ATK6

Presumed Origin: Russia

Alias: Crouching Yeti, CrouchingYeti, DYMALLOY, Dragonfly, Energetic Bear, Group 24, Havex, Iron Liberty, Koala Team, TG-4192

ATK6 (aka: Dragonfly) is a cyber espionage group that has been active since at least 2010. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. Dragonfly's activities can be separated into three periods:

  • 2010-2013, the beginning of its activities using large spam campaigns
  • 2013-2014, when it started to target the energy sector using spear-phishing
  • 2015-2019, a re-launch of its attacks after a break.

The intrusions into energy facilities may serve two objectives: stealing sensitive information in order to learn how these systems work (an intelligence-gathering phase), and preparing the network for future sabotage operations.

Target sector

  • Aviation
  • Defense
  • Energy

Target countries

  • Belgium
  • Canada
  • France
  • Germany
  • Greece
  • Italy
  • Norway
  • Poland
  • Serbia
  • Spain
  • Switzerland
  • Turkey
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America

Attack pattern

  • T1002 - Data Compressed
  • T1003 - Credential Dumping
  • T1005 - Data from Local System
  • T1012 - Query Registry
  • T1016 - System Network Configuration Discovery
  • T1018 - Remote System Discovery
  • T1023 - Shortcut Modification
  • T1033 - System Owner/User Discovery
  • T1036 - Masquerading
  • T1043 - Commonly Used Port
  • T1053 - Scheduled Task
  • T1059 - Command-Line Interface
  • T1060 - Registry Run Keys / Startup Folder
  • T1064 - Scripting
  • T1069 - Permission Groups Discovery
  • T1070 - Indicator Removal on Host
  • T1071 - Standard Application Layer Protocol
  • T1074 - Data Staged
  • T1076 - Remote Desktop Protocol
  • T1078 - Valid Accounts
  • T1083 - File and Directory Discovery
  • T1086 - PowerShell
  • T1087 - Account Discovery
  • T1089 - Disabling Security Tools
  • T1098 - Account Manipulation
  • T1100 - Web Shell
  • T1105 - Remote File Copy
  • T1107 - File Deletion
  • T1110 - Brute Force
  • T1112 - Modify Registry
  • T1113 - Screen Capture
  • T1114 - Email Collection
  • T1133 - External Remote Services
  • T1135 - Network Share Discovery
  • T1136 - Create Account
  • T1187 - Forced Authentication
  • T1189 - Drive-by Compromise
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1204 - User Execution
  • T1221 - Template Injection
  • T1271 - Identify personnel with an authority/privilege
  • T1276 - Identify supply chains
  • T1279 - Conduct social engineering
  • T1313 - Obfuscation or cryptography
  • T1345 - Create custom payloads
  • T1346 - Obtain/re-use payloads
  • T1351 - Remote access tool development

Motivation

  • Espionage

Malware

  • CrackMapExec
  • Dorshel
  • Goodor
  • Havex
  • Karagany
  • Lightsout exploit kit
  • MCMD
  • Mimikatz
  • Oldrea

Vulnerabilities