ATK6

Presumed Origin: Russia < Back

Alias: Crouching Yeti, CrouchingYeti, DYMALLOY, Dragonfly, Energetic Bear, Group 24, Havex, Iron Liberty, Koala Team, TG-4192

ATK6 (aka: Dragonfly) is a cyber espionage group that has been active since at least 2010. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. Dragonfly's activities can be separated into three periods:

2010-2013, the beginning of its activities using large spam campaigns
2013-2014, when it started to target the energy sector using spear-phishing
2015-2019, a re-launch of its attacks after a break.

The intrusions in energy facilities may have two objectives: steal sensitive informations to known how these systems work (intelligence gathering phase) and prepare the nertwork for future sabotages operations.

REFERENCES

- MITRE, Dragonfly 2.0, https://attack.mitre.org/groups/G0074/
- 17/12/2010, Symantec, Dream Loader: the new bot C&C engine of your dreams
- 07/07/2014, Symantec, Dragonfly: Cyberespionage Attacks Against Energy Suppliers
- 27/10/2014, Netresec, Full Disclosure of Havex Trojans
- 20/10/2017, Symantec, Dragonfly: Western energy sector targeted by sophisticated attack group
- 20/10/2017, US-CERT, Alert (TA17-293A) Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
- 16/03/2018, Cylance, Energetic DragonFly DYMALLOY Bear 2.0
- 04/04/2018, NCSC, Hostile state actors compromising UK organisations with focus on engineering and industrial control companies
- 11/07/2019, Dell Secureworks. MCMD Malware Analysis
- 11/07/2019, Dell Secureworks, Updated Karagany Malware Targets Energy Sector
- 24/07/2019, Dell Secureworks, Resurgent Iron Liberty Targeting Energy Sector

Target sector

Aviation
Defense
Energy

Target countries

Belgium
Canada
France
Germany
Greece
Italy
Norway
Poland
Serbia
Spain
Switzerland
Turkey
United Kingdom Of Great Britain And Northern Ireland
United States Of America

Attack pattern

T1002 - Data Compressed
T1003 - Credential Dumping
T1005 - Data from Local System
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1023 - Shortcut Modification
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1043 - Commonly Used Port
T1053 - Scheduled Task
T1059 - Command-Line Interface
T1060 - Registry Run Keys / Startup Folder
T1064 - Scripting
T1069 - Permission Groups Discovery
T1070 - Indicator Removal on Host
T1071 - Standard Application Layer Protocol
T1074 - Data Staged
T1076 - Remote Desktop Protocol
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1086 - PowerShell
T1087 - Account Discovery
T1089 - Disabling Security Tools
T1098 - Account Manipulation
T1100 - Web Shell
T1105 - Remote File Copy
T1107 - File Deletion
T1110 - Brute Force
T1112 - Modify Registry
T1113 - Screen Capture
T1114 - Email Collection
T1133 - External Remote Services
T1135 - Network Share Discovery
T1136 - Create Account
T1187 - Forced Authentication
T1189 - Drive-by Compromise
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1204 - User Execution
T1221 - Template Injection
T1271 - Identify personnel with an authority/privilege
T1276 - Identify supply chains
T1279 - Conduct social engineering
T1313 - Obfuscation or cryptography
T1345 - Create custom payloads
T1346 - Obtain/re-use payloads
T1351 - Remote access tool development

Motivation

Espionage

Malwares

CrackMapExec
Dorshel
Goodor
Havex
Karagany
Lightsout exploit kit
MCMD
Mimikatz
Oldrea

ATK6

Target sector

Target countries

Attack pattern

Motivation

Malwares

Vulnerabilities

Would you like a customized presentation?

ATK6

Description

Target sector

Target countries

Attack pattern

Motivation

Malwares

Vulnerabilities