<!DOCTYPE html> <html lang='en'> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v15/theme/favicon.ico" type='image/x-icon'> <title>Dragonfly, TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear, Ghost Blizzard, BROMINE, Group G0035 | MITRE ATT&CK®</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap-select.min.css" /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/versions/v15/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v15/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.1" target="_blank">ATT&CK v15.1</a> which was live between April 23, 2024 and October 30, 2024. 
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Dragonfly </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. 
Retrieved April 5, 2022."data-reference="DOJ Russia Targeting Critical Infrastructure March 2022"><sup><a href="https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022."data-reference="UK GOV FSB Factsheet April 2022"><sup><a href="https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> Active since at least 2010, <a href="/versions/v15/groups/G0035">Dragonfly</a> has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016."data-reference="Symantec Dragonfly"><sup><a href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. 
Retrieved August 12, 2020."data-reference="Secureworks IRON LIBERTY July 2019"><sup><a href="https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017."data-reference="Symantec Dragonfly Sept 2017"><sup><a href="https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018."data-reference="Fortune Dragonfly 2.0 Sept 2017"><sup><a href="http://fortune.com/2017/09/06/hack-energy-grid-symantec/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. 
Retrieved December 9, 2021."data-reference="CISA AA20-296A Berserk Bear December 2020"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022."data-reference="Symantec Dragonfly 2.0 October 2017"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>G0035 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Names that have overlapping reference to a group entry and may refer to the same or similar group in threat intelligence reporting">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Associated Groups</span>: TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear, Ghost Blizzard, BROMINE </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors</span>: Dragos Threat Intelligence </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version</span>: 4.0 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 
card-title">Created: </span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>08 January 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of G0035" href="/versions/v15/groups/G0035/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of G0035" href="/groups/G0035/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id="aliasDescription">Associated Group Descriptions</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> TEMP.Isotope </td> <td> <p><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022."data-reference="Mandiant Ukraine Cyber Threats January 2022"><sup><a href="https://www.mandiant.com/resources/ukraine-crisis-cyber-threats" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. 
Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> DYMALLOY </td> <td> <p><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020."data-reference="Dragos DYMALLOY "><sup><a href="https://www.dragos.com/threat/dymalloy/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022."data-reference="UK GOV FSB Factsheet April 2022"><sup><a href="https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> Berserk Bear </td> <td> <p><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. 
Retrieved April 5, 2022."data-reference="DOJ Russia Targeting Critical Infrastructure March 2022"><sup><a href="https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022."data-reference="UK GOV FSB Factsheet April 2022"><sup><a href="https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> TG-4192 </td> <td> <p><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks IRON LIBERTY July 2019"><sup><a href="https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022."data-reference="UK GOV FSB Factsheet April 2022"><sup><a href="https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> Crouching Yeti </td> <td> <p><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. 
Retrieved August 12, 2020."data-reference="Secureworks IRON LIBERTY July 2019"><sup><a href="https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022."data-reference="DOJ Russia Targeting Critical Infrastructure March 2022"><sup><a href="https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022."data-reference="UK GOV FSB Factsheet April 2022"><sup><a href="https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> IRON LIBERTY </td> <td> <p><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. 
Retrieved August 12, 2020."data-reference="Secureworks IRON LIBERTY July 2019"><sup><a href="https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020."data-reference="Secureworks MCMD July 2019"><sup><a href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks Karagany July 2019"><sup><a href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022."data-reference="UK GOV FSB Factsheet April 2022"><sup><a href="https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> Energetic Bear </td> <td> <p><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. 
Retrieved April 8, 2016."data-reference="Symantec Dragonfly"><sup><a href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks IRON LIBERTY July 2019"><sup><a href="https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020."data-reference="Secureworks MCMD July 2019"><sup><a href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks Karagany July 2019"><sup><a href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. 
Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022."data-reference="DOJ Russia Targeting Critical Infrastructure March 2022"><sup><a href="https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022."data-reference="UK GOV FSB Factsheet April 2022"><sup><a href="https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> Ghost Blizzard </td> <td> <p><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023."data-reference="Microsoft Threat Actor Naming July 2023"><sup><a href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> BROMINE </td> <td> <p><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Microsoft . (2023, July 12). How Microsoft names threat actors. 
