Group: Dragonfly, Energetic Bear
Aliases: Dragonfly, Energetic Bear
Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. The group appeared to decrease activity following public exposure in 2014, and re-emerged in late 2015 through 2017.[1][2]
- Remote File Copy - Dragonfly downloaded tools from a remote server after they were inside the victim network.[3]
- Create Account - Dragonfly created accounts that appeared to be tailored to each individual staging target.[3]
- Disabling Security Tools - Dragonfly disabled the host-based firewall on a victim and globally opened port 3389.[3]
- External Remote Services - Dragonfly used remote access services, including VPN and Outlook Web Access (OWA).[3]
- Credential Dumping - Dragonfly dropped and executed SecretsDump, a tool that dumps password hashes.[3][5]
- Scripting - Dragonfly used various scripts for execution, and was observed installing Python 2.7 on a victim.[3]
- Indicator Removal on Host - Dragonfly deleted system, security, terminal services, remote services, and audit logs from a victim.[3]
- Web Shell - Dragonfly used Web shells to maintain access to a victim network and download additional malicious files.[3]
- Network Share Discovery - Dragonfly identified and browsed file servers on the victim network, viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.[3]
- Forced Authentication - Dragonfly has performed forced authentication to gather hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems.[3]
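As an added example (not part of this group entry or any of its sources), the following Python script shows how a defender might correlate several of the host behaviours listed above on a single machine: account creation, the host firewall being switched off or opened on port 3389 via netsh, and event-log clearing. The hostnames, usernames and event records are constructed; the Windows event IDs used (4720 account created, 4688 process creation, 1102/104 log cleared) are the standard ones and are an assumption about the telemetry, not taken from the page.

```python
import re

# Constructed sample events in a simplified Windows event-log shape (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "eng-ws01", "channel": "Security", "event_id": 4720,
     "user": "svc-backup", "details": "A user account was created."},
    {"host": "eng-ws01", "channel": "Security", "event_id": 4688,
     "user": "svc-backup",
     "details": "netsh advfirewall set allprofiles state off"},
    {"host": "eng-ws01", "channel": "Security", "event_id": 4688,
     "user": "svc-backup",
     "details": "netsh advfirewall firewall add rule name=rdp dir=in action=allow protocol=TCP localport=3389"},
    {"host": "eng-ws01", "channel": "Security", "event_id": 1102,
     "user": "svc-backup", "details": "The audit log was cleared."},
    {"host": "hist01", "channel": "System", "event_id": 104,
     "user": "svc-backup", "details": "The System log file was cleared."},
    {"host": "fs02", "channel": "Security", "event_id": 4688,
     "user": "jsmith", "details": "notepad.exe C:\\docs\\readme.txt"},
]

# Command-line patterns for the firewall changes described in the entry.
NETSH_FW_OFF = re.compile(r"netsh\s+advfirewall\s+set\s+\S+\s+state\s+off", re.I)
NETSH_3389 = re.compile(r"netsh\s+advfirewall.*action=allow.*localport=3389", re.I)
LOG_CLEARED = {1102, 104}  # Security audit log cleared / other log file cleared

def classify(event):
    """Return a behaviour label for one event, or None if it matches nothing."""
    eid = event["event_id"]
    cmd = event["details"]
    if eid == 4720:
        return "create_account"
    if eid in LOG_CLEARED:
        return "log_cleared"
    if eid == 4688:
        if NETSH_FW_OFF.search(cmd):
            return "firewall_disabled"
        if NETSH_3389.search(cmd):
            return "port_3389_opened"
    return None

def detect(events):
    """Collect labels per host; escalate hosts showing two or more distinct behaviours."""
    hits = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(ev["host"], set()).add(label)
    return {h: sorted(labels) for h, labels in hits.items() if len(labels) >= 2}

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

A single cleared log on hist01 is noted but not escalated on its own; the chain on eng-ws01 is, which is the kind of clustering that distinguishes an intrusion from routine administration.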
- [1] Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- [2] Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
- [3] US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.