Dragonfly

Also known as: Berserk Bear, BROMINE, Crouching Yeti, Dragonfly, DYMALLOY, Energetic Bear, Ghost Blizzard, IRON LIBERTY, TEMP.Isotope, TG-4192, BERSERK BEAR, Koala Team, Blue Kraken, ALLANITE, CASTLE, Group 24, Havex, G0035, ATK6, ITG15, ENERGETIC BEAR

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16 [2][3]. Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks [4][5][6][7][8][9][10].

🌍 Country Russia
πŸ“ Last Updated
🎯 Incident Type Espionage
🧭 ATT&CK G0035
Sectors Energy, Private sector, Government

Activities and Tactics

Targeted Sectors: Energy, Private sector, Government

Country of Origin: 🇷🇺 Russia

Incident Type: Espionage

Suspected Victims: United States, Germany, Turkey, China, Spain, France, Ireland, Japan, Italy, Poland

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

Russian APT Tool Matrix observations

Category: Observed tools
Credential Theft: Mimikatz, ProcDump
Discovery: Angry IP Scanner
LOLBAS: BITSAdmin, PsExec
Networking: FortiClient
OffSec: CrackMapExec, Hydra, Impacket, Phishery
RMM Tools: TeamViewer

Attribution and Evidence

Country of Origin: Russia

Additional attribution information pending cataloguing.

References

[1] MITRE ATT&CK entry (G0035)
[2] DOJ, Russia Targeting Critical Infrastructure, March 2022
[3] UK GOV, FSB Factsheet, April 2022
[4] Symantec, Dragonfly
[5] Secureworks, IRON LIBERTY, July 2019
[6] Symantec, Dragonfly, Sept 2017
[7] Fortune, Dragonfly 2.0, Sept 2017
[8] Gigamon, Berserk Bear, October 2021
[9] CISA, AA20-296A Berserk Bear, December 2020
[10] Symantec, Dragonfly 2.0, October 2017