Retrieved November 17, 2023."data-reference="Microsoft Threat Actor Naming July 2023"><sup><a href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&CK<sup>®</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/versions/v15/groups/G0035/G0035-enterprise-layer.json" download target="_blank">download</a> <div class="dropdown-divider"></div> <h6 class="dropdown-header">ICS Layer</h6> <a class="dropdown-item" href="/versions/v15/groups/G0035/G0035-ics-layer.json" download target="_blank">download</a> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1087">T1087</a> </td> <td> <a href="/versions/v15/techniques/T1087/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1087">Account Discovery</a>: <a href="/versions/v15/techniques/T1087/002">Domain Account</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used batch scripts to enumerate users on a victim domain controller.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1098">T1098</a> </td> <td> <a href="/versions/v15/techniques/T1098">Account Manipulation</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has added newly created accounts to the administrators group to maintain elevated access.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1583">T1583</a> </td> <td> <a href="/versions/v15/techniques/T1583/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1583">Acquire Infrastructure</a>: <a href="/versions/v15/techniques/T1583/001">Domains</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has registered domains for targeting intended victims.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. 
Retrieved December 9, 2021."data-reference="CISA AA20-296A Berserk Bear December 2020"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1583/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1583">Acquire Infrastructure</a>: <a href="/versions/v15/techniques/T1583/003">Virtual Private Server</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has acquired VPS infrastructure for use in malicious campaigns.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1595">T1595</a> </td> <td> <a href="/versions/v15/techniques/T1595/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1595">Active Scanning</a>: <a href="/versions/v15/techniques/T1595/002">Vulnerability Scanning</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has scanned targeted systems for vulnerable Citrix and Microsoft Exchange services.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. 
Retrieved December 9, 2021."data-reference="CISA AA20-296A Berserk Bear December 2020"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1071">T1071</a> </td> <td> <a href="/versions/v15/techniques/T1071/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v15/techniques/T1071/002">File Transfer Protocols</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used SMB for C2.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1560">T1560</a> </td> <td> <a href="/versions/v15/techniques/T1560">Archive Collected Data</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has compressed data into .zip files prior to exfiltration.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1547">T1547</a> </td> <td> <a href="/versions/v15/techniques/T1547/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v15/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has added the registry value ntdll to the Registry Run key to establish persistence.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1110">T1110</a> </td> <td> <a href="/versions/v15/techniques/T1110">Brute Force</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has attempted to brute force credentials to gain access.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. 
Retrieved December 9, 2021."data-reference="CISA AA20-296A Berserk Bear December 2020"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1110/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1110/002">Password Cracking</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has dropped and executed tools used for password cracking, including Hydra and <a href="/versions/v15/software/S0488">CrackMapExec</a>.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Kali. (2014, February 18). THC-Hydra. Retrieved November 2, 2017."data-reference="Kali Hydra"><sup><a href="https://tools.kali.org/password-attacks/hydra" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1059">T1059</a> </td> <td> <a href="/versions/v15/techniques/T1059">Command and Scripting Interpreter</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used the command line for execution.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). 
Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1059/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1059/001">PowerShell</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used PowerShell scripts for execution.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. 
Retrieved September 9, 2017."data-reference="Symantec Dragonfly Sept 2017"><sup><a href="https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1059/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1059/003">Windows Command Shell</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used various types of scripting to perform operations, including batch scripts.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1059/006">.006</a> </td> <td> <a href="/versions/v15/techniques/T1059/006">Python</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1584">T1584</a> </td> <td> <a href="/versions/v15/techniques/T1584/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1584">Compromise Infrastructure</a>: <a href="/versions/v15/techniques/T1584/004">Server</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has compromised legitimate websites to host C2 and malware modules.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1136">T1136</a> </td> <td> <a href="/versions/v15/techniques/T1136/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1136">Create Account</a>: <a href="/versions/v15/techniques/T1136/001">Local Account</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1005">T1005</a> </td> <td> <a href="/versions/v15/techniques/T1005">Data from Local System</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has collected data from local victim systems.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1074">T1074</a> </td> <td> <a href="/versions/v15/techniques/T1074/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1074">Data Staged</a>: <a href="/versions/v15/techniques/T1074/001">Local Data Staging</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has created a directory named "out" in the user's %AppData% folder and copied files to it.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1189">T1189</a> </td> <td> <a href="/versions/v15/techniques/T1189">Drive-by Compromise</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks IRON LIBERTY July 2019"><sup><a href="https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. 
Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1114">T1114</a> </td> <td> <a href="/versions/v15/techniques/T1114/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1114">Email Collection</a>: <a href="/versions/v15/techniques/T1114/002">Remote Email Collection</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has accessed email accounts using Outlook Web Access.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1190">T1190</a> </td> <td> <a href="/versions/v15/techniques/T1190">Exploit Public-Facing Application</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. 
Retrieved December 9, 2021."data-reference="CISA AA20-296A Berserk Bear December 2020"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1203">T1203</a> </td> <td> <a href="/versions/v15/techniques/T1203">Exploitation for Client Execution</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1210">T1210</a> </td> <td> <a href="/versions/v15/techniques/T1210">Exploitation of Remote Services</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has exploited a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory servers.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. 
Retrieved December 9, 2021."data-reference="CISA AA20-296A Berserk Bear December 2020"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1133">T1133</a> </td> <td> <a href="/versions/v15/techniques/T1133">External Remote Services</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021."data-reference="CISA AA20-296A Berserk Bear December 2020"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1083">T1083</a> </td> <td> <a href="/versions/v15/techniques/T1083">File and Directory Discovery</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used a batch script to gather folder and file names from victim hosts.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. 
(2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021."data-reference="CISA AA20-296A Berserk Bear December 2020"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1187">T1187</a> </td> <td> <a href="/versions/v15/techniques/T1187">Forced Authentication</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1591">T1591</a> </td> <td> <a href="/versions/v15/techniques/T1591/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1591">Gather Victim Org Information</a>: <a href="/versions/v15/techniques/T1591/002">Business Relationships</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has collected open source information to identify relationships between organizations for targeting purposes.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. 
Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1564">T1564</a> </td> <td> <a href="/versions/v15/techniques/T1564/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v15/techniques/T1564/002">Hidden Users</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has modified the Registry to hide created user accounts.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1562">T1562</a> </td> <td> <a href="/versions/v15/techniques/T1562/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1562">Impair Defenses</a>: <a href="/versions/v15/techniques/T1562/004">Disable or Modify System Firewall</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has disabled host-based firewalls. The group has also globally opened port 3389.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1070">T1070</a> </td> <td> <a href="/versions/v15/techniques/T1070/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1070">Indicator Removal</a>: <a href="/versions/v15/techniques/T1070/001">Clear Windows Event Logs</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1070/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1070">Indicator Removal</a>: <a href="/versions/v15/techniques/T1070/004">File Deletion</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1105">T1105</a> </td> <td> <a href="/versions/v15/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has copied and installed tools for operations once in the victim environment.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1036">T1036</a> </td> <td> <a href="/versions/v15/techniques/T1036">Masquerading</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has created accounts disguised as legitimate backup and service accounts as well as an email administration account.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1112">T1112</a> </td> <td> <a href="/versions/v15/techniques/T1112">Modify Registry</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has modified the Registry to perform multiple techniques through the use of <a href="/versions/v15/software/S0075">Reg</a>.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1135">T1135</a> </td> <td> <a href="/versions/v15/techniques/T1135">Network Share Discovery</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has identified and browsed file servers in the victim network, sometimes viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1588">T1588</a> </td> <td> <a href="/versions/v15/techniques/T1588/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1588">Obtain Capabilities</a>: <a href="/versions/v15/techniques/T1588/002">Tool</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has obtained and used tools such as <a href="/versions/v15/software/S0002">Mimikatz</a>, <a href="/versions/v15/software/S0488">CrackMapExec</a>, and <a href="/versions/v15/software/S0029">PsExec</a>.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks IRON LIBERTY July 2019"><sup><a href="https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1003">T1003</a> </td> <td> <a href="/versions/v15/techniques/T1003/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/002">Security Account Manager</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has dropped and executed SecretsDump to dump password hashes.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1003/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/003">NTDS</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Core Security. (n.d.). Impacket. Retrieved November 2, 2017."data-reference="Core Security Impacket"><sup><a href="https://www.coresecurity.com/core-labs/open-source-tools/impacket" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1003/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/004">LSA Secrets</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has dropped and executed SecretsDump to dump password hashes.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). 
Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Core Security. (n.d.). Impacket. Retrieved November 2, 2017."data-reference="Core Security Impacket"><sup><a href="https://www.coresecurity.com/core-labs/open-source-tools/impacket" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1069">T1069</a> </td> <td> <a href="/versions/v15/techniques/T1069/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v15/techniques/T1069/002">Domain Groups</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used batch scripts to enumerate administrators and users in the domain.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1566">T1566</a> </td> <td> <a href="/versions/v15/techniques/T1566/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1566">Phishing</a>: <a href="/versions/v15/techniques/T1566/001">Spearphishing Attachment</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has sent emails with malicious attachments to gain initial access.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1598">T1598</a> </td> <td> <a href="/versions/v15/techniques/T1598/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1598">Phishing for Information</a>: <a href="/versions/v15/techniques/T1598/002">Spearphishing Attachment</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used spearphishing with Microsoft Office attachments to enable harvesting of user credentials.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1598/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1598">Phishing for Information</a>: <a href="/versions/v15/techniques/T1598/003">Spearphishing Link</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1012">T1012</a> </td> <td> <a href="/versions/v15/techniques/T1012">Query Registry</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has queried the Registry to identify victim information.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1021">T1021</a> </td> <td> <a href="/versions/v15/techniques/T1021/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1021">Remote Services</a>: <a href="/versions/v15/techniques/T1021/001">Remote Desktop Protocol</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has moved laterally via RDP.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1018">T1018</a> </td> <td> <a href="/versions/v15/techniques/T1018">Remote System Discovery</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has likely obtained a list of hosts in the victim environment.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1053">T1053</a> </td> <td> <a href="/versions/v15/techniques/T1053/005">.005</a> </td> <td> <a href="/versions/v15/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v15/techniques/T1053/005">Scheduled Task</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1113">T1113</a> </td> <td> <a href="/versions/v15/techniques/T1113">Screen Capture</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017."data-reference="Symantec Dragonfly Sept 2017"><sup><a href="https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1505">T1505</a> </td> <td> <a href="/versions/v15/techniques/T1505/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1505">Server Software Component</a>: <a href="/versions/v15/techniques/T1505/003">Web Shell</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1608">T1608</a> </td> <td> <a href="/versions/v15/techniques/T1608/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1608">Stage Capabilities</a>: <a href="/versions/v15/techniques/T1608/004">Drive-by Target</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has compromised websites to redirect traffic and to host exploit kits.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1195">T1195</a> </td> <td> <a href="/versions/v15/techniques/T1195/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1195">Supply Chain Compromise</a>: <a href="/versions/v15/techniques/T1195/002">Compromise Software Supply Chain</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has placed trojanized installers for control system software on legitimate vendor app stores.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. 
Retrieved August 12, 2020."data-reference="Secureworks IRON LIBERTY July 2019"><sup><a href="https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1016">T1016</a> </td> <td> <a href="/versions/v15/techniques/T1016">System Network Configuration Discovery</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used batch scripts to enumerate network information, including information about trusts, zones, and the domain.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1033">T1033</a> </td> <td> <a href="/versions/v15/techniques/T1033">System Owner/User Discovery</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> used the command <code>query user</code> on victim hosts.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1221">T1221</a> </td> <td> <a href="/versions/v15/techniques/T1221">Template Injection</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has injected SMB URLs into malicious Word spearphishing attachments to initiate <a href="/versions/v15/techniques/T1187">Forced Authentication</a>.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1204">T1204</a> </td> <td> <a href="/versions/v15/techniques/T1204/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1204">User Execution</a>: <a href="/versions/v15/techniques/T1204/002">Malicious File</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used various forms of spearphishing in attempts to get users to open malicious attachments.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1078">T1078</a> </td> <td> <a href="/versions/v15/techniques/T1078">Valid Accounts</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has compromised user credentials and used valid accounts for operations.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021."data-reference="CISA AA20-296A Berserk Bear December 2020"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v15/techniques/T0817">T0817</a> </td> <td> <a href="/versions/v15/techniques/T0817">Drive-by Compromise</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver <a href="/versions/v15/software/S0093">Backdoor.Oldrea</a> or <a href="/versions/v15/software/S0094">Trojan.Karagany</a>.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. 
