Mitre
Alias
Energetic Bear, Blue Kraken, G0035, Dragonfly, Dymalloy, Berserk Bear, ATK6, Crouching Yeti, Group 24, Havex, Koala Team, Iron Liberty, Bromine, Castle, ITG15, Allanite, Ghost Blizzard, Electrum, Dragonfly 2.0, TG-4192
Country
Russia
Sponsor
Russian Federation. State-sponsored
Motivation
Sabotage And Destruction
First Seen
2010
Description
Dragonfly is a cyberespionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems.
According to Kaspersky, Crouching Yeti has been operating since at least 2010 and has infected roughly 2,800 targets in 38 countries, and in industries as diverse as education and pharmaceuticals.
A similar group emerged in 2015 and was identified by Symantec as Berserk Bear / Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence to lead to these being tracked as two separate groups.
Targeted Industries
Government, Defense, Construction, IT, Energy, Oil and Gas, Pharmaceutical, Education, Manufacturing, Aviation, Industrial, Private Sector
Targeted Countries
Canada, Italy, Turkey, France, Norway, Poland, Ukraine, Switzerland, Serbia, China, Russia, Germany, Ireland, Greece, Romania, USA, UK, Japan, Belgium, Azerbaijan, Singapore, Spain
Tools
Sysmain
Impacket
PHPMailer
Nmap
dirsearch
Phishery
Havex RAT
Listrix
Living
Sublist3r
subbrute
Commix
CrackMapExec
LightsOut
Goodor
Dorshel
Havex
Industroyer
Hello
PsExec
WPScan
Karagany
Heriplor
SMBTrap
WSO
sqlmap
Inveigh
Hello EK
LightsOut EK
TTP
T1195.002
T1074.001
T1059.006
T1583
T1053
T1036
T1584.004
T1591
T1021
T1016
T1598
T1566.001
T1059.003
T1087.002
T1189
T1110
T1078
T1547
T1069.002
T1053.005
T1070
T1070.001
T1133
T1583.003
T1112
T1110.002
T1003.004
T1505
T1608
T1562.004
T1003.002
T1113
T1564.002
T1210
T1562
T1204
T1033
T1071
T1190
T1114.002
T1136
T1069
T1547.001
T1005
T1114
T1018
T1595
T1136.001
T1135
T1560
T1003.003
T1059
T1598.003
T1187
T1588.002
T1012
T1098
T1195
T1204.002
T1564
T1003
T1221
T1074
T1059.001
T1505.003
T1203
T1083
T1070.004
T1584
T1598.002
T1583.001
T1588
T1105
T1087
T1595.002
T1591.002
T1608.004
T1566
T1021.001
Operations Performed
[2013-02] Spam campaign (The Dragonfly group has used at least three infection tactics against targets in the energy sector. The earliest method was an email spear phishing campaign, which saw selected executives and senior employees in target companies receive emails containing a malicious PDF attachment. Infected emails had one of two subject lines: "The account" or "Settlement of delivery problem".) (https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dragonfly_threat_against_western_energy_suppliers.pdf)
[2013-06] Watering hole attacks using LightsOut (In June 2013, the attackers shifted their focus to watering hole attacks. They compromised a number of energy-related websites and injected an iframe into each of them. This iframe then redirected visitors to another compromised legitimate website hosting the LightsOut exploit kit. This in turn exploited either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim's computer.)
[2013-09] Watering hole attacks using Hello (In September 2013, Dragonfly began using a new version of this exploit kit, known as the Hello exploit kit. The landing page for this kit contains JavaScript which fingerprints the system, identifying installed browser plugins. The victim is then redirected to a URL which in turn determines the best exploit to use based on the information collected.)
[2013] Trojanized software (The most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software packages. Three different ICS equipment providers were targeted and malware was inserted into the software bundles they had made available for download on their websites.)
[2014-02] LightsOut EK targets energy sector (Late last year, the story broke that threat actors were targeting the energy sector with remote access tools and intelligence gathering malware. It would seem that the attackers responsible for this threat are back for more. This particular APT struck late February between 2/24-2/26.) (https://www.zscaler.com/blogs/research/lightsout-ek-targets-energy-sector)
[2015-12] Attack on energy companies in Ukraine (According to a statement posted this week on the official website of the Ukrainian Security Service SBU, Russian special services allegedly planted malware on the networks of several regional power companies. The malicious software is said to have been discovered by employees of the SBU. The SBU said the attackers also flooded the targeted companies' technical support phone lines. The agency removed the malware and launched an investigation. Just before Christmas, power outages were reported in the Ivano-Frankivsk Oblast region of Ukraine. The outages were blamed on outsiders who remotely tampered with automatic control systems. The power company responsible for the region also reported that its call center suffered a technical failure caused by a barrage of calls.) (https://ssu.gov.ua/sbu/control/uk/publish/article?art_id=170951&cat_id=39574)
[2016] This report by Kaspersky Lab ICS CERT presents information on identified servers that have been infected and used by the group. The report also includes the findings of an analysis of several webservers compromised by the Energetic Bear group during 2016 and in early 2017. (https://securelist.com/energetic-bear-crouching-yeti/85345/)
[2016-12] Power outage at Ukrenergo in Ukraine (Preliminary findings indicate that workstations and supervisory control and data acquisition (SCADA) systems, linked to the 330 kilowatt sub-station "North", were influenced by external sources outside normal parameters, Ukrenergo said in comments emailed to Reuters.) (https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA) (https://dragos.com/wp-content/uploads/crashoverride-01.pdf) (https://dragos.com/wp-content/uploads/crashoverride.pdf)
[2017-04] Breach of EirGrid in the UK (The breach of the Vodafone network allowed the hackers to create a type of wiretap known as Generic Routing Encapsulation (GRE) to tunnel into EirGrid's Vodafone router located in Shotton.) (https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html)
[2017-05] Watering hole attack on Turkish critical infrastructure (Through our web crawling network, we were able to determine that a website belonging to a Turkish energy company was being used in a watering hole attack targeting people associated with Turkish critical infrastructure. Compromised via a supply chain attack, the site was injected with SMB credential-harvesting malware.) (https://www.riskiq.com/blog/labs/energetic-bear/)
[2020-03] Breach of San Francisco Airport (https://www.zdnet.com/article/russian-state-hackers-behind-san-francisco-airport-hack/)
[2020-09] The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers. (https://us-cert.cisa.gov/ncas/alerts/aa20-296a)
Counter Operations
[2020-10] Six Russian GRU officers charged in connection with worldwide deployment of destructive malware and other disruptive actions in cyberspace (https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and)
Information
https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat
https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672
https://exchange.xforce.ibmcloud.com/threat-group/388909715625410bd48078d0ddbc29c4