← threatfilter.dev / all groups / Dragonfly
Dragonfly
Also known as: TEMP.Isotope · DYMALLOY · Berserk Bear · TG-4192 · Crouching Yeti · IRON LIBERTY · Energetic Bear · Ghost Blizzard · BROMINE
Overview
Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16. Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.
Targets
Energy · Government · Private sector
Regions
China · France · Germany · Ireland · Italy · Japan · Poland · Spain · Turkey · United States
Capabilities
- Supply-chain compromise — ATT&CK T1195.002
- Exploitation of public-facing / client applications — ATT&CK T1190, T1203
TTPs — 56 techniques across 12 tactics
Reconnaissance
- T1591.002 Business Relationships
- T1595.002 Vulnerability Scanning
- T1598.002 Spearphishing Attachment
- T1598.003 Spearphishing Link
Resource Development
- T1583.001 Domains
- T1583.003 Virtual Private Server
- T1584.004 Server
- T1588.002 Tool
- T1608.004 Drive-by Target
Initial Access
- T1189 Drive-by Compromise
- T1190 Exploit Public-Facing Application
- T1195.002 Compromise Software Supply Chain
- T1566.001 Spearphishing Attachment
Execution
- T1053.005 Scheduled Task
- T1059 Command and Scripting Interpreter
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.006 Python
- T1203 Exploitation for Client Execution
- T1204.002 Malicious File
Persistence
- T1098.007 Additional Local or Domain Groups
- T1133 External Remote Services
- T1136.001 Local Account
- T1505.003 Web Shell
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1036.010 Masquerade Account Name
- T1070.004 File Deletion
- T1078 Valid Accounts
- T1221 Template Injection
- T1564.002 Hidden Users
Defense Impairment
- T1112 Modify Registry
- T1685.005 Clear Windows Event Logs
- T1686 Disable or Modify System Firewall
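The Persistence, Stealth and Defense Impairment lists above name a chain that is only interesting when its links occur together: a local account is created (T1136.001), added to a privileged group (T1098.007), and then hidden from the logon screen by writing a 0 under the Winlogon SpecialAccounts\UserList key (T1112, T1564.002). The correlation below is an added example written for this page, not code from threatfilter.dev or from the group's tooling. It runs over constructed Windows Security events (IDs 4720, 4732 and 4657, with field names simplified from the real event schema) and reports one finding per host and account, rated higher when the hiding step is present; hosts, account names, timestamps and the one-hour window are all assumptions.

```python
"""Correlate 'create, elevate, hide' local-account activity from constructed
Windows Security events. Added illustration for the page, not vendor code."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"                           # BUILTIN\Administrators
USERLIST_KEY = r"\Winlogon\SpecialAccounts\UserList"  # value 0 hides the account from logon UI

# Constructed sample telemetry (not real logs). Event IDs are the real Security
# log IDs; the field names are a simplification of the Windows event schema.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:14:03", "id": 4720, "host": "WS01", "subject": "CORP\\jdoe",
     "target": "svc_backup"},
    {"time": "2024-03-01T02:14:09", "id": 4732, "host": "WS01", "subject": "CORP\\jdoe",
     "member": "svc_backup", "group_sid": ADMINS_SID},
    {"time": "2024-03-01T02:15:40", "id": 4657, "host": "WS01", "subject": "CORP\\jdoe",
     "object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList",
     "value_name": "svc_backup", "new_value": "0"},
    # Benign: helpdesk creates an account, no elevation, no hiding -> no finding.
    {"time": "2024-03-01T09:00:00", "id": 4720, "host": "WS02", "subject": "CORP\\helpdesk",
     "target": "newhire"},
    # Partial chain: elevation without hiding -> reported at lower severity.
    {"time": "2024-03-01T10:00:00", "id": 4720, "host": "WS03", "subject": "CORP\\admin",
     "target": "tmpadm"},
    {"time": "2024-03-01T10:00:30", "id": 4732, "host": "WS03", "subject": "CORP\\admin",
     "member": "tmpadm", "group_sid": ADMINS_SID},
]


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(events, window=timedelta(hours=1)):
    """Return one finding per (host, account) whose 4720 is followed within
    `window` by a 4732 into Administrators and/or a 4657 that writes 0 under
    the SpecialAccounts\\UserList key for that account name."""
    created = {}              # (host, account) -> creation time
    chain = defaultdict(set)  # (host, account) -> follow-on technique IDs
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        host = ev["host"]
        if ev["id"] == 4720:
            created[(host, ev["target"].lower())] = _ts(ev["time"])
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINS_SID:
            key = (host, ev["member"].lower())
            if key in created and _ts(ev["time"]) - created[key] <= window:
                chain[key].add("T1098.007")
        elif (ev["id"] == 4657 and ev.get("object", "").endswith(USERLIST_KEY)
              and ev.get("new_value") == "0"):
            key = (host, ev["value_name"].lower())
            if key in created and _ts(ev["time"]) - created[key] <= window:
                chain[key].update({"T1112", "T1564.002"})
    # A bare 4720 (T1136.001 alone) is too noisy to alert on; only accounts
    # with at least one follow-on step are reported.
    findings = []
    for (host, acct), techs in chain.items():
        findings.append({
            "host": host,
            "account": acct,
            "techniques": sorted({"T1136.001"} | techs),
            "severity": "high" if "T1564.002" in techs else "medium",
        })
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

The registry step is keyed on the value name matching the created account, which is what distinguishes this chain from an administrator legitimately hiding a built-in service account; in production the 4657 match would normally come from Sysmon event 13 or an EDR registry feed rather than Security auditing, since object-access auditing on that key is rarely enabled by default.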
Credential Access
- T1003.002 Security Account Manager
- T1003.003 NTDS
- T1003.004 LSA Secrets
- T1110 Brute Force
- T1110.002 Password Cracking
- T1187 Forced Authentication
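Template Injection (T1221, listed under Stealth above) and Forced Authentication (T1187, listed here) are two sides of one document: an Office file whose attached-template relationship points at an external location makes Word fetch that location on open, and when the location is a UNC or file: path the fetch also sends the user's NTLM authentication to the attacker's host. The scanner below is an added example written for this page, not code from threatfilter.dev or from the group's tooling. It builds constructed .docx files in memory, walks every `.rels` part, and flags an external attached-template relationship as T1221, adding T1187 when the target would trigger SMB authentication; it generalises slightly beyond the two listed techniques by also flagging any external relationship with a UNC target, whatever its type. The IP addresses and file names are assumptions from the documentation ranges.

```python
"""Flag remote-template and forced-authentication targets in a .docx.
Added illustration for the page, not vendor or threat-actor code."""
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def build_docx(template_target=None):
    """Construct a minimal .docx in memory (constructed sample, not a real
    document). With template_target set it carries the settings.xml.rels
    entry that Word follows to load an attached template when the file opens."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        if template_target is not None:
            z.writestr(
                "word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>",
            )
    return buf.getvalue()


def classify_target(target):
    """UNC and file: targets make Word authenticate to the host (T1187);
    http(s) targets only fetch content over the web."""
    t = target.strip()
    if t.startswith("\\\\") or t.lower().startswith("file:"):
        return "smb_or_file"
    if urlparse(t).scheme.lower() in ("http", "https"):
        return "http"
    return "other"


def find_remote_templates(docx_bytes):
    """Return one finding per suspicious external relationship in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                kind = classify_target(target)
                techniques = []
                if rel.get("Type") == ATTACHED_TEMPLATE:
                    techniques.append("T1221")
                if kind == "smb_or_file":
                    techniques.append("T1187")
                if techniques:
                    findings.append({"part": name, "target": target,
                                     "kind": kind, "techniques": techniques})
    return findings


# Constructed samples: a clean file, an HTTP remote template, a UNC template.
SAMPLES = {
    "clean": build_docx(),
    "http_template": build_docx("http://198.51.100.7/template.dotm"),
    "unc_template": build_docx("\\\\203.0.113.5\\share\\t.dotx"),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, find_remote_templates(data))
```

Because the check keys on `TargetMode="External"` rather than on the relationship type alone, a legitimate internal template reference is not flagged, while an external relationship of any type that points at a UNC path still surfaces as a forced-authentication candidate.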
Discovery
- T1012 Query Registry
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1033 System Owner/User Discovery
- T1069.002 Domain Groups
- T1083 File and Directory Discovery
- T1087.002 Domain Account
- T1135 Network Share Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1210 Exploitation of Remote Services
Collection
- T1005 Data from Local System
- T1074.001 Local Data Staging
- T1113 Screen Capture
- T1114.002 Remote Email Collection
- T1560 Archive Collected Data
Command and Control
- T1071.002 File Transfer Protocols
- T1105 Ingress Tool Transfer
Tools & malware (10)
MCMD · Net · Impacket · CrackMapExec · Reg · Backdoor.Oldrea · Mimikatz · PsExec · Trojan.Karagany · netsh