>samit_hota
Back to adversary profiles
G0035CriticalActive

Threat Actor Profile: Dragonfly (G0035) – Russia’s Critical Infrastructure Espionage Group

Samit Hota·
Suspected Origin
Russia
Motivation
Espionage, Reconnaissance, Potential Sabotage
Aliases
TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear, Ghost Blizzard, BROMINE
Target Sectors
Energy, Industrial Control Systems, Critical Infrastructure, Defense, Aviation, Government, Communications, Financial Services, Healthcare, Transportation
Associated Malware
Backdoor.Oldrea (Havex), Trojan.Karagany, Trojan.Heriplor, Backdoor.Goodor, Backdoor.Dorshel, SYNful Knock, Mimikatz, CrackMapExec, PsExec, Hydra, SecretsDump, Phishery toolkit
#threat-actor#g0035

Overview

Dragonfly, known in the cybersecurity community by numerous aliases including Energetic Bear, Berserk Bear, and TEMP.Isotope, is a highly capable and persistent cyber espionage group with a clear nexus to Russia’s Federal Security Service (FSB) Center 16, also identified as Military Unit 71330. Active since at least 2010, the group’s primary motivation is intelligence gathering and cyber espionage, with a long-standing focus on strategically vital sectors globally. While initially focused on reconnaissance, later campaigns, notably Dragonfly 2.0, demonstrated an evolving capability and potential for disruptive or destructive operations, particularly against industrial control systems (ICS). This aligns with broader Russian geopolitical objectives.

Dragonfly’s targeting has consistently concentrated on critical infrastructure across the globe. Key sectors include energy, industrial control systems (ICS) and SCADA systems, defense and aviation companies, and various government entities. Historically, their initial operations targeted defense and aviation firms in the US and Canada before shifting focus to energy organizations in the US and Europe in 2013. Over time, their scope expanded to encompass communications, financial services, healthcare, defense industrial base, transportation systems, and water and wastewater systems sectors. Some campaigns have even touched upon the pharmaceutical and accounting industries, showcasing a broader intelligence mandate. Geographically, victims have been observed worldwide, with notable concentrations in the US, UK, Canada, Spain, France, Italy, Germany, Turkey, Poland, and Switzerland.

Tactics & Techniques

Dragonfly employs a diverse array of tactics and techniques to gain and maintain access, reflecting a sophisticated and adaptive adversary. Initial access is frequently achieved through highly tailored spearphishing campaigns. These often involve malicious attachments, PDF documents containing malicious links, or emails embedding SMB URLs designed for forced authentication. These emails are meticulously crafted, sometimes disguised as invitations or incorporating content highly relevant to the target’s industry.

Another hallmark of Dragonfly’s initial access strategy is the use of watering hole attacks. This involves compromising legitimate websites likely frequented by personnel in target sectors, then redirecting visitors or injecting malicious iframes to deliver malware. A more audacious method observed is supply chain compromise, where Dragonfly has trojanized legitimate software packages offered by ICS equipment providers, embedding malware within seemingly innocuous software updates. The group also actively exploits vulnerabilities in common services like Citrix and Microsoft Exchange, and has been observed targeting poorly configured networking devices globally, leveraging legacy unencrypted protocols such as Simple Network Management Protocol (SNMP) versions 1 and 2, and exploiting vulnerabilities like CVE-2018-0171 in Cisco Smart Install (SMI). Brute-force credential attempts are also part of their repertoire.

Once inside a network, Dragonfly leverages a mix of custom and off-the-shelf tools for execution, including batch scripts, PowerShell scripts, and Python scripts, sometimes installing Python 2.7 on victim systems. They establish persistence by adding registry values to the Run key, creating disguised accounts (e.g., backup, service, email administration accounts), and using VPNs and Outlook Web Access (OWA) for sustained access. For defense evasion, they have utilized the Shellter evasion framework to develop trojanized applications and often rely on stealthy living-off-the-land binaries (LOLBins) in addition to their custom malware.

Credential access is critical to Dragonfly’s operations, often involving the Phishery toolkit for credential harvesting via template injection attacks, as well as dumping password hashes using tools like SecretsDump, and cracking passwords with Hydra and CrackMapExec. Their discovery tactics are extensive, including enumerating users and administrators, mapping domain trusts and zones using batch scripts, scanning for vulnerable services, and actively identifying and browsing file servers for ICS/SCADA-related information. Recent activity shows them collecting configuration files for networking devices and conducting reconnaissance with a specific interest in ICS protocols and applications. Lateral movement is facilitated through RDP and the use of SMB for command and control (C2), often utilizing compromised valid accounts. C2 infrastructure often involves acquired VPS and registered domains for targeting. Exfiltration typically involves compressing data into .zip files, and evidence suggests they take highly specific screen captures, sometimes naming them to indicate machines with access to operational control systems (e.g., including “cntrl” in the filename).

Notable Campaigns

Dragonfly’s operations can generally be categorized into distinct phases. The initial campaigns, active from at least 2011 to 2014, often referred to as “Dragonfly” or “Havex,” focused heavily on cyber espionage and pre-positioning within critical infrastructure. A significant aspect of this phase was a widespread supply chain attack, where the group compromised the networks of ICS/SCADA system manufacturers and software providers. They then embedded their Havex malware into legitimate software updates, which unsuspecting customers downloaded, establishing backdoors and enabling network reconnaissance for additional ICS/SCADA devices. This campaign infected hundreds of business computers across the United States and Europe.

Following exposure in 2014, the group experienced a period of relative quiet before re-emerging with renewed vigor in late 2015, marking the beginning of what is known as “Dragonfly 2.0.” This updated campaign, active through 2017, shifted to more targeted compromises, specifically honing in on energy sector entities and engineers working with ICS/SCADA systems. Dragonfly 2.0 notably leveraged sophisticated spearphishing techniques, including emails disguised as “New Year’s Eve party” invitations, and expanded its use of watering hole attacks. Crucially, this phase demonstrated a potential shift from pure reconnaissance to gaining access to operational systems, raising concerns about the group’s capability for disruptive or destructive actions. Targets during this period included organizations in the US, Turkey, and Switzerland, among others.

Associated Malware & Tools

Dragonfly utilizes a blend of custom-developed malware and commercially available or modified tools. Their custom arsenal includes:

  • Backdoor.Oldrea: Also known as Havex or the Energetic Bear RAT, this is a favored back door providing remote access, data extraction, and the ability to install further malware. It is believed to be custom-written by or for the group.
  • Trojan.Heriplor: This backdoor appears to be exclusively used by Dragonfly, serving as a strong indicator of the group’s continuity and custom development capabilities.

In addition to their custom tools, Dragonfly effectively integrates and modifies widely available malware and legitimate utilities:

  • Trojan.Karagany: While version 1’s source code was leaked in 2010, Dragonfly is thought to have modified and utilized it in their operations.
  • Backdoor.Goodor and Backdoor.Dorshel: These backdoors were observed in Dragonfly 2.0 campaigns, with Dorshel delivered as a trojanized version of standard Windows applications and Goodor providing remote access, often installed via PowerShell.
  • Exploit Kits: The Lightsout and Hello exploit kits were leveraged in early campaigns.
  • Credential Theft Tools: The Phishery toolkit is frequently used for credential harvesting through template injection attacks.
  • Network Reconnaissance and Exploitation Tools: They employ tools like Mimikatz, CrackMapExec, PsExec, Hydra for password cracking, and SecretsDump for dumping password hashes.
  • Evasion Frameworks: The Shellter evasion framework has been used to develop trojanized applications.
  • SYNful Knock: This custom malicious implant, deployed to Cisco devices, has been linked to the FSB Center 16 unit.

Current Status

Dragonfly remains an active and significant threat, continuously evolving its tactics and targeting. Recent advisories underscore its ongoing malicious activity. A joint cybersecurity advisory issued in July 2026 by multiple international intelligence agencies, including the US NSA, CISA, FBI, and others, warned about the continued targeting of poorly configured networking devices worldwide by FSB Center 16, which encompasses Dragonfly. The advisory highlighted the group’s exploitation of legacy unencrypted protocols like SMI and SNMP versions 1 and 2, as well as vulnerabilities such as CVE-2018-0171 in Cisco Smart Install. The FBI, in an August 2025 warning, also detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors and modifying them to enable unauthorized access for reconnaissance, particularly showing interest in industrial control systems protocols and applications. This consistent and current intelligence indicates that Dragonfly is actively engaged in cyber espionage and pre-positioning within critical infrastructure, maintaining its status as a persistent and severe threat.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call