Group: Dragonfly 2.0, Berserk Bear, DYMALLOY

From attackics
ID: G0006
Associated Groups: Dragonfly 2.0, Berserk Bear, DYMALLOY
External Contributors: Dragos Threat Intelligence

Dragonfly 2.0 is a suspected Russian threat group that has targeted government entities, multiple U.S. critical infrastructure sectors, and parts of the energy sector in Turkey and Switzerland since at least December 2015. [1] There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence for them to be tracked as two separate groups. [2]

Associated Group Descriptions

  • Dragonfly 2.0 [1]
  • Berserk Bear [2]
  • DYMALLOY [3]

Techniques Used

  • Data from Information Repositories - Dragonfly 2.0 accessed workstations and servers within the corporate network that contained data from power generation control system environments. The files were related to the ICS and SCADA systems, including vendor names and ICS reference documents such as wiring diagrams and panel layouts. [4]
  • Drive-by Compromise - Dragonfly 2.0 used watering hole attacks to gather credentials by compromising websites that energy sector organizations might access. [1] A line of code is injected into the site's header.php file; this code redirects visitors to an adversary-controlled IP address. [4]
  • Indicator Removal on Host - Dragonfly 2.0 deleted indicators on staging and target devices by uninstalling software and removing event logs, batch scripts, screenshots, registry keys, documents, and tools they brought into the target networks. [4]
  • Scripting - Dragonfly 2.0 deleted indicators on staging and target devices by uninstalling software and removing event logs, batch scripts, screenshots, registry keys, documents, and tools they brought into the target networks. [4]