Dragonfly

Dragonfly is a Russian state-sponsored espionage threat actor linked in the provided content to the FSB’s Center 16 and also tracked under aliases including Berserk Bear, Energetic Bear, Static Tundra, Crouching Yeti, Dymalloy, Ghost Blizzard, Iron Liberty, Koala Team, Blue Kraken, Bromine, Temp.Isotope, TG-4192, and Dragonfly 2.0. The group has historically targeted energy, nuclear, defense, telecommunications, higher education, manufacturing, aviation, and government organizations, with reporting in the content emphasizing operations against Western energy suppliers, U.S. state/local/territorial/tribal government and aviation networks, and organizations in Ukraine and allied countries. The content describes long-running targeting of critical infrastructure and industrial environments, including watering hole and supply-chain compromises involving trojanized ICS software packages, and use of HAVEX and a Karagany variant associated with the group. Observed initial access and persistence tradecraft in the content includes spearphishing emails with malicious attachments, malicious links and template injection for credential harvesting, compromise of legitimate websites to host malware and command-and-control, strategic web compromise, SQL injection, brute force, and exploitation of CVE-2011-0611, CVE-2018-13379, CVE-2019-19781, CVE-2020-0688, CVE-2020-1472, and CVE-2018-0171 on Cisco Smart Install devices. On Cisco infrastructure, the group was reported exploiting CVE-2018-0171 to extract startup configurations, expose passwords and SNMP community strings, create local accounts, enable Telnet, disable TACACS+ logging, modify ACLs, and maintain persistence via reused SNMP credentials or SYNful Knock. On Windows systems, Dragonfly established persistence via a Registry Run key using the value name "ntdll," modified the Registry for multiple techniques including hiding created accounts, used scheduled tasks, created local and administrator accounts, and used VPNs and Outlook Web Access as external remote services. The content states Dragonfly used command-line execution, PowerShell, batch scripts, and Python scripts; queried the Registry and used query user for discovery; collected data from local victim systems; staged files in an "out" directory under %AppData%; compressed data into ZIP archives; identified and browsed network shares including ICS/SCADA-related files; and obtained or used Mimikatz, CrackMapExec, PsExec, Hydra, and SecretsDump. Credential access activity described includes dumping SAM, LSA Secrets, NTDS, and obtaining ntds.dit from domain controllers. Lateral movement and remote access methods mentioned include RDP, SMB, scheduled tasks, Telnet on compromised Cisco devices, and use of valid accounts. Defense evasion and cleanup behaviors in the content include deleting operational files and screenshots, clearing Windows event logs and other logs, deleting Registry keys, and removing artifacts after operations.