Description
[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16. (Citation: DOJ Russia Targeting Critical Infrastructure March 2022) (Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks. (Citation: Symantec Dragonfly) (Citation: Secureworks IRON LIBERTY July 2019) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017) (Citation: Gigamon Berserk Bear October 2021) (Citation: CISA AA20-296A Berserk Bear December 2020) (Citation: Symantec Dragonfly 2.0 October 2017)
Techniques Used (TTPs)
- T1560 — Archive Collected Data (collection)
- T1113 — Screen Capture (collection)
- T1564.002 — Hidden Users (defense-evasion)
- T1505.003 — Web Shell (persistence)
- T1204.002 — Malicious File (execution)
- T1591.002 — Business Relationships (reconnaissance)
- T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1016 — System Network Configuration Discovery (discovery)
- T1584.004 — Server (resource-development)
- T1083 — File and Directory Discovery (discovery)
- T1136.001 — Local Account (persistence)
- T1221 — Template Injection (defense-evasion)
- T1203 — Exploitation for Client Execution (execution)
- T1110.002 — Password Cracking (credential-access)
- T1608.004 — Drive-by Target (resource-development)
- T1562.004 — Disable or Modify System Firewall (defense-evasion)
- T1012 — Query Registry (discovery)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1189 — Drive-by Compromise (initial-access)
- T1583.001 — Domains (resource-development)
- T1003.002 — Security Account Manager (credential-access)
- T1598.002 — Spearphishing Attachment (reconnaissance)
- T1070.001 — Clear Windows Event Logs (defense-evasion)
- T1005 — Data from Local System (collection)
- T1070.004 — File Deletion (defense-evasion)
- T1059 — Command and Scripting Interpreter (execution)
- T1112 — Modify Registry (defense-evasion, persistence)
- T1588.002 — Tool (resource-development)
- T1195.002 — Compromise Software Supply Chain (initial-access)
- T1036.010 — Masquerade Account Name (defense-evasion)
- T1003.003 — NTDS (credential-access)
- T1098.007 — Additional Local or Domain Groups (persistence, privilege-escalation)
- T1583.003 — Virtual Private Server (resource-development)
- T1059.003 — Windows Command Shell (execution)
- T1071.002 — File Transfer Protocols (command-and-control)
- T1598.003 — Spearphishing Link (reconnaissance)
- T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
- T1069.002 — Domain Groups (discovery)
- T1114.002 — Remote Email Collection (collection)
- T1595.002 — Vulnerability Scanning (reconnaissance)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1133 — External Remote Services (persistence, initial-access)
- T1003.004 — LSA Secrets (credential-access)
- T1190 — Exploit Public-Facing Application (initial-access)
- T1135 — Network Share Discovery (discovery)
- T1110 — Brute Force (credential-access)
- T1021.001 — Remote Desktop Protocol (lateral-movement)
- T1187 — Forced Authentication (credential-access)
- T1033 — System Owner/User Discovery (discovery)
- T1074.001 — Local Data Staging (collection)
- T1059.001 — PowerShell (execution)
- T1210 — Exploitation of Remote Services (lateral-movement)
- T1059.006 — Python (execution)
- T1018 — Remote System Discovery (discovery)
- T1087.002 — Domain Account (discovery)
Total TTPs: 56
Malware & Tools
Malware: Backdoor.Oldrea, Trojan.Karagany
Tools: CrackMapExec, Impacket, MCMD, Mimikatz, Net, PsExec, Reg, netsh