Dragonfly 2.0

Dragonfly is a Russian-speaking Advanced Persistent Threat APT group that has been active since 2011 and have recently been observed targeting companies in the US and Europe.

Threat ID:: CC-1631
Category:
Threat Severity:: Low
Threat Vector:
Published:: 11 September 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Dragonfly is a Russian-speaking Advanced Persistent Threat APT group that has been active since 2011 and have recently been observed targeting companies in the US and Europe.

Threat details

Dragonfly has recently used a variety of different attack vectors including phishing, watering hole attacks and malware. Dragonfly use phishing emails to collect user credentials from a targeted organisation. Phishing emails include an attachment, which once opened, present a legitimate looking dialog box asking the user to log-in. If the user enters their credentials, they are sent to a remote server controlled by the attackers.

Following a successful attack, Dragonfly will use the credentials for their follow-up attack, which relies heavily on users reusing passwords across multiple accounts. Once into the organisations network they will insert a backdoor for remote access by using tools such as PowerShell.

Dragonfly also uses watering hole attacks to take credentials by compromising a website commonly used by staff from a targeted organisation. The compromised website will attempt to download a Flash Player update and if accepted, a backdoor will be installed on the user's device.

Remediation steps

Type	Step
	Never open email attachments or click on links in emails from untrusted sources. Where your role requires you to do so, try to first make contact with the sender to verify that they are who they say they are. Make sure that malware definitions are kept up-to-date. Ensure secure and complex passwords are used and are not reused for other accounts. Make sure a defence-in-depth approach to security is taken to ensure multiple layers of defence. Ensure cyber-awareness training is kept up-to-date.

Type

Step

Never open email attachments or click on links in emails from untrusted sources. Where your role requires you to do so, try to first make contact with the sender to verify that they are who they say they are.
Make sure that malware definitions are kept up-to-date.
Ensure secure and complex passwords are used and are not reused for other accounts.
Make sure a defence-in-depth approach to security is taken to ensure multiple layers of defence.
Ensure cyber-awareness training is kept up-to-date.

Last edited: 17 February 2020 11:30 am