Group: Dragonfly, Energetic Bear

From enterprise
Jump to: navigation, search
Dragonfly, Energetic Bear
ID G0035
Aliases Dragonfly, Energetic Bear

Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. The group appeared to decrease activity following public exposure in 2014, and re-emerged in late 2015 through 2017.12

Alias Descriptions

  • Dragonfly - 1
  • Energetic Bear - 1

Techniques Used

  • Remote File Copy - Dragonfly downloaded tools from a remote server after they were inside the victim network.3
  • File Deletion - Dragonfly deleted a file immediately after executing it on a victim host.3
  • Create Account - Dragonfly created accounts that appeared to be tailored to each individual staging target.3
  • Brute Force - Dragonfly dropped and executed Hydra, a password cracker.34
  • Credential Dumping - Dragonfly dropped and executed SecretsDump, a tool that dumps password hashes.35
  • Scripting - Dragonfly used various scripts for execution, and was observed installing Python 2.7 on a victim.3
  • Masquerading - Accounts created by Dragonfly masqueraded as legitimate service accounts.3
  • Indicator Removal on Host - Dragonfly deleted system, security, terminal services, remote services, and audit logs from a victim.3
  • Web Shell - Dragonfly used Web shells to maintain access to a victim network and download additional malicious files.3
  • Network Share Discovery - Dragonfly identified and browsed file servers on the victim network, viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.3
  • Scheduled Task - Dragonfly has used a scheduled task to execute a malicious file.3
  • Forced Authentication - Dragonfly has performed forced authentication to gather hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems.3