ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Berserk Bear, Dragonfly 2.0

Names: Berserk Bear (CrowdStrike)
Dragonfly 2.0 (Symantec)
Dymalloy (Dragos)
Country: Russia
Motivation: Sabotage and destruction
First seen: 2015
Description: Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. The extent of its overlap with Energetic Bear, Dragonfly is debated, but there is sufficient evidence for the two to be tracked as separate groups.
Observed: Sectors: Energy.
Countries: Azerbaijan, Belgium, Canada, France, Germany, Italy, Norway, Russia, Singapore, Spain, Switzerland, Turkey, UK, Ukraine, USA.
Tools used: Goodor, Impacket, Karagany, Phishery, Living off the Land.
Operations performed:
Dec 2015: Symantec has evidence indicating that the Dragonfly 2.0 campaign has been underway since at least December 2015 and has identified a distinct increase in activity in 2017.
<https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks>
May 2017: Attack on nuclear facilities in the US
Since May, hackers have been penetrating the computer networks of companies that operate nuclear power stations and other energy facilities, as well as manufacturing plants in the United States and other countries.
Among the companies targeted was the Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kan., according to security consultants and an urgent joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week.
<https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html>
<http://fortune.com/2017/09/06/hack-energy-grid-symantec/>
May 2017: Attacks on critical infrastructure and energy companies around the world
Since at least May 2017, Talos has observed attackers targeting critical infrastructure and energy companies around the world, primarily in Europe and the United States. These attacks target both the critical infrastructure providers, and the vendors those providers use to deliver critical services. Attacks on critical infrastructure are not a new concern for security researchers, as adversaries are keen to understand critical infrastructure ICS networks for reasons unknown, but surely nefarious.
<https://blog.talosintelligence.com/2017/07/template-injection.html>
<https://www.us-cert.gov/ncas/alerts/TA18-074A>
Information: <https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0074/>

Last change to this card: 22 April 2020
