Threat Actor Profile
Description
Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (56)
STIX Data
{'aliases': ['Dragonfly',
'TEMP.Isotope',
'DYMALLOY',
'Berserk Bear',
'TG-4192',
'Crouching Yeti',
'IRON LIBERTY',
'Energetic Bear',
'Ghost Blizzard',
'BROMINE'],
'created': '2017-05-31T21:32:05.217Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber '
"espionage group that has been attributed to Russia's Federal "
'Security Service (FSB) Center 16.(Citation: DOJ Russia '
'Targeting Critical Infrastructure March 2022)(Citation: UK '
'GOV FSB Factsheet April 2022) Active since at least 2010, '
'[Dragonfly](https://attack.mitre.org/groups/G0035) has '
'targeted defense and aviation companies, government entities, '
'companies related to industrial control systems, and critical '
'infrastructure sectors worldwide through supply chain, '
'spearphishing, and drive-by compromise attacks.(Citation: '
'Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July '
'2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: '
'Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk '
'Bear October 2021)(Citation: CISA AA20-296A Berserk Bear '
'December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)',
'external_references': [{'external_id': 'G0035',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G0035'},
{'description': '(Citation: Dragos DYMALLOY '
')(Citation: UK GOV FSB Factsheet '
'April 2022)',
'source_name': 'DYMALLOY'},
{'description': '(Citation: Gigamon Berserk Bear '
'October 2021)(Citation: DOJ Russia '
'Targeting Critical Infrastructure '
'March 2022)(Citation: UK GOV FSB '
'Factsheet April 2022)',
'source_name': 'Berserk Bear'},
{'description': '(Citation: Mandiant Ukraine Cyber '
'Threats January 2022)(Citation: '
'Gigamon Berserk Bear October 2021)',
'source_name': 'TEMP.Isotope'},
{'description': '(Citation: Microsoft Threat Actor '
'Naming July 2023)',
'source_name': 'Ghost Blizzard'},
{'description': '(Citation: Microsoft Threat Actor '
'Naming July 2023)',
'source_name': 'BROMINE'},
{'description': '(Citation: Secureworks IRON LIBERTY '
'July 2019)(Citation: Gigamon Berserk '
'Bear October 2021)(Citation: DOJ '
'Russia Targeting Critical '
'Infrastructure March 2022)(Citation: '
'UK GOV FSB Factsheet April 2022)',
'source_name': 'Crouching Yeti'},
{'description': '(Citation: Secureworks IRON LIBERTY '
'July 2019)(Citation: Secureworks '
'MCMD July 2019)(Citation: '
'Secureworks Karagany July '
'2019)(Citation: UK GOV FSB Factsheet '
'April 2022)',
'source_name': 'IRON LIBERTY'},
{'description': '(Citation: Secureworks IRON LIBERTY '
'July 2019)(Citation: UK GOV FSB '
'Factsheet April 2022)',
'source_name': 'TG-4192'},
{'description': '(Citation: Symantec '
'Dragonfly)(Citation: Secureworks '
'IRON LIBERTY July 2019)(Citation: '
'Gigamon Berserk Bear October '
'2021)(Citation: DOJ Russia Targeting '
'Critical Infrastructure March '
'2022)(Citation: UK GOV FSB Factsheet '
'April 2022)',
'source_name': 'Dragonfly'},
{'description': '(Citation: Symantec '
'Dragonfly)(Citation: Secureworks '
'IRON LIBERTY July 2019)(Citation: '
'Secureworks MCMD July '
'2019)(Citation: Secureworks Karagany '
'July 2019)(Citation: Gigamon Berserk '
'Bear October 2021)(Citation: DOJ '
'Russia Targeting Critical '
'Infrastructure March 2022)(Citation: '
'UK GOV FSB Factsheet April 2022)',
'source_name': 'Energetic Bear'},
{'description': 'CISA. (2020, December 1). Russian '
'State-Sponsored Advanced Persistent '
'Threat Actor Compromises U.S. '
'Government Targets. Retrieved '
'December 9, 2021.',
'source_name': 'CISA AA20-296A Berserk Bear December '
'2020',
'url': 'https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions'},
