Dragonfly 2.0

Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. [1] [2] There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups. [3]

ID: G0074
Version: 1.1

Associated Group Descriptions

Berserk Bear [3]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | Dragonfly 2.0 used batch scripts to enumerate users in the victim environment. [1]
Enterprise | T1098 | Account Manipulation | Dragonfly 2.0 added newly created accounts to the administrators group to maintain elevated access. [1][4]
Enterprise | T1110 | Brute Force | Dragonfly 2.0 dropped and executed tools used for password cracking, including Hydra. [1][4][5]
Enterprise | T1059 | Command-Line Interface | Dragonfly 2.0 used the command line for execution. [1]
Enterprise | T1043 | Commonly Used Port | Dragonfly 2.0 used SMB over ports 445 or 139 for C2. The group also established encrypted connections over port 443. [1][4]
Enterprise | T1136 | Create Account | Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target. [1][4]
Enterprise | T1003 | Credential Dumping | Dragonfly 2.0 dropped and executed SecretsDump and CrackMapExec, tools that can dump password hashes. [1][4][6]
Enterprise | T1002 | Data Compressed | Dragonfly 2.0 compressed data into .zip files prior to exfiltrating it. [1]
Enterprise | T1005 | Data from Local System | Dragonfly 2.0 collected data from local victim systems. [1]
Enterprise | T1074 | Data Staged | Dragonfly 2.0 created a directory named "out" in the user's %AppData% folder and copied files to it. [1]
Enterprise | T1089 | Disabling Security Tools | Dragonfly 2.0 has disabled host-based firewalls. The group has also globally opened port 3389. [1][4]
Enterprise | T1189 | Drive-by Compromise | Dragonfly 2.0 compromised legitimate organizations' websites to create watering holes to compromise victims. [1]
Enterprise | T1114 | Email Collection | Dragonfly 2.0 accessed email accounts using Outlook Web Access. [4]
Enterprise | T1133 | External Remote Services | Dragonfly 2.0 used VPNs and Outlook Web Access (OWA) to maintain access to victim networks. [1][4]
Enterprise | T1083 | File and Directory Discovery | Dragonfly 2.0 used a batch script to gather folder and file names from victim hosts. [1]
Enterprise | T1107 | File Deletion | Dragonfly 2.0 deleted many of the files it used during operations as part of cleanup, including removing applications and deleting screenshots. [1][4]
Enterprise | T1187 | Forced Authentication | Dragonfly 2.0 has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems. [1][4]
Enterprise | T1070 | Indicator Removal on Host | Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys. [1][4]
Enterprise | T1036 | Masquerading | Dragonfly 2.0 created accounts disguised as legitimate backup and service accounts as well as an email administration account. [1][4]
Enterprise | T1112 | Modify Registry | Dragonfly 2.0 modified the Registry to perform multiple techniques through the use of Reg. [1]
Enterprise | T1135 | Network Share Discovery | Dragonfly 2.0 identified and browsed file servers in the victim network, sometimes viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems. [1][4]
Enterprise | T1069 | Permission Groups Discovery | Dragonfly 2.0 used batch scripts to enumerate administrators in the environment. [1]
Enterprise | T1086 | PowerShell | Dragonfly 2.0 used PowerShell scripts for execution. [1][2][4]
Enterprise | T1012 | Query Registry | Dragonfly 2.0 queried the Registry to identify victim information. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Dragonfly 2.0 added the registry value ntdll to the Registry Run key to establish persistence. [1]
Enterprise | T1076 | Remote Desktop Protocol | Dragonfly 2.0 moved laterally via RDP. [1][4]
Enterprise | T1105 | Remote File Copy | Dragonfly 2.0 copied and installed tools for operations once in the victim environment. [1][4]
Enterprise | T1018 | Remote System Discovery | Dragonfly 2.0 likely obtained a list of hosts in the victim environment. [1]
Enterprise | T1053 | Scheduled Task | Dragonfly 2.0 used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files. [1][4]
Enterprise | T1113 | Screen Capture | Dragonfly 2.0 has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil). [1][2]
Enterprise | T1064 | Scripting | Dragonfly 2.0 used various types of scripting to perform operations, including Python and batch scripts. The group was observed installing Python 2.7 on a victim. [1][4]
Enterprise | T1023 | Shortcut Modification | Dragonfly 2.0 manipulated .lnk files to gather user credentials in conjunction with Forced Authentication. [1]
Enterprise | T1193 | Spearphishing Attachment | Dragonfly 2.0 used spearphishing with Microsoft Office attachments to target victims. [1][4]
Enterprise | T1192 | Spearphishing Link | Dragonfly 2.0 used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Dragonfly 2.0 used SMB for C2. [1]
Enterprise | T1016 | System Network Configuration Discovery | Dragonfly 2.0 used batch scripts to enumerate network information, including information about trusts, zones, and the domain. [1]
Enterprise | T1033 | System Owner/User Discovery | Dragonfly 2.0 used the command "query user" on victim hosts. [1]
Enterprise | T1221 | Template Injection | Dragonfly 2.0 has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication. [1][4]
Enterprise | T1204 | User Execution | Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open links or attachments. [1][4]
Enterprise | T1078 | Valid Accounts | Dragonfly 2.0 compromised user credentials and used valid accounts for operations. [1]
Enterprise | T1100 | Web Shell | Dragonfly 2.0 commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files. [1][4]

Software

ID | Name | References | Techniques
S0357 | Impacket | [1][4][6] | Credential Dumping, Kerberoasting, LLMNR/NBT-NS Poisoning and Relay, Network Sniffing, Service Execution, Windows Management Instrumentation
S0039 | Net | [1] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0108 | netsh | [1] | Connection Proxy, Disabling Security Tools, Netsh Helper DLL, Security Software Discovery
S0029 | PsExec | [1][2] | Service Execution, Windows Admin Shares
S0075 | Reg | [1] | Credentials in Registry, Modify Registry, Query Registry