Dragonfly

dragonfly · primary source: MITRE · first observed 2010

RU · RussiaState-sponsoredHigh confidencelast cited Mar 23, 2022 · 4y ago

Russian state-sponsored intrusion set publicly attributed by the U.S. DOJ and Treasury OFAC to FSB Center 16 (Military Unit 71330). Long-running targeting of the energy, nuclear, water, aviation, and government sectors across North America and Europe — emphasis on ICS reconnaissance and supply-chain compromise of vendors serving operational technology customers. DOJ indicted three FSB officers in 2022 for the campaign.

Aliases

Berserk BearCrowdStrikeEnergetic BearOtherDYMALLOYOtherTEMP.IsotopeMandiantIRON LIBERTYOther

Motivations

espionagepre-positioning

Target sectors

energynuclearwateraviationgovernmentics

Target countries

USGBDEUATRCAFR

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary

Dragonfly
Russia
espionage
pre-positioning

Capability

Infrastructure

—

Victim

energy
nuclear
water
US
GB
+1 more

MITRE ATT&CK techniques

T1190 T1566.001 T1078 T0866

Timeline

1 event

IndictmentHigh2022-03-24·U.S. Department of Justice
DOJ unseals charges against three FSB Center 16 officers (Dragonfly)
U.S. DOJ unsealed an indictment of three FSB Center 16 officers — Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov — for the long-running Dragonfly / Berserk Bear campaign against energy-sector organizations in 135 countries. Charges spanned 2012-2017 campaigns against U.S. nuclear power operators (including Wolf Creek Nuclear) and the 2017 Saudi Aramco TRITON safety-system intrusion.
indictmenticsenergyfsb

Indicators of compromise

2 indicators

defangedcsv

Type	Value	First seen	Source
Name	Triton / Havex - DOJ 2022 indictment (Akulov, Gavrilov, Tyukov) On 24 March 2022 the U.S. DOJ unsealed an indictment charging three FSB Centre 16 officers - Pavel Akulov, Mikhail Gavrilov, and Marat Tyukov - for a 2012-2017 energy-sector intrusion campaign tracked publicly as Dragonfly / Berserk Bear / Energetic Bear / Crouching Yeti, including the Wolf Creek nuclear plant compromise.	Mar 23, 2022	U.S. Department of Justice
Name	Havex (Backdoor.Oldrea) family · Havex OPC-aware RAT used by Dragonfly / Energetic Bear from 2013 in supply-chain compromises of ICS vendor websites (MESA Imaging, eWON/Talk2M, MB Connect Line). Activity is named as BERSERK BEAR in CISA / FBI joint advisory AA22-110A (20 April 2022), which attributes the group to FSB Centre 16 (Military Unit 71330).	Dec 31, 2012	CISA

Related actors

shared ATT&CK techniques

KP · DPRKAndariel2 shared techniques
- T1078
- T1190
CN · ChinaAPT32 shared techniques
- T1078
- T1190
IR · IranAPT342 shared techniques
- T1190
- T1566.001
IR · IranAPT392 shared techniques
- T1078
- T1566.001
RU · RussiaCOLDRIVER2 shared techniques
- T1078
- T1566.001
CN · ChinaFlax Typhoon2 shared techniques
- T1078
- T1190

References

cite this page

Threat Intel Tracker. (2026-05-19). Dragonfly — actor profile. Retrieved from https://threatintel.local/actors/dragonfly

latest cited activity · 2022-03-24 · 2 cataloged indicators