1071 Application Layer Protocol

Dragonfly has used SMB for C2.[14]

Enterprise T1560 Archive Collected Data

Dragonfly has compressed data into .zip files prior to exfiltration.[14]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys /
Startup Folder

Dragonfly has added the registry value ntdll to the Registry Run key to
establish persistence.[14]

Enterprise T1547.009 Boot or Logon Autostart Execution: Shortcut Modification

Dragonfly has manipulated .lnk files to gather user credentials in conjunction
with Forced Authentication.[14]

Enterprise T1110 Brute Force

Dragonfly has attempted to brute force credentials to gain access.[8]

Enterprise T1110.002 Brute Force: Password Cracking

Dragonfly has dropped and executed tools used for password cracking, including
Hydra and CrackMapExec.[14][15]

Enterprise T1059 Command and Scripting Interpreter

Dragonfly has used the command line for execution.[14]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Dragonfly has used PowerShell scripts for execution.[14][5]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Dragonfly has used various types of scripting to perform operations, including
batch scripts.[14]

Enterprise T1059.006 Command and Scripting Interpreter: Python

Dragonfly has used various types of scripting to perform operations, including
Python scripts. The group was observed installing Python 2.7 on a victim.[14]

Enterprise T1584.004 Compromise Infrastructure: Server

Dragonfly has compromised legitimate websites to host C2 and malware modules.[7]

Enterprise T1136.001 Create Account: Local Account

Dragonfly has created accounts on victims, including administrator accounts,
some of which appeared to be tailored to each individual staging target.[14]

Enterprise T1005 Data from Local System

Dragonfly has collected data from local victim systems.[14]

Enterprise T1074.001 Data Staged: Local Data Staging

Dragonfly has created a directory named "out" in the user's %AppData% folder and
copied files to it.[14]

Enterprise T1189 Drive-by Compromise

Dragonfly has compromised targets via strategic web compromise (SWC) utilizing a
custom exploit kit.[4][14][7]

Enterprise T1114.002 Email Collection: Remote Email Collection

Dragonfly has accessed email accounts using Outlook Web Access.[14]

Enterprise T1190 Exploit Public-Facing Application

Dragonfly has conducted SQL injection attacks, exploited vulnerabilities
CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379
for Fortinet VPNs.[8]

Enterprise T1203 Exploitation for Client Execution

Dragonfly has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on
a targeted system.[7]

Enterprise T1210 Exploitation of Remote Services

Dragonfly has exploited a Windows Netlogon vulnerability (CVE-2020-1472) to
obtain access to Windows Active Directory servers.[8]

Enterprise T1133 External Remote Services

Dragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to
victim networks.[14][8]

Enterprise T1083 File and Directory Discovery

Dragonfly has used a batch script to gather folder and file names from victim
hosts.[14][7][8]

Enterprise T1187 Forced Authentication

Dragonfly has gathered hashed user credentials over SMB using spearphishing
attachments with external resource links and by modifying .LNK file icon
resources to collect credentials from virtualized systems.[14][7]

Enterprise T1591.002 Gather Victim Org Information: Business Relationships

Dragonfly has collected open source information to identify relationships
between organizations for targeting purposes.[7]

Enterprise T1564.002 Hide Artifacts: Hidden Users

Dragonfly has modified the Registry to hide created user accounts.[14]

Enterprise T1562.004 Impair Defenses: Disable or Modify System Firewall

Dragonfly has disabled host-based firewalls. The group has also globally opened
port 3389.[14]

Enterprise T1070.001 Indicator Removal on Host: Clear Windows Event Logs

Dragonfly has cleared Windows event logs and other logs produced by tools they
used, including system, security, terminal services, remote services, and audit
logs. The actors also deleted specific Registry keys.[14]

Enterprise T1070.004 Indicator Removal on Host: File Deletion

Dragonfly has deleted many of its files used during operations as part of
cleanup, including removing applications and deleting screenshots.[14]

Enterprise T1105 Ingress Tool Transfer

Dragonfly has copied and installed tools for operations once in the victim
environment.[14]

Enterprise T1036 Masquerading

Dragonfly has created accounts disguised as legitimate backup and service
accounts as well as an email administration account.[14]

Enterprise T1112 Modify Registry

Dragonfly has modified the Registry to perform multiple techniques through the
use of Reg.[14]

Enterprise T1135 Network Share Discovery

Dragonfly has identified and browsed file servers in the victim network,
sometimes viewing files pertaining to ICS or Supervisory Control and Data
Acquisition (SCADA) systems.[14]

Enterprise T1588.002 Obtain Capabilities: Tool

Dragonfly has obtained and used tools such as Mimikatz, CrackMapExec, and
PsExec.[4]

Enterprise T1003.002 OS Credential Dumping: Security Account Manager

Dragonfly has dropped and executed SecretsDump to dump password hashes.[14]

Enterprise T1003.003 OS Credential Dumping: NTDS

Dragonfly has dropped and executed SecretsDump to dump password hashes. They
also obtained ntds.dit from domain controllers.[14][16]

Enterprise T1003.004 OS Credential Dumping: LSA Secrets

Dragonfly has dropped and executed SecretsDump to dump password hashes.[14][16]

Enterprise T1069.002 Permission Groups Discovery: Domain Groups

Dragonfly has used batch scripts to enumerate administrators and users in the
domain.[14]

Enterprise T1566.001 Phishing: Spearphishing Attachment

Dragonfly has sent emails with malicious attachments to gain initial access.[7]

Enterprise T1598.002 Phishing for Information: Spearphishing Attachment

Dragonfly has used spearphishing with Microsoft Office attachments to enable
harvesting of user credentials.[14]

Enterprise T1598.003 Phishing for Information: Spearphishing Link

Dragonfly has used spearphishing with PDF attachments containing malicious links
that redirected to credential harvesting websites.[14]

Enterprise T1012 Query Registry

Dragonfly has queried the Registry to identify victim information.[14]

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

Dragonfly has moved laterally via RDP.[14]

Enterprise T1018 Remote System Discovery

Dragonfly has likely obtained a list of hosts in the victim environment.[14]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

Dragonfly has used scheduled tasks to automatically log out of created accounts
every 8 hours as well as to execute malicious files.[14]

Enterprise T1113 Screen Capture

Dragonfly has performed screen captures of victims, including by using a tool,
scr.exe (which matched the hash of ScreenUtil).[14][5][7]

Enterprise T1505.003 Server Software Component: Web Shell

Dragonfly has commonly created Web shells on victims' publicly accessible email
and web servers, which they used to maintain access to a victim network and
download additional malicious files.[14]

Enterprise T1608.004 Stage Capabilities: Drive-by Target

Dragonfly has compromised websites to redirect traffic and to host exploit
kits.[7]

Enterprise T1195.002 Supply Chain Compromise: Compromise Software Supply Chain

Dragonfly has placed trojanized installers for control system software on
legitimate vendor app stores.[4][7]

Enterprise T1016 System Network Configuration Discovery

Dragonfly has used batch scripts to enumerate network information, including
information about trusts, zones, and the domain.[14]

Enterprise T1033 System Owner/User Discovery

Dragonfly used the command "query user" on victim hosts.[14]

Enterprise T1221 Template Injection

Dragonfly has injected SMB URLs into malicious Word spearphishing attachments to
initiate Forced Authentication.[14]

Enterprise T1204.002 User Execution: Malicious File

Dragonfly has used various forms of spearphishing in attempts to get users to
open malicious attachments.[7]

Enterprise T1078 Valid Accounts

Dragonfly has compromised user credentials and used valid accounts for
operations.[14][7][8]

ICS T0817 Drive-by Compromise

Dragonfly utilized watering hole attacks on energy sector websites by injecting
a redirect iframe to deliver Backdoor.Oldrea or Trojan.Karagany.[17]

ICS T0862 Supply Chain Compromise

Dragonfly trojanized legitimate ICS equipment providers' software packages
available for download on the providers' websites.[17]
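The technique entries above are observations, not detection content. As an added defender-side illustration (not part of the ATT&CK page or of any of the referenced reports), the Python script below turns several of them into endpoint hunting checks and runs them over constructed sample events: a Run-key value named "ntdll" (T1547.001), an account added to the local Administrators group (T1098), a host firewall disabled or inbound port 3389 opened with netsh (T1562.004), "query user" execution (T1033), and files staged in an "out" directory under %AppData% and archived as .zip (T1074.001, T1560). The event schema (dicts with "kind", "host" and per-kind fields), the hostnames, paths and command lines are all constructed for this example; a real pipeline would map Sysmon or Windows Security log fields onto that schema.

```python
"""Endpoint hunting checks derived from the Dragonfly (G0035) observations.

Added example, not part of the ATT&CK page or of any referenced report. The
event schema and the sample events are constructed for this example; a real
pipeline would map Sysmon (event IDs 1, 11, 13) or Windows Security log
fields onto them.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK ID the matched behaviour is listed under on the page
    host: str
    detail: str


# Constructed sample events (not real telemetry). Hostnames, users, paths and
# command lines are placeholders; ws03 and ws04 carry only benign activity.
SAMPLE_EVENTS = [
    {"kind": "registry", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "ntdll", "data": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"kind": "registry", "host": "ws01",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Program Files\OneDrive\OneDrive.exe"},
    {"kind": "process", "host": "srv02",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"kind": "process", "host": "srv02",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"kind": "process", "host": "srv02",
     "cmdline": 'netsh advfirewall firewall add rule name="rdp" dir=in '
                "action=allow protocol=TCP localport=3389"},
    {"kind": "process", "host": "ws01", "cmdline": "query user"},
    {"kind": "process", "host": "ws03", "cmdline": "cmd /c dir"},
    {"kind": "file", "host": "ws01",
     "path": r"C:\Users\alice\AppData\Roaming\out\collected.zip"},
    {"kind": "file", "host": "ws04", "path": r"C:\Users\bob\Documents\report.docx"},
]

# T1547.001: a Run-key value named "ntdll", the value name the page reports.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
# T1098: an account added to the local Administrators group with net.exe.
ADMIN_ADD_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)
# T1562.004: host firewall disabled, or inbound TCP/3389 allowed, via netsh.
FW_OFF_RE = re.compile(
    r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)
RDP_RULE_RE = re.compile(
    r"\bnetsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*\blocalport=3389\b",
    re.I)
# T1033: "query user" run on a host.
QUERY_USER_RE = re.compile(r"(?:^|\\)query(?:\.exe)?\s+user\b", re.I)
# T1074.001 / T1560: an "out" staging directory under %AppData%, .zip archives there.
STAGING_DIR_RE = re.compile(r"\\AppData\\Roaming\\out\\", re.I)
ZIP_IN_APPDATA_RE = re.compile(r"\\AppData\\.*\.zip$", re.I)


def hunt(events):
    """Return one Finding per matched behaviour, in event order."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["kind"] == "registry":
            if RUN_KEY_RE.search(ev["key"]) and ev["value"].lower() == "ntdll":
                findings.append(Finding("T1547.001", host,
                                        f"Run key value 'ntdll' -> {ev['data']}"))
        elif ev["kind"] == "process":
            cmd = ev["cmdline"]
            m = ADMIN_ADD_RE.search(cmd)
            if m:
                findings.append(Finding("T1098", host,
                                        f"{m.group(1)} added to local Administrators"))
            if FW_OFF_RE.search(cmd):
                findings.append(Finding("T1562.004", host, "host firewall disabled via netsh"))
            if RDP_RULE_RE.search(cmd):
                findings.append(Finding("T1562.004", host, "inbound TCP/3389 allowed via netsh"))
            if QUERY_USER_RE.search(cmd):
                findings.append(Finding("T1033", host, "'query user' executed"))
        elif ev["kind"] == "file":
            path = ev["path"]
            if STAGING_DIR_RE.search(path):
                findings.append(Finding("T1074.001", host,
                                        f"file staged under %AppData%\\out: {path}"))
            if ZIP_IN_APPDATA_RE.search(path):
                findings.append(Finding("T1560", host,
                                        f"archive written under %AppData%: {path}"))
    return findings


def summarize(findings):
    """Map each technique ID to the sorted list of hosts it fired on."""
    hosts_by_tech = {}
    for f in findings:
        hosts_by_tech.setdefault(f.technique, set()).add(f.host)
    return {t: sorted(h) for t, h in sorted(hosts_by_tech.items())}


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.host:6} {f.detail}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

Each check is deliberately narrow (an exact value name, an exact port, an exact command) so that a single hit is worth an analyst's time; the summary groups hits per host so that srv02, where three different behaviours fire together, stands out over a host with one isolated match.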


SOFTWARE

S0093 Backdoor.Oldrea [3][7]
Techniques: Account Discovery: Email Account, Archive Collected Data, Automated
Collection, Boot or Logon Autostart Execution: Registry Run Keys / Startup
Folder, Credentials from Password Stores: Credentials from Web Browsers, Data
Encoding: Standard Encoding, Denial of Service, File and Directory Discovery,
Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Network Service
Discovery, Point & Tag Identification, Process Discovery, Process Injection,
Remote System Discovery, Remote System Discovery, Remote System Information
Discovery, Spearphishing Attachment, Supply Chain Compromise, System Binary
Proxy Execution: Rundll32, System Information Discovery, System Network
Configuration Discovery, System Owner/User Discovery, User Execution

S0488 CrackMapExec [4][14]
Techniques: Account Discovery: Domain Account, Brute Force: Password Spraying,
Brute Force: Password Guessing, Brute Force, Command and Scripting Interpreter:
PowerShell, File and Directory Discovery, Modify Registry, Network Share
Discovery, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, OS
Credential Dumping: Security Account Manager, Password Policy Discovery,
Permission Groups Discovery: Domain Groups, Remote System Discovery, Scheduled
Task/Job: At, System Information Discovery, System Network Configuration
Discovery, System Network Connections Discovery, Use Alternate Authentication
Material: Pass the Hash, Windows Management Instrumentation

S0357 Impacket [14][16]
Techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,
Network Sniffing, OS Credential Dumping: Security Account Manager, OS Credential
Dumping: LSA Secrets, OS Credential Dumping: LSASS Memory, OS Credential
Dumping: NTDS, Steal or Forge Kerberos Tickets: Kerberoasting, System Services:
Service Execution, Windows Management Instrumentation

S0500 MCMD [12]
Techniques: Application Layer Protocol: Web Protocols, Boot or Logon Autostart
Execution: Registry Run Keys / Startup Folder, Command and Scripting
Interpreter: Windows Command Shell, Data from Local System, Hide Artifacts:
Hidden Window, Indicator Removal on Host, Ingress Tool Transfer, Masquerading:
Match Legitimate Name or Location, Obfuscated Files or Information, Scheduled
Task/Job: Scheduled Task

S0002 Mimikatz [4]
Techniques: Access Token Manipulation: SID-History Injection, Account
Manipulation, Boot or Logon Autostart Execution: Security Support Provider,
Credentials from Password Stores: Windows Credential Manager, Credentials from
Password Stores, Credentials from Password Stores: Credentials from Web
Browsers, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security
Account Manager, OS Credential Dumping: DCSync, OS Credential Dumping: LSA
Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Golden
Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials:
Private Keys, Use Alternate Authentication Material: Pass the Ticket, Use
Alternate Authentication Material: Pass the Hash

S0039 Net [14]
Techniques: Account Discovery: Domain Account, Account Discovery: Local Account,
Create Account: Local Account, Create Account: Domain Account, Indicator Removal
on Host: Network Share Connection Removal, Network Share Discovery, Password
Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups
Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote
System Discovery, System Network Connections Discovery, System Service
Discovery, System Services: Service Execution, System Time Discovery

S0108 netsh [14]
Techniques: Event Triggered Execution: Netsh Helper DLL, Impair Defenses:
Disable or Modify System Firewall, Proxy, Software Discovery: Security Software
Discovery

S0029 PsExec [4][14][5][7]
Techniques: Create Account: Domain Account, Create or Modify System Process:
Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin
Shares, System Services: Service Execution

S0075 Reg [14]
Techniques: Modify Registry, Query Registry, Unsecured Credentials: Credentials
in Registry

S0094 Trojan.Karagany [3][13][7]
Techniques: Application Layer Protocol: Web Protocols, Application Window
Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup
Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials
from Password Stores: Credentials from Web Browsers, Data Staged: Local Data
Staging, Encrypted Channel: Asymmetric Cryptography, File and Directory
Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer,
Input Capture: Keylogging, Obfuscated Files or Information: Software Packing,
Obfuscated Files or Information, OS Credential Dumping, Process Discovery,
Process Injection: Thread Execution Hijacking, Screen Capture, System
Information Discovery, System Network Configuration Discovery, System Network
Connections Discovery, System Owner/User Discovery, Virtualization/Sandbox
Evasion: System Checks


REFERENCES

 1. Department of Justice. (2022, March 24). Four Russian Government Employees
    Charged in Two Historical Hacking Campaigns Targeting Critical
    Infrastructure Worldwide. Retrieved April 5, 2022.
 2. UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved
    April 5, 2022.
 3. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage
    Attacks Against Energy Suppliers. Retrieved April 8, 2016.
 4. Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy
    Sector. Retrieved August 12, 2020.
 5. Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector
    targeted by sophisticated attack group. Retrieved September 9, 2017.
 6. Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid,
    Symantec Warns. Retrieved June 6, 2018.
 7. Slowik, J. (2021, October). The Baffling Berserk Bear: A Decade's Activity
    Targeting Critical Infrastructure. Retrieved December 6, 2021.
 8. CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat
    Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.
 9. Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by
    sophisticated attack group. Retrieved April 19, 2022.
 10. Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine
     Crisis Escalates. Retrieved January 24, 2022.
 11. Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.
 12. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13,
     2020.
 13. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy
     Sector. Retrieved August 12, 2020.
 14. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber
     Activity Targeting Energy and Other Critical Infrastructure Sectors.
     Retrieved June 6, 2018.
 15. Kali. (2014, February 18). THC-Hydra. Retrieved November 2, 2017.
 16. Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
 17. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage
     Attacks Against Energy Suppliers. Retrieved April 8, 2016.


© 2015-2022, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered
trademarks of The MITRE Corporation.

ATT&CK v11.3