Retrieved April 8, 2016."data-reference="Symantec Security Response July 2014"><sup><a href="https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries." target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v15/techniques/T0862">T0862</a> </td> <td> <a href="/versions/v15/techniques/T0862">Supply Chain Compromise</a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> trojanized legitimate ICS equipment providers' software packages that were available for download on those vendors' websites.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016."data-reference="Symantec Security Response July 2014"><sup><a href="https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries." target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="software">Software</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v15/software/S0093">S0093</a> </td> <td> <a href="/versions/v15/software/S0093">Backdoor.Oldrea</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. 
Retrieved April 8, 2016."data-reference="Symantec Dragonfly"><sup><a href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> </td> <td> <a href="/versions/v15/techniques/T1087">Account Discovery</a>: <a href="/versions/v15/techniques/T1087/003">Email Account</a>, <a href="/versions/v15/techniques/T1560">Archive Collected Data</a>, <a href="/versions/v15/techniques/T0802">Automated Collection</a>, <a href="/versions/v15/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v15/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v15/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v15/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v15/techniques/T1132">Data Encoding</a>: <a href="/versions/v15/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v15/techniques/T0814">Denial of Service</a>, <a href="/versions/v15/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v15/techniques/T1070">Indicator Removal</a>: <a href="/versions/v15/techniques/T1070/004">File Deletion</a>, <a href="/versions/v15/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v15/techniques/T1046">Network Service Discovery</a>, <a href="/versions/v15/techniques/T0861">Point & Tag 
Identification</a>, <a href="/versions/v15/techniques/T1057">Process Discovery</a>, <a href="/versions/v15/techniques/T1055">Process Injection</a>, <a href="/versions/v15/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v15/techniques/T0846">Remote System Discovery</a>, <a href="/versions/v15/techniques/T0888">Remote System Information Discovery</a>, <a href="/versions/v15/techniques/T0865">Spearphishing Attachment</a>, <a href="/versions/v15/techniques/T0862">Supply Chain Compromise</a>, <a href="/versions/v15/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v15/techniques/T1218/011">Rundll32</a>, <a href="/versions/v15/techniques/T1082">System Information Discovery</a>, <a href="/versions/v15/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v15/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v15/techniques/T0863">User Execution</a> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0488">S0488</a> </td> <td> <a href="/versions/v15/software/S0488">CrackMapExec</a> </td> <td> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks IRON LIBERTY July 2019"><sup><a href="https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td> <a href="/versions/v15/techniques/T1087">Account Discovery</a>: <a href="/versions/v15/techniques/T1087/002">Domain Account</a>, <a href="/versions/v15/techniques/T1110">Brute Force</a>: <a href="/versions/v15/techniques/T1110/003">Password Spraying</a>, <a href="/versions/v15/techniques/T1110">Brute Force</a>: <a href="/versions/v15/techniques/T1110/001">Password Guessing</a>, <a href="/versions/v15/techniques/T1110">Brute Force</a>, <a href="/versions/v15/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v15/techniques/T1059/001">PowerShell</a>, <a href="/versions/v15/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v15/techniques/T1112">Modify Registry</a>, <a href="/versions/v15/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/002">Security Account Manager</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/003">NTDS</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/004">LSA Secrets</a>, <a href="/versions/v15/techniques/T1201">Password Policy Discovery</a>, <a href="/versions/v15/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v15/techniques/T1069/002">Domain Groups</a>, <a href="/versions/v15/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v15/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v15/techniques/T1053/002">At</a>, <a href="/versions/v15/techniques/T1082">System Information Discovery</a>, <a href="/versions/v15/techniques/T1016">System Network Configuration Discovery</a>, <a 
href="/versions/v15/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v15/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v15/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v15/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0357">S0357</a> </td> <td> <a href="/versions/v15/software/S0357">Impacket</a> </td> <td> <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Core Security. (n.d.). Impacket. 
