Type: Nation-State
Threat level: Critical
Status: Active
Origin: Russia — FSB Center 16
Last updated: 2026-03-26

Dragonfly / Energetic Bear

Also known as: Berserk Bear, Crouching Yeti, TEMP.Isotope, DYMALLOY, Iron Liberty, Ghost Blizzard, TeamSpy, Koala, G0035

Russia's dedicated critical infrastructure access unit, operating since at least 2010 with a singular focus: gaining and maintaining persistent access to energy grids, utilities, and industrial control systems — not to destroy them, but to understand how they work and be positioned to act. In March 2022 the DOJ unsealed charges against three FSB Center 16 officers (returned by a grand jury on August 26, 2021) for campaigns spanning 2012–2017 that planted Havex malware in ICS software updates reaching 17,000 devices across 135 countries, breached the Wolf Creek Nuclear Operating Corporation's business network, and acquired the operational knowledge of Western power infrastructure that would enable disruption at a future time of Russia's choosing. CISA assesses the actor has a destructive mandate. A separate indictment unsealed the same day charged a fourth defendant, Evgeny Gladkikh, for the Triton/Trisis safety system attack — a related but distinct case not part of the Dragonfly Havex campaign.

Attributed origin: Russia — FSB Center 16 / Military Unit 71330
Active since: At least 2010 (documented ops from 2011–2012)
DOJ indictment: Three FSB officers indicted Aug 2021 — charges unsealed March 24, 2022
Named defendants: Pavel Akulov, Mikhail Gavrilov, Marat Tyukov (FSB)
Reward: $10M — Rewards for Justice (Dept. of State)
CISA assessment: Destructive mandate assessed by CISA
Havex reach: 17,000 unique ICS/SCADA devices, 135 countries
Notable victim: Wolf Creek Nuclear Operating Corp — Burlington, KS
MITRE ATT&CK group: G0035

Overview

Dragonfly is the operational designation for an FSB Center 16 unit — the same directorate responsible for Turla — that is focused exclusively on critical infrastructure rather than traditional espionage. While Turla targets governments and diplomats for intelligence collection, Dragonfly targets power plants, electricity grids, oil and gas pipelines, nuclear facilities, and the industrial control systems that operate them. The distinction matters: Dragonfly's operational goal is not primarily to steal information but to establish and maintain persistent footholds inside critical infrastructure networks — understanding how they are architected, mapped, and controlled — so that Russia holds the capability to disrupt or damage them at a moment of its choosing.

Mandiant's John Hultquist articulated the distinction precisely in 2022: "Notably, we have never seen this actor actually carry out disruptive attacks, just burrow into sensitive critical infrastructure for some future contingency. Our concern with recent events is that this might be the contingency we have been waiting for." CISA's formal advisory used sharper language: it assessed that Dragonfly has a destructive mandate. The DOJ's 2021 indictment (unsealed March 2022) against three FSB Center 16 officers stated explicitly that their access "would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing."

This is the threat model that distinguishes Dragonfly from every other profiled actor in this series. China's APT groups seek information: source code, military specifications, diplomatic cables, intellectual property. Russia's Turla seeks intelligence and influence. Dragonfly seeks something qualitatively different: the keys to Western critical infrastructure — held in reserve, maintained over years, ready to be exercised if the geopolitical situation demands it.

The group has been active across three documented phases: an initial reconnaissance and access phase (2011–2014) using the Havex supply chain attack; a more targeted second phase (Dragonfly 2.0, 2014–2017) focused on specific ICS engineers and facility operational technology; and a broader infrastructure targeting phase (2018–present) encompassing US state and local government networks, aviation infrastructure, and election-adjacent systems. Through each phase, the operational goal has remained consistent: persistent access, operational knowledge, disruption capability held in reserve.

Naming Note

This actor carries more designations than almost any other documented threat group. Symantec named it Dragonfly. CrowdStrike named it Energetic Bear. Secureworks uses Iron Liberty. Dragos uses DYMALLOY. Microsoft uses Ghost Blizzard. The FBI and DOJ indictment used Berserk Bear and Energetic Bear interchangeably. CISA uses Berserk Bear as its primary designation. This profile uses Dragonfly / Energetic Bear as the most widely recognized naming pair, consistent with the hub card. All refer to the same FSB Center 16 operational unit charged in the August 2021 indictment.

The Two-Phase Energy Sector Campaign (2012–2017)

The DOJ indictment against Akulov, Gavrilov, and Tyukov describes the most detailed public record of a sustained nation-state campaign against energy sector ICS infrastructure. The campaign unfolded in two distinct phases, each building on the access and knowledge acquired in the previous phase.

  • Phase 1 — Dragonfly / Havex Supply Chain Attack (2012–2014): Rather than targeting energy companies directly, the conspirators attacked the software vendors that energy companies trusted. They compromised the computer networks of ICS and SCADA system manufacturers and software providers — companies whose products were used in power generation, oil and gas, and nuclear facilities worldwide — and then injected Havex malware into legitimate software update packages. When energy sector organizations downloaded and installed what they believed were routine software updates from trusted vendors, they unknowingly installed Havex on their operational networks. The Havex RAT (also known as Backdoor.Oldrea) created backdoors into infected systems and included a specific OPC scanning module designed to enumerate ICS devices on the victim's network — identifying SCADA controllers, their configurations, and how they were connected. In total, Havex was installed on over 17,000 unique devices across the United States and abroad, including ICS and SCADA controllers used directly in energy production facilities. Dragos estimated the campaign targeted over 2,000 sites. The supply chain approach meant a single compromised software vendor could reach hundreds of downstream energy sector customers simultaneously.
  • Phase 2 — Dragonfly 2.0 Targeted Campaign (2014–2017): Following Phase 1's broad reconnaissance, the conspirators shifted to surgical targeting of specific energy sector entities and the individual engineers who operated ICS and SCADA systems. The transition represented an intelligence exploitation phase: using the network maps, device inventories, and operational understanding acquired via Havex to identify the highest-value targets and the specific humans responsible for controlling them. Tactics expanded to include spear-phishing of more than 3,300 users at over 500 U.S. and international companies, watering-hole attacks on energy-sector websites visited by ICS engineers (capturing their credentials when they browsed to compromised sites), and trojanized software downloads. The phase also targeted U.S. government agencies, including the Nuclear Regulatory Commission. In the documented case of Wolf Creek Nuclear Operating Corporation in Burlington, Kansas, the conspirators successfully compromised the business network — the administrative IT infrastructure, not the air-gapped plant control systems — through spear-phishing. Symantec documented that by 2017, Dragonfly 2.0 had gained operational access to 20 target company networks including control of interfaces for circuit breakers, giving the attackers the theoretical ability to interrupt the flow of electricity.

Target Profile

Dragonfly's targeting has expanded in scope across its documented operational lifetime, moving from a narrow focus on energy ICS to a broader mandate encompassing any networked infrastructure that supports Western government and economic function.

  • Electric Power Generation and Transmission: The primary and original target category. Power plants, electricity transmission companies, grid operators, and utility companies in Western Europe and North America are the core focus. By 2017, Dragonfly had gained access to control interfaces for circuit breakers in at least 20 target company networks — the functional capability to interrupt power delivery. The targeting spans from large utilities to regional power distributors and transmission operators.
  • Nuclear Power Plants: The Wolf Creek Nuclear Operating Corporation breach (business network) is the most prominently documented nuclear sector intrusion. The conspirators also targeted the Nuclear Regulatory Commission — the U.S. agency responsible for licensing and overseeing nuclear facilities — in spear-phishing campaigns. Nuclear facilities are high-priority targets: access to NRC databases and internal communications provides operational knowledge about nuclear plant security procedures and configurations that would inform any physical attack planning.
  • Oil and Gas Companies: Oil and gas firms are explicitly named in both the DOJ indictment and the CISA advisory as Dragonfly targets. Petroleum pipelines, refineries, and extraction operations are targeted for the same reason as electric grids: understanding their ICS architecture provides the capability to cause physical disruption at scale.
  • ICS and SCADA Manufacturers and Software Vendors: Phase 1's supply chain attack specifically targeted the vendors whose products serve the energy sector — a second-order targeting approach that multiplied reach enormously. By compromising a single ICS software vendor, the conspirators reached every customer who subsequently downloaded software updates. This supply chain thinking is Dragonfly's most strategically distinctive contribution to the ICS threat landscape.
  • State, Local, Territorial, and Tribal (SLTT) Government Networks: A significant expansion documented in 2020 CISA/FBI advisories. From at least September 2020, Dragonfly targeted dozens of U.S. SLTT government networks and aviation infrastructure, successfully compromising network infrastructure and exfiltrating data from at least two victim servers. Documents accessed in one SLTT compromise included network configurations, passwords, multi-factor authentication procedures, vendor and purchasing information, and physical access badge printing instructions. The proximity of SLTT network activity to election infrastructure prompted CISA/FBI disclosure, though no evidence of election data compromise was found.
  • Aviation Networks: Included alongside SLTT government networks in the 2020 advisory. Aviation control and communication systems are critical infrastructure with both safety significance and strategic value in contingency planning.
  • Defense and Aerospace Companies: MITRE ATT&CK documents Dragonfly targeting of defense and aviation companies alongside energy sector targets. Defense sector access provides additional operational intelligence relevant to any scenario where energy infrastructure attack would accompany a broader military action.

Tactics, Techniques & Procedures

  • T1195.002 Supply Chain Compromise — Software Updates: The defining technique of Phase 1. Dragonfly compromised ICS/SCADA software vendors and injected the Havex RAT into legitimate software update packages. Energy sector organizations that downloaded and installed routine updates from trusted vendors unknowingly deployed Havex on their operational technology networks. The Havex OPC scanning module then enumerated ICS devices, generating detailed network maps of industrial control infrastructure. Over 17,000 devices were infected across 135 countries through this supply chain vector — the first large-scale supply chain attack specifically targeting industrial control systems documented by Western intelligence.
  • T1566.001 Spear-Phishing — ICS Engineer Targeting: Phase 2 (Dragonfly 2.0) used precisely targeted spear-phishing against the specific individuals responsible for operating ICS/SCADA systems at energy facilities. Emails used energy sector-themed content, including a documented December 2015 campaign disguised as a New Year's Eve party invitation, as well as Phishery toolkit-generated messages designed to steal credentials via template injection. Spear-phishing targeted over 3,300 users at more than 500 organizations, including the Nuclear Regulatory Commission. The focus on ICS engineers specifically — not generic corporate employees — reflects the operational intelligence goal: understanding who controls what, and obtaining their credentials for later use.
  • T1189 Drive-by Compromise — Energy Sector Watering Holes: Dragonfly compromised websites specifically frequented by energy sector professionals and ICS engineers — industry portals, technical forums, and vendor sites relevant to the target population. When engineers browsed to compromised websites, hidden scripts captured Windows NTLM credentials via forced authentication attempts or deployed malware via the Hello exploit kit and other exploit delivery mechanisms. The captured credentials were used to authenticate to the victim organizations' networks using legitimate user accounts. In the 2020 SLTT campaign, the actor specifically configured infrastructure to receive NTLM credentials stolen from government organization employees browsing compromised sites.
  • T1078 Valid Accounts — Credential Harvesting and Reuse: Across all documented Dragonfly phases, credential theft and reuse is a primary technique for establishing and maintaining access. The 2020 SLTT campaign specifically used stolen administrator credentials for initial access and lateral movement. Havex's Karagany companion tool collected passwords and screenshots from infected hosts. The 2020 advisory documented successful Microsoft Office 365 account compromises. Dragonfly's preference for operating through valid credentials significantly complicates detection — intrusion activity appears as legitimate authenticated access rather than exploit traffic.
  • T1190 Exploit Public-Facing Application: The 2020 SLTT campaign exploited publicly known vulnerabilities in internet-facing infrastructure: CVE-2020-0688 (Microsoft Exchange Server remote code execution), CVE-2019-19781 (Citrix ADC and Gateway directory traversal), CVE-2018-13379 (Fortinet SSL VPN path traversal — credential file exposure), CVE-2019-10149 (Exim mail transfer agent RCE), and CVE-2020-1472 (Zerologon — Windows Server privilege escalation). The exploitation of Zerologon was specifically used for lateral movement to gain domain controller privileges and extract Active Directory credentials after initial access was achieved. None of these were zero-days — all were publicly disclosed and patched before Dragonfly exploited them, targeting organizations that had not applied available patches.
  • T0840 Network Connection Enumeration — OPC Scanning (ICS): Havex's most operationally significant module: an OPC (Open Platform Communications) scanner that enumerates ICS devices on victim networks. OPC is the standard communication protocol used between ICS applications and industrial hardware devices — PLCs, RTUs, sensors, and actuators. The OPC scanner traverses the network identifying all connected ICS devices, their configurations, and their connectivity — creating a complete map of the industrial control environment. This device inventory data was exfiltrated back to FSB infrastructure, providing Russian intelligence with detailed knowledge of exactly what hardware controls Western energy infrastructure and how it is connected. This information would be directly usable in planning targeted disruption operations.
  • T1021.002 Remote Services — SMB/Windows Admin Shares: Dragonfly 2.0 communicated with C2 infrastructure over TCP ports 445 and 139 (SMB) and UDP 137/138 — blending C2 traffic with legitimate Windows file sharing and network communications that most enterprise firewalls permit internally. Accessed workstations and servers within corporate networks contained data from power generation control system environments, including vendor names, ICS reference documents, wiring diagrams, and panel layouts — all exfiltrated via SMB channels.
  • T1003 Credential Dumping — Active Directory: In the 2020 SLTT campaign, after exploiting CVE-2020-1472 (Zerologon) to gain domain controller access, Dragonfly dumped Windows Active Directory credentials — obtaining usernames and password hashes for all domain accounts. This provides comprehensive credential material for lateral movement across the entire domain and, for organizations without strong AD segmentation, across the enterprise. Extracted credentials were used to access and exfiltrate sensitive network configuration documents, MFA procedures, and physical security information from SLTT government networks.

Known Campaigns

Dragonfly / Havex — ICS Supply Chain Attack 2012 – 2014

The first documented large-scale supply chain attack specifically targeting industrial control systems for energy infrastructure. Dragonfly compromised the software update systems of ICS and SCADA manufacturers — companies that built and maintained the hardware and software controlling power plants, oil facilities, and utilities — and injected the Havex RAT into legitimate software update packages distributed to those companies' customers. The Havex RAT included both a standard backdoor capability and a dedicated OPC scanning module that mapped industrial control device inventories on victim networks. Symantec's June 2014 disclosure and ICS-CERT's contemporaneous advisories provided the first public documentation of the campaign. By the time of public disclosure, Havex had been installed on over 17,000 devices worldwide. The DOJ indictment confirmed this was a deliberate Phase 1 reconnaissance operation to understand the architecture of Western energy ICS infrastructure and identify the most valuable targets for Phase 2.

Dragonfly 2.0 — Targeted Energy Sector Intrusions Late 2015 – 2017

Following Symantec's 2014 public disclosure of Dragonfly / Havex, the group went quiet and then re-emerged in late 2015 with a sharper, more targeted campaign. Symantec re-documented the group's activity in October 2017 under the Dragonfly 2.0 designation. The second phase used intelligence from Phase 1 to focus on specific energy companies and the engineers who operated their ICS systems. Documented initial access techniques included spear-phishing emails with energy sector content (including a New Year's Eve party invitation lure), watering-hole attacks on industry websites with Phishery toolkit credential capture, and trojanized software installers disguised as Flash updates that delivered the Karagany.B backdoor. Symantec documented successful compromise of at least 20 target company networks, including access to circuit breaker control interfaces. The Wolf Creek Nuclear Operating Corporation's business network was compromised via spear-phishing. ICS reference documents, wiring diagrams, panel layouts, and vendor information were systematically collected from corporate networks adjacent to plant control systems. Robert M. Lee of Dragos described the campaign as preparation for a potential attack.

US Nuclear Regulatory Commission — Spear-Phishing Campaign 2014 – 2017

The DOJ indictment specifically named the U.S. Nuclear Regulatory Commission as a target of Dragonfly 2.0 spear-phishing attacks — the federal agency responsible for licensing and overseeing all U.S. commercial nuclear facilities. Compromising NRC employee accounts would provide access to facility license documentation, security inspection records, emergency response procedures, and internal communications about nuclear plant vulnerabilities and configurations. This targeting is particularly significant: the NRC's database contains detailed technical and security information about every commercial nuclear reactor in the United States that would be of direct operational value in planning any action against nuclear infrastructure.

SLTT Government and Aviation Networks — Pre-Election Targeting February – October 2020

From at least February 2020, Dragonfly (operating as Berserk Bear in this period) targeted dozens of U.S. state, local, territorial, and tribal government networks alongside aviation networks. The CISA/FBI joint advisory published October 22, 2020 documented that the group had successfully compromised network infrastructure and exfiltrated data from at least two victim servers as of October 1, 2020. In at least one compromised SLTT network, accessed documents included network configuration data and passwords, MFA procedures, vendor and purchasing information, physical badge printing procedures, and IT security instructions. The campaign exploited a chain of publicly known, unpatched vulnerabilities: CVE-2018-13379 (Fortinet VPN), CVE-2019-10149 (Exim), CVE-2020-0688 (Exchange), CVE-2019-19781 (Citrix), and CVE-2020-1472 (Zerologon for AD credential dumping). The CISA/FBI advisory noted that while the group had not disrupted any elections, education, aviation, or government operations, it "may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities."

Static Tundra — Network Device Compromise Campaign 2021 – Present (disclosed August 2025)

On August 20, 2025, the FBI and Cisco Talos jointly disclosed an ongoing FSB Center 16 campaign operating under the sub-cluster designation Static Tundra. Cisco Talos assessed with high confidence that Static Tundra is a sub-cluster of Energetic Bear / Berserk Bear, corroborated by the FBI, based on overlapping TTPs and victimology. The campaign, active since at least 2021, specifically targets unpatched and end-of-life Cisco networking devices vulnerable to CVE-2018-0171 — a critical flaw in Cisco's Smart Install (SMI) feature, first patched in 2018, that allows unauthenticated remote code execution. The FBI reported that it had observed Static Tundra collecting configuration files from thousands of networking devices associated with U.S. entities across critical infrastructure sectors. Cisco Talos identified the group's two primary objectives: (1) harvesting device configuration data — exposing credentials and SNMP community strings for use in future operations; and (2) establishing long-term persistent access to network environments. Primary targets include telecommunications, higher education, and manufacturing organizations across North America, Asia, Africa, and Europe, with intensified focus on Ukraine and allied nations following Russia's 2022 invasion. The group uses publicly available scan tools such as Shodan and Censys to identify vulnerable devices, exploits CVE-2018-0171 via custom automation to extract startup configurations, then deploys the SYNful Knock firmware-level implant for persistence that survives device reboots. Static Tundra disables TACACS+ logging and modifies ACLs to hide its presence. This campaign demonstrates that Dragonfly's Center 16 unit has expanded its mandate from energy-specific ICS reconnaissance to broad network device compromise across critical infrastructure sectors globally.

DOJ Indictment — The Named Officers

On August 26, 2021, a federal grand jury in Kansas City, Kansas (District of Kansas) returned an indictment against three FSB Center 16 officers for their roles in the 2012–2017 energy sector campaigns. The indictment was unsealed on March 24, 2022, alongside a companion advisory from CISA, FBI, and the Department of Energy. The Department of State simultaneously announced a $10 million Rewards for Justice reward — the first time RFJ had named foreign government security personnel under its critical infrastructure reward offer. On the same day, a separate indictment against Evgeny Gladkikh was unsealed for the Triton/Trisis safety system attack on a Middle Eastern petrochemical facility; Gladkikh's charges are distinct from the Dragonfly campaign covered here.

  • Pavel Aleksandrovich Akulov, 36: FSB officer, Center 16. Charged with conspiracy to cause damage to the property of an energy facility, conspiracy to commit wire fraud, wire fraud, and computer fraud related to unlawfully obtaining information from computers and causing damage to computers. Named as a central operator in both Phase 1 (Havex supply chain) and Phase 2 (Dragonfly 2.0) campaigns.
  • Mikhail Mikhailovich Gavrilov, 42: FSB officer, Center 16. Charged with the same counts as Akulov. Named as a co-conspirator across the energy sector campaign phases.
  • Marat Valeryevich Tyukov, 39: FSB officer, Center 16. Charged with conspiracy to cause damage to the property of an energy facility and conspiracy to commit computer fraud. Named alongside Akulov and Gavrilov in the coordinated campaign against energy sector ICS.
  • Charges Summary: All three defendants face conspiracy to cause damage to the property of an energy facility and commit computer fraud and abuse (maximum five years) and conspiracy to commit wire fraud (maximum twenty years). Akulov and Gavrilov also face substantive wire fraud and computer fraud counts carrying five to twenty years, plus three counts each of aggravated identity theft — which carry a mandatory minimum of two years consecutive to any other sentence imposed. All three defendants are Russian nationals residing in Russia. Russia and the United States do not have an extradition treaty, and all three are treated as fugitives unable to travel to allied countries without risk of arrest.

Tools & Malware

  • Havex RAT (Backdoor.Oldrea): Dragonfly's signature ICS-targeting implant, active from 2012 through the Phase 1 campaign. Havex is one of only five known malware families specifically tailored for industrial control systems — alongside Stuxnet, BlackEnergy, Industroyer/CRASHOVERRIDE, and Triton/TRISIS. Its standard backdoor functionality provides remote access, file upload/download, and command execution. Its distinctive capability is an OPC scanning module that enumerates ICS/SCADA devices on connected networks, collecting device identifiers, configurations, and connectivity maps. Havex often delivered a companion payload, Karagany, which added credential theft, screenshot capture, and file staging for exfiltration.
  • Karagany (Trojan.Karagany): An information-gathering companion to Havex. Collects passwords, takes screenshots, lists documents on the infected system, and communicates with Dragonfly C2 servers. Karagany.B, a second-generation variant used in Dragonfly 2.0, added additional data collection capability and was deployed via trojanized Flash update installers.
  • MCMD (McAfee-themed C2 tool): A custom Dragonfly tool documented by Secureworks as part of the Iron Liberty activity cluster. Uses legitimate-appearing naming and traffic patterns to blend C2 communications.
  • Backdoor.Goodor: A backdoor used in Dragonfly 2.0 watering-hole campaigns, delivered via PowerShell after victim credential capture through compromised energy sector websites.
  • Phishery Toolkit: An open-source Office document credential-harvesting framework used in Dragonfly 2.0 to conduct template injection attacks that captured victims' Windows credentials when they opened spear-phishing documents connected to attacker-controlled servers.
  • VPNFilter / Legitimate Network Management Tools: Dragonfly's 2020 SLTT campaign used publicly available exploitation code against known CVEs in commercial networking gear. No novel custom tools were required for initial access — the group exploited unpatched, publicly documented vulnerabilities in Fortinet, Citrix, Exchange, and Exim servers using available public exploit code.
  • SYNful Knock: A firmware-level implant for Cisco routers, first publicly documented by FireEye/Mandiant in 2015 and associated with FSB Center 16 activity. SYNful Knock survives device reboots and allows remote access via specially crafted network packets, making it significantly harder to detect and remediate than software-based implants. It operates at the router firmware level, meaning standard OS reinstallation does not remove it. Cisco Talos' August 2025 Static Tundra report assesses with moderate confidence that Static Tundra uses SYNful Knock as part of its persistent network device compromise operations, consistent with decade-long Center 16 tradecraft.
  • Hello Exploit Kit / LightsOut Exploit Kit: Exploit delivery frameworks used in early watering-hole campaigns to exploit Java and browser vulnerabilities, delivering either Havex or Karagany to visitors of compromised energy-sector websites.

Indicators of Compromise

IOCs from the joint CISA/FBI/DOE advisory (March 2022), CISA advisory AA20-296A (October 2020), and vendor research from Symantec, Dragos, and Secureworks. ICS-specific IOCs should be validated in coordination with OT security expertise — Dragos CEO Robert Lee cautioned that some of CISA's mitigation advice for ICS environments requires careful OT context before application.

OT Environment Warning

Standard IT incident response procedures can be harmful when applied to operational technology (OT) environments. Before applying CISA mitigation recommendations to ICS/SCADA systems, consult with OT security specialists. Isolating or rebooting ICS components without proper planning can cause operational disruptions equivalent to or worse than the intrusion being remediated. The IT-OT security gap is itself a target: Dragonfly specifically harvests ICS documentation from corporate IT networks adjacent to plant control systems.

behavioral and technical indicators
malware Havex / Backdoor.Oldrea — RAT with OPC scanning module; OPC device enumeration from non-historian processes is anomalous and warrants investigation in any ICS environment
behavior OPC/DCOM enumeration activity from IT network hosts scanning toward ICS/SCADA segments — Havex OPC scanner traversal; baseline OPC communication patterns and alert on unexpected sources
network Outbound SMB (TCP 445/139, UDP 137/138) from corporate workstations to non-standard destinations — Dragonfly 2.0 C2 communication channel; block external SMB at network boundary
cve chain CVE-2018-13379 (Fortinet VPN) + CVE-2020-1472 (Zerologon) combination — documented 2020 SLTT campaign lateral movement chain from VPN initial access to AD credential dump
ip (2020) 51.159.28[.]101 — configured to receive stolen NTLM credentials in 2020 SLTT campaign; monitor for SMB/WebDAV connections to this IP from internal hosts
ip (2020) 213.74.101[.]65, 213.74.139[.]196, 212.252.30[.]170 — Turkish IPs used by actor to connect to victim web servers and brute-force web application logins in 2020 campaign
tool Phishery toolkit presence — Office document template injection credential harvesting framework; presence in email gateway logs or endpoint file system indicates targeted credential collection operation
behavior ICS reference document access from IT-side corporate accounts — Dragonfly collects wiring diagrams, panel layouts, and vendor documents from corporate file servers; DLP alerts on access to ICS documentation by non-engineering accounts
cve (2025) CVE-2018-0171 — Cisco IOS / IOS XE Smart Install unauthenticated RCE; unpatched or end-of-life Cisco devices with Smart Install enabled are active Static Tundra targets; disable Smart Install immediately (show vstack config to verify) and apply patch where supported
behavior (2025) Unexplained gaps or decrease in TACACS+ logging on network devices — Static Tundra modifies TACACS+ configuration to disable logging as a defense evasion technique; gaps in AAA logs on routers and switches warrant immediate investigation
network (2025) Unexpected SNMP write activity or spoofed SNMP source addresses on networking devices — Static Tundra uses compromised or default SNMP community strings ("public", "anonymous") with read-write permissions to push configuration changes and exfiltrate device configs via TFTP/FTP
network (2025) Unauthorized GRE tunnel creation on networking devices — Static Tundra establishes Generic Routing Encapsulation tunnels to mirror and redirect traffic to attacker-controlled infrastructure; unexplained GRE tunnel configuration on perimeter or core routing devices is a high-fidelity indicator
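The OPC and SMB indicators above can be turned into simple flow-level detection logic. The following is an added example written for this profile, not tooling from any cited advisory or vendor: it flags OPC/DCOM endpoint-mapper traffic into an ICS segment from hosts that are not the authorized historian/SCADA servers, counts how many distinct ICS hosts each unauthorized source touched (one host is a misconfiguration, many is enumeration), and flags SMB leaving the organization, with the 2020 credential-collection address from the indicator list called out explicitly. The subnet layout, the authorized-source allowlist and the flow records are constructed assumptions; the only indicator taken from the profile is 51.159.28.101.

```python
"""Flow-record detection for Havex-style OPC enumeration and SMB/WebDAV egress.

Added example for this profile; not from any cited source. The network layout,
the allowlist and the sample flows are constructed. The only value taken from
the profile is the 2020 credential-collection address 51.159.28.101.
"""
import ipaddress
from collections import defaultdict

# Constructed layout (assumptions): ICS segment and the only hosts allowed to speak OPC.
ICS_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
AUTHORIZED_OPC_SOURCES = {"10.50.1.10", "10.50.1.11"}   # historian + SCADA servers
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Indicator from the profile: receiver of stolen NTLM credentials in the 2020 SLTT campaign.
KNOWN_CREDENTIAL_SINK = "51.159.28.101"

OPC_DCOM_PORTS = {135}                                       # DCOM endpoint mapper (classic OPC DA)
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}
WEBDAV_PORTS = {("tcp", 80), ("tcp", 443)}                    # WebDAV rides on HTTP(S)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_flow(line):
    """Parse constructed 'src dst proto dport' flow lines."""
    src, dst, proto, dport = line.split()
    return {"src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport)}


def classify(flow):
    """Return an alert string for a suspicious flow, or None."""
    src, dst, proto, dport = flow["src"], flow["dst"], flow["proto"], flow["dport"]
    # Any SMB or WebDAV session to the documented credential sink is critical on its own.
    if dst == KNOWN_CREDENTIAL_SINK and ((proto, dport) in SMB_PORTS or (proto, dport) in WEBDAV_PORTS):
        return f"CRITICAL known credential sink {dst} contacted by {src} ({proto}/{dport})"
    # OPC/DCOM toward the ICS segment from a host that is not an authorized historian/SCADA server.
    if (ipaddress.ip_address(dst) in ICS_SEGMENT and proto == "tcp"
            and dport in OPC_DCOM_PORTS and src not in AUTHORIZED_OPC_SOURCES):
        return f"HIGH OPC/DCOM enumeration from unauthorized source {src} -> {dst}"
    # SMB leaving the organization: the Dragonfly 2.0 C2 channel and NTLM-harvesting path.
    if (proto, dport) in SMB_PORTS and is_internal(src) and not is_internal(dst):
        return f"HIGH outbound SMB {proto}/{dport} from {src} to external {dst}"
    return None


def scan(lines):
    """Classify every non-empty flow line; keep only the alerts."""
    return [a for a in (classify(parse_flow(l)) for l in lines if l.strip()) if a]


def enumeration_summary(lines):
    """Distinct ICS hosts probed over OPC/DCOM per unauthorized source."""
    targets = defaultdict(set)
    for f in (parse_flow(l) for l in lines if l.strip()):
        if (ipaddress.ip_address(f["dst"]) in ICS_SEGMENT and f["proto"] == "tcp"
                and f["dport"] in OPC_DCOM_PORTS and f["src"] not in AUTHORIZED_OPC_SOURCES):
            targets[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in targets.items()}


# Constructed sample flows: one authorized OPC session, one IT workstation sweeping
# two ICS hosts, one workstation reaching the known sink and an external SMB server.
SAMPLE_FLOWS = """\
10.50.1.10 10.50.20.5 tcp 135
10.10.3.44 10.50.20.5 tcp 135
10.10.3.44 10.50.20.6 tcp 135
10.10.7.12 51.159.28.101 tcp 445
10.10.7.12 203.0.113.9 tcp 445
10.10.7.12 203.0.113.9 tcp 443
10.10.7.13 10.10.0.5 tcp 445
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
    print(enumeration_summary(SAMPLE_FLOWS))
```

On real data the allowlist and ICS segment come from the asset inventory, and the SMB egress rule should be applied to firewall or NetFlow exports at the perimeter rather than to host logs, since a blocked outbound 445 still shows who tried.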

Mitigation & Defense

Dragonfly is active and assessed as having a destructive mandate. The group's documented shift from pure ICS reconnaissance to broader government network access suggests an expanding operational mandate alongside continued energy sector presence. Organizations in energy, utility, nuclear, aviation, and state/local government sectors face a persistent, patient adversary that has demonstrated willingness to maintain footholds for years before any overt action.

  • Patch Known-Exploited Vulnerabilities Immediately: Every documented Dragonfly intrusion in the 2020 SLTT campaign relied on publicly known, patched vulnerabilities — