We welcome your feedback about MITRE Engage v0.9 Beta: Email us at engage@mitre.org

Mapping To Dragonfly

Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus to include the energy sector in early 2013. They have also targeted companies related to industrial control systems. A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence to lead to these being tracked as two separate groups. Disclaimer: We present this mapping to stimulate thinking about engagement activities to take advantage of the historically observed behavior of adversary, not to present all possibilities. We invite you to use this as a guide, understanding that adversary behavior is constantly changing and evolving.

Note: All ATT&CK Group sub-activity mappings have been remapped to their parent activity and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0035
Associated Groups:  Dragonfly, TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear
Note:  This page uses Adversary Group data from MITRE ATT&CK.

ATT&CK® Technique Adversary Vulnerability Engagement Activity Engagement Activity Description
Drive-by Compromise When the adversaries maintain drive-by sites, they provide a pathway for beginning engagements. They may be unable to differentiate real from deceptive victims. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Drive-by Compromise When the adversaries maintain drive-by sites, they may reveal information about their targetting capabilities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Drive-by Compromise When the adversaries maintain drive-by sites and collect information about potential victims, they may reveal information about their targetting preferences by selecting or rejecting an arbitrary victim. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Phishing When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated or from where a link is clicked. Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Phishing When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated or from where a link is clicked. Email Manipulation Modify the flow of email in the environment.
Phishing When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Email Manipulation Modify the flow of email in the environment.
Phishing When adversaries interact with the environment or personas, they are vulnerable to collecting, or in someway interact with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Phishing When adversaries interact with engagement environments and personas, their future capability, targetting, and/or infastructure requirements are vulnerable to influence Email Manipulation Modify the flow of email in the environment.
Phishing When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Phishing When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user Personas Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.
Supply Chain Compromise When adversaries manipulate supply chain mechanisms prior to receipt by a final consumer, they forfiet control over when and where the product is connected in the target network Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Supply Chain Compromise When adversaries manipulate supply chain mechanisms prior to receipt by a final consumer, they forfiet control over when and where the product is connected in the target network Isolation Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion an engagement beyond desired limits.