Retrieved November 2, 2017."data-reference="Core Security Impacket"><sup><a href="https://www.coresecurity.com/core-labs/open-source-tools/impacket" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span> </td> <td> <a href="/versions/v15/techniques/T1557">Adversary-in-the-Middle</a>: <a href="/versions/v15/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/versions/v15/techniques/T1040">Network Sniffing</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/003">NTDS</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/002">Security Account Manager</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/004">LSA Secrets</a>, <a href="/versions/v15/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v15/techniques/T1558/003">Kerberoasting</a>, <a href="/versions/v15/techniques/T1569">System Services</a>: <a href="/versions/v15/techniques/T1569/002">Service Execution</a>, <a href="/versions/v15/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0500">S0500</a> </td> <td> <a href="/versions/v15/software/S0500">MCMD</a> </td> <td> <span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). MCMD Malware Analysis. 
Retrieved August 13, 2020."data-reference="Secureworks MCMD July 2019"><sup><a href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span> </td> <td> <a href="/versions/v15/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v15/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v15/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v15/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v15/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v15/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v15/techniques/T1005">Data from Local System</a>, <a href="/versions/v15/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v15/techniques/T1564/003">Hidden Window</a>, <a href="/versions/v15/techniques/T1070">Indicator Removal</a>: <a href="/versions/v15/techniques/T1070/009">Clear Persistence</a>, <a href="/versions/v15/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v15/techniques/T1036">Masquerading</a>: <a href="/versions/v15/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v15/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v15/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v15/techniques/T1053/005">Scheduled Task</a> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0002">S0002</a> </td> <td> <a href="/versions/v15/software/S0002">Mimikatz</a> </td> <td> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. 
Retrieved August 12, 2020."data-reference="Secureworks IRON LIBERTY July 2019"><sup><a href="https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> </td> <td> <a href="/versions/v15/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v15/techniques/T1134/005">SID-History Injection</a>, <a href="/versions/v15/techniques/T1098">Account Manipulation</a>, <a href="/versions/v15/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v15/techniques/T1547/005">Security Support Provider</a>, <a href="/versions/v15/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v15/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v15/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v15/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v15/techniques/T1555/004">Windows Credential Manager</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/006">DCSync</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/002">Security Account Manager</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/004">LSA Secrets</a>, <a href="/versions/v15/techniques/T1207">Rogue Domain Controller</a>, <a href="/versions/v15/techniques/T1649">Steal or Forge Authentication Certificates</a>, <a href="/versions/v15/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v15/techniques/T1558/001">Golden Ticket</a>, <a href="/versions/v15/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v15/techniques/T1558/002">Silver 
Ticket</a>, <a href="/versions/v15/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v15/techniques/T1552/004">Private Keys</a>, <a href="/versions/v15/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v15/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v15/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v15/techniques/T1550/003">Pass the Ticket</a> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0039">S0039</a> </td> <td> <a href="/versions/v15/software/S0039">Net</a> </td> <td> <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td> <a href="/versions/v15/techniques/T1087">Account Discovery</a>: <a href="/versions/v15/techniques/T1087/002">Domain Account</a>, <a href="/versions/v15/techniques/T1087">Account Discovery</a>: <a href="/versions/v15/techniques/T1087/001">Local Account</a>, <a href="/versions/v15/techniques/T1136">Create Account</a>: <a href="/versions/v15/techniques/T1136/001">Local Account</a>, <a href="/versions/v15/techniques/T1136">Create Account</a>: <a href="/versions/v15/techniques/T1136/002">Domain Account</a>, <a href="/versions/v15/techniques/T1070">Indicator Removal</a>: <a href="/versions/v15/techniques/T1070/005">Network Share Connection Removal</a>, <a href="/versions/v15/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v15/techniques/T1201">Password Policy Discovery</a>, <a href="/versions/v15/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v15/techniques/T1069/002">Domain Groups</a>, <a 
href="/versions/v15/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v15/techniques/T1069/001">Local Groups</a>, <a href="/versions/v15/techniques/T1021">Remote Services</a>: <a href="/versions/v15/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/versions/v15/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v15/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v15/techniques/T1007">System Service Discovery</a>, <a href="/versions/v15/techniques/T1569">System Services</a>: <a href="/versions/v15/techniques/T1569/002">Service Execution</a>, <a href="/versions/v15/techniques/T1124">System Time Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0108">S0108</a> </td> <td> <a href="/versions/v15/software/S0108">netsh</a> </td> <td> <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td> <a href="/versions/v15/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v15/techniques/T1546/007">Netsh Helper DLL</a>, <a href="/versions/v15/techniques/T1562">Impair Defenses</a>: <a href="/versions/v15/techniques/T1562/004">Disable or Modify System Firewall</a>, <a href="/versions/v15/techniques/T1090">Proxy</a>, <a href="/versions/v15/techniques/T1518">Software Discovery</a>: <a href="/versions/v15/techniques/T1518/001">Security Software Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0029">S0029</a> </td> <td> <a href="/versions/v15/software/S0029">PsExec</a> </td> <td> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks IRON LIBERTY July 2019"><sup><a href="https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. 
Retrieved September 9, 2017."data-reference="Symantec Dragonfly Sept 2017"><sup><a href="https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> </td> <td> <a href="/versions/v15/techniques/T1136">Create Account</a>: <a href="/versions/v15/techniques/T1136/002">Domain Account</a>, <a href="/versions/v15/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v15/techniques/T1543/003">Windows Service</a>, <a href="/versions/v15/techniques/T1570">Lateral Tool Transfer</a>, <a href="/versions/v15/techniques/T1021">Remote Services</a>: <a href="/versions/v15/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/versions/v15/techniques/T1569">System Services</a>: <a href="/versions/v15/techniques/T1569/002">Service Execution</a> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0075">S0075</a> </td> <td> <a href="/versions/v15/software/S0075">Reg</a> </td> <td> <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. 
Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td> <a href="/versions/v15/techniques/T1112">Modify Registry</a>, <a href="/versions/v15/techniques/T1012">Query Registry</a>, <a href="/versions/v15/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v15/techniques/T1552/002">Credentials in Registry</a> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0094">S0094</a> </td> <td> <a href="/versions/v15/software/S0094">Trojan.Karagany</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016."data-reference="Symantec Dragonfly"><sup><a href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks Karagany July 2019"><sup><a href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. 
Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> </td> <td> <a href="/versions/v15/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v15/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v15/techniques/T1010">Application Window Discovery</a>, <a href="/versions/v15/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v15/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v15/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v15/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v15/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v15/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v15/techniques/T1074">Data Staged</a>: <a href="/versions/v15/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v15/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v15/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v15/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v15/techniques/T1070">Indicator Removal</a>: <a href="/versions/v15/techniques/T1070/004">File Deletion</a>, <a href="/versions/v15/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v15/techniques/T1056">Input Capture</a>: <a href="/versions/v15/techniques/T1056/001">Keylogging</a>, <a href="/versions/v15/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v15/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v15/techniques/T1027/002">Software Packing</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>, <a href="/versions/v15/techniques/T1057">Process Discovery</a>, <a href="/versions/v15/techniques/T1055">Process Injection</a>: 
<a href="/versions/v15/techniques/T1055/003">Thread Execution Hijacking</a>, <a href="/versions/v15/techniques/T1113">Screen Capture</a>, <a href="/versions/v15/techniques/T1082">System Information Discovery</a>, <a href="/versions/v15/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v15/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v15/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v15/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/versions/v15/techniques/T1497/001">System Checks</a> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical" target="_blank"> Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" target="_blank"> UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022. 
</a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank"> Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" target="_blank"> Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" target="_blank"> Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="http://fortune.com/2017/09/06/hack-energy-grid-symantec/" target="_blank"> Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank"> Slowik, J. (2021, October). 
THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank"> CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" target="_blank"> Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="10"> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.mandiant.com/resources/ukraine-crisis-cyber-threats" target="_blank"> Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.dragos.com/threat/dymalloy/" target="_blank"> Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank"> Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. 
</a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank"> Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" target="_blank"> Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank"> US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://tools.kali.org/password-attacks/hydra" target="_blank"> Kali. (2014, February 18). THC-Hydra. Retrieved November 2, 2017. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.coresecurity.com/core-labs/open-source-tools/impacket" target="_blank"> Core Security. (n.d.). Impacket. Retrieved November 2, 2017. 
</a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries." target="_blank"> Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v15/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> 
<div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/versions/v15/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v15.1
Website v4.1.6">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> </body> </html>