Dragonfly Energy Sector Intrusion Campaign

A multi-year campaign by the Russian Dragonfly group against the Western energy sector, including US, UK and European power grid operators, nuclear facilities and industrial control systems. CISA advisory AA20-296A attributed grid network access to the group, with the capability to cause disruptions.

Start date: 1 January 2017
End date:
Techniques: 24

Attributed actors

Techniques (24)

collection (1)
T1005 Data from Local System

command-and-control (2)
T1105 Ingress Tool Transfer
T1071.001 Web Protocols

defense-impairment (1)
T1070.001 Clear Windows Event Logs

discovery (4)
T1018 Remote System Discovery
T1082 System Information Discovery
T1083 File and Directory Discovery
T1016 System Network Configuration Discovery

execution (3)
T1059.003 Windows Command Shell
T1059.001 PowerShell
T1053.005 Scheduled Task

exfiltration (1)
T1041 Exfiltration Over C2 Channel

initial-access (5)
T1566.002 Spearphishing Link
T1078 Valid Accounts
T1133 External Remote Services
T1566.001 Spearphishing Attachment
T1190 Exploit Public-Facing Application

lateral-movement (2)
T1021.001 Remote Desktop Protocol
T1021.002 SMB/Windows Admin Shares

persistence (4)
T1078 Valid Accounts
T1547.001 Registry Run Keys / Startup Folder
T1133 External Remote Services
T1053.005 Scheduled Task

privilege-escalation (4)
T1078 Valid Accounts
T1547.001 Registry Run Keys / Startup Folder
T1055 Process Injection
T1053.005 Scheduled Task

stealth (5)
T1078 Valid Accounts
T1140 Deobfuscate/Decode Files or Information
T1070.004 File Deletion
T1055 Process Injection
T1027 Obfuscated Files or Information

Indicators of compromise

No IOCs linked to this campaign yet.