{'description': 'Department of Justice. (2022, March '
'24). Four Russian Government '
'Employees Charged in Two Historical '
'Hacking Campaigns Targeting Critical '
'Infrastructure Worldwide. Retrieved '
'April 5, 2022.',
'source_name': 'DOJ Russia Targeting Critical '
'Infrastructure March 2022',
'url': 'https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical'},
{'description': 'Dragos. (n.d.). DYMALLOY. Retrieved '
'August 20, 2020.',
'source_name': 'Dragos DYMALLOY ',
'url': 'https://www.dragos.com/threat/dymalloy/'},
{'description': 'Hackett, R. (2017, September 6). '
'Hackers Have Penetrated Energy Grid, '
'Symantec Warns. Retrieved June 6, '
'2018.',
'source_name': 'Fortune Dragonfly 2.0 Sept 2017',
'url': 'http://fortune.com/2017/09/06/hack-energy-grid-symantec/'},
{'description': 'Hultquist, J. (2022, January 20). '
'Anticipating Cyber Threats as the '
'Ukraine Crisis Escalates. Retrieved '
'January 24, 2022.',
'source_name': 'Mandiant Ukraine Cyber Threats '
'January 2022',
'url': 'https://www.mandiant.com/resources/ukraine-crisis-cyber-threats'},
{'description': 'Microsoft . (2023, July 12). How '
'Microsoft names threat actors. '
'Retrieved November 17, 2023.',
'source_name': 'Microsoft Threat Actor Naming July '
'2023',
'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
{'description': 'Secureworks. (2019, July 24). MCMD '
'Malware Analysis. Retrieved August '
'13, 2020.',
'source_name': 'Secureworks MCMD July 2019',
'url': 'https://www.secureworks.com/research/mcmd-malware-analysis'},
{'description': 'Secureworks. (2019, July 24). '
'Resurgent Iron Liberty Targeting '
'Energy Sector. Retrieved August 12, '
'2020.',
'source_name': 'Secureworks IRON LIBERTY July 2019',
'url': 'https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector'},
{'description': 'Secureworks. (2019, July 24). '
'Updated Karagany Malware Targets '
'Energy Sector. Retrieved August 12, '
'2020.',
'source_name': 'Secureworks Karagany July 2019',
'url': 'https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector'},
{'description': 'Slowik, J. (2021, October). THE '
'BAFFLING BERSERK BEAR: A DECADE’S '
'ACTIVITY TARGETING CRITICAL '
'INFRASTRUCTURE. Retrieved December '
'6, 2021.',
'source_name': 'Gigamon Berserk Bear October 2021',
'url': 'https://vblocalhost.com/uploads/VB2021-Slowik.pdf'},
{'description': 'Symantec Security Response. (2014, '
'July 7). Dragonfly: Western energy '
'sector targeted by sophisticated '
'attack group. Retrieved September 9, '
'2017.',
'source_name': 'Symantec Dragonfly Sept 2017',
'url': 'https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers'},
{'description': 'Symantec Security Response. (2014, '
'June 30). Dragonfly: Cyberespionage '
'Attacks Against Energy Suppliers. '
'Retrieved April 8, 2016.',
'source_name': 'Symantec Dragonfly',
'url': 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments'},
{'description': 'Symantec. (2017, October 7). '
'Dragonfly: Western energy sector '
'targeted by sophisticated attack '
'group. Retrieved April 19, 2022.',
'source_name': 'Symantec Dragonfly 2.0 October 2017',
'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks'},
{'description': "UK Gov. (2022, April 5). Russia's "
'FSB malign activity: factsheet. '
'Retrieved April 5, 2022.',
'source_name': 'UK GOV FSB Factsheet April 2022',
'url': 'https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet'}],
'id': 'intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1',
'modified': '2024-01-08T20:40:31.822Z',
'name': 'Dragonfly',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Dragos Threat Intelligence'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack', 'ics-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '4.0'}