Dragonfly
G00351 reportsAnalyst assessment — key judgments
- Signature techniques: T1583 (Acquire Infrastructure), T1003 (OS Credential Dumping), T1602 (Data from Configuration Repository).
- Primary targeting: RU, US, AU, CA.
- Newly emerged: 1 report(s) in last 30d vs 0 prior (+100%).
- Recent movement: 31 new technique(s), 35 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 26% of 31 observed techniques (23 gap(s)).
- Assessment confidence: high (95).
Activity & trend
Movement — last 30 days
Vulnerabilities in this actor's reporting · 2
- CVE-2008-4128KEV1 rpt
- CVE-2018-0171KEV1 rpt
Overview
Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)
ATT&CK technique matrix
- T1583 · Acquire Infrastructureconf 951
- T1003 · OS Credential Dumpingconf 951
- T1602 · Data from Configuration Repositoryconf 951
- T1590.005 · IP Addressesconf 951
- T1584.008 · Network Devicesconf 951
- T1588.006 · Vulnerabilitiesconf 951
- T1071 · Application Layer Protocolconf 951
- T1584.003 · Virtual Private Serverconf 951
- T1190 · Exploit Public-Facing Applicationconf 951
- T1602.002 · Network Device Configuration Dumpconf 951
- T1595.002 · Vulnerability Scanningconf 951
- T1595 · Active Scanningconf 951
Threat catalogue · engineering roadmap
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
Relationships
Activity
| Title | Source | Severity | Collected |
|---|