{ "type": "bundle", "id": "bundle--59720d00-615e-4878-b5ab-736e626221c9", "spec_version": "2.0", "objects": [ { "modified": "2023-03-08T22:03:28.170Z", "name": "Dragonfly", "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)", "aliases": [ "Dragonfly", "TEMP.Isotope", "DYMALLOY", "Berserk Bear", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear" ], "x_mitre_deprecated": false, "x_mitre_version": "3.1", "x_mitre_contributors": [ "Dragos Threat Intelligence" ], "type": "intrusion-set", "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "created": "2017-05-31T21:32:05.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0035", "external_id": "G0035" }, { "source_name": "DYMALLOY", "description": "(Citation: Dragos DYMALLOY )(Citation: UK GOV FSB Factsheet April 2022)" }, { "source_name": "Berserk Bear", "description": "(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" }, { "source_name": "TEMP.Isotope", "description": "(Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021)" }, { "source_name": "Crouching Yeti", "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" }, { "source_name": "IRON LIBERTY", "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022)" }, { "source_name": "TG-4192", "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022)" }, { "source_name": "Dragonfly", "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" }, { "source_name": "Energetic Bear", "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" }, { "source_name": "CISA AA20-296A Berserk Bear December 2020", "description": "CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" }, { "source_name": "DOJ Russia Targeting Critical Infrastructure March 2022", "description": "Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.", "url": "https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical" }, { "source_name": "Dragos DYMALLOY ", "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.", "url": "https://www.dragos.com/threat/dymalloy/" }, { "source_name": "Fortune Dragonfly 2.0 Sept 2017", "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.", "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/" }, { "source_name": "Mandiant Ukraine Cyber Threats January 2022", "description": "Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.", "url": "https://www.mandiant.com/resources/ukraine-crisis-cyber-threats" }, { "source_name": "Secureworks MCMD July 2019", "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.", "url": "https://www.secureworks.com/research/mcmd-malware-analysis" }, { "source_name": "Secureworks IRON LIBERTY July 2019", "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.", "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" }, { "source_name": "Secureworks Karagany July 2019", "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.", "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" }, { "source_name": "Gigamon Berserk Bear October 2021", "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.", "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf" }, { "source_name": "Symantec Dragonfly Sept 2017", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" }, { "source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" }, { "source_name": "Symantec Dragonfly 2.0 October 2017", "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.", "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" }, { "source_name": "UK GOV FSB Factsheet April 2022", "description": "UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022.", "url": "https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] }