Group: Dragonfly, Energetic Bear

Dragonfly, Energetic Bear
ID G0035
Aliases Dragonfly, Energetic Bear

Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. The group appeared to decrease activity following public exposure in 2014, and re-emerged in late 2015 through 2017.[1][2]

Alias Descriptions

  • Dragonfly - [1]
  • Energetic Bear - [1]

Techniques Used

  • Scripting - Dragonfly used various scripts for execution, and was observed installing Python 2.7 on a victim.[3]
  • Web Shell - Dragonfly used Web shells to maintain access to a victim network and download additional malicious files.[3]
  • Network Share Discovery - Dragonfly identified and browsed file servers on the victim network, viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.[3]
  • Forced Authentication - Dragonfly has performed forced authentication to gather hashed user credentials over SMB, using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems. In both cases the document or shortcut references a resource on an attacker-controlled SMB server, so that Windows authenticates to it automatically (leaking an NTLM challenge-response) when the resource is loaded.[3]
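The .LNK variant of the technique can be checked for on disk or at a mail gateway by parsing the Shell Link format (MS-SHLLINK) and looking for icon paths that resolve over SMB. The following Python is an added example written for this page, not code from ATT&CK or from the cited reports: it parses the fixed header, skips the optional LinkTargetIDList and LinkInfo sections, reads the StringData fields in their defined order, picks up the IconEnvironmentDataBlock from ExtraData, and flags any UNC host that is not on an allowlist of known file servers. The two sample shortcuts, the 203.0.113.5 address and the allowlist are constructed for the example; `build_lnk` is a helper that only emits the fields the parser needs.

```python
import re
import struct

# MS-SHLLINK constants: header CLSID (little-endian bytes) and LinkFlags bits.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
ICON_ENVIRONMENT_BLOCK = 0xA0000007  # ExtraData block carrying an icon path

# StringData fields appear in this order, each only if its flag is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]

# Matches "\\host\..." and captures the host part.
UNC_HOST_RE = re.compile(r"\\\\([^\\\s]+)\\")


def parse_lnk(data: bytes) -> dict:
    """Parse the parts of a .LNK file that can reference a remote resource."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    fields = {"flags": flags, "icon_index": struct.unpack_from("<i", data, 56)[0]}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    for name, bit in STRING_FIELDS:              # CountCharacters + chars, no NUL
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            if flags & IS_UNICODE:
                fields[name] = data[off:off + count * 2].decode("utf-16-le")
                off += count * 2
            else:  # ANSI code page; cp1252 is an assumption for the example
                fields[name] = data[off:off + count].decode("cp1252", "replace")
                off += count
    while off + 4 <= len(data):                  # ExtraData blocks, size < 4 ends
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            break
        if struct.unpack_from("<I", data, off + 4)[0] == ICON_ENVIRONMENT_BLOCK:
            uni = data[off + 8 + 260: off + 8 + 260 + 520]   # TargetUnicode
            fields["icon_environment"] = uni.decode("utf-16-le").split("\x00", 1)[0]
        off += block_size
    return fields


def unc_hosts(fields: dict) -> list:
    """Return (field, host) for every string field that contains a UNC path."""
    hits = []
    for key in ("icon_location", "icon_environment", "relative_path",
                "working_dir", "arguments"):
        for host in UNC_HOST_RE.findall(fields.get(key, "")):
            hits.append((key, host))
    return hits


def audit_lnk(data: bytes, known_servers: set) -> list:
    """Flag UNC references whose host is not an allowlisted internal file server."""
    return [(field, host) for field, host in unc_hosts(parse_lnk(data))
            if host.lower() not in known_servers]


def build_lnk(icon_location: str, icon_index: int = 0) -> bytes:
    """Constructed minimal Unicode .LNK with only an ICON_LOCATION string (test data)."""
    flags = HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x80,
                         0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)
    string_data = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0)   # terminal ExtraData block


# Constructed samples, not real malware: a normal shell32 icon and an icon that
# Explorer would fetch over SMB from a host outside the organisation.
BENIGN_LNK = build_lnk(r"%SystemRoot%\system32\shell32.dll", icon_index=3)
SUSPECT_LNK = build_lnk(r"\\203.0.113.5\icons\i.ico")
KNOWN_SERVERS = {"fs01", "fs02"}   # hypothetical allowlist of internal file servers

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(label, audit_lnk(blob, KNOWN_SERVERS))
```

The allowlist matters: UNC icon paths to internal file servers are common and benign, so a bare "UNC present" rule is noisy; the useful signal is a host that is an external IP or a name outside the estate, ideally correlated with outbound 445/tcp connections from workstations to that host. Icon paths can also be supplied through the environment variable and icon environment blocks, which is why the parser reads ExtraData rather than stopping at StringData.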