Group: Dragonfly 2.0, Berserk Bear, DYMALLOY
| Field | Value |
|---|---|
| Associated Groups | Dragonfly 2.0, Berserk Bear, DYMALLOY |
| External Contributors | Dragos Threat Intelligence |
Dragonfly 2.0 is a suspected Russian threat group that has targeted government entities and multiple U.S. critical infrastructure sectors, as well as parts of the energy sector within Turkey and Switzerland, since at least December 2015.[1] There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to those being tracked as two separate groups.[2]
Associated Group Descriptions
- Commonly Used Port - Dragonfly 2.0 communicated with command and control over TCP ports 445 and 139 or UDP ports 137 or 138.[4]
- Data from Information Repositories - Dragonfly 2.0 accessed workstations and servers within the corporate network that contained data from power generation control system environments. The files were related to the ICS and SCADA systems, including vendor names and ICS reference documents such as wiring diagrams and panel layouts.[4]
- Drive-by Compromise - Dragonfly 2.0 utilized watering hole attacks to gather credentials by compromising websites that energy sector organizations might access.[1] A line of code injected into the header.php file was used to redirect visitors to an adversary-controlled IP.[4]
- Indicator Removal on Host - Dragonfly 2.0 deleted indicators on staging and target devices by uninstalling software and removing event logs, batch scripts, screenshots, registry keys, documents, and tools they brought into the target networks.[4]
- Screen Capture - Dragonfly 2.0 has been reported to take screenshots of the GUI for ICS equipment, such as HMIs.[4]
- Scripting - Dragonfly 2.0 deleted indicators on staging and target devices by uninstalling software and removing event logs, batch scripts, screenshots, registry keys, documents, and tools they brought into the target networks.[4]
- Spearphishing Attachment - Dragonfly 2.0 used the Phishery toolkit to conduct spear phishing attacks and gather credentials.[1][5] Dragonfly 2.0 conducted a targeted spear phishing campaign against multiple electric utilities in North America.[6][7]
- Supply Chain Compromise - Dragonfly 2.0 trojanized legitimate software to deliver malware disguised as standard Windows applications.[1]
- Theft of Operational Information - Dragonfly 2.0 captured ICS vendor names, reference documents, wiring diagrams, and panel layouts about the process environment.[4]
- Valid Accounts - Dragonfly 2.0 leveraged compromised user credentials to access the targets' networks and download tools from a remote server.[3][4]
1. Symantec. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 14, 2017.
2. Robert Hackett. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved December 4, 2019.
3. Dragos. (n.d.). Dymalloy. Retrieved October 27, 2019.
4. Cybersecurity & Infrastructure Security Agency. (2018, March 15). Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 11, 2019.
5. Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall. (2017, July 7). Attack on Critical Infrastructure Leverages Template Injection. Retrieved December 5, 2019.
6. Dragos Threat Intelligence. (2018, September 17). THREAT INTELLIGENCE SUMMARY TR-2018-25: Phishing Campaign Targeting Electric Utility Companies. Retrieved January 3, 2020.
7. Dragos Threat Intelligence. (2018). ICS Activity Groups and Threat Landscape. Retrieved January 3, 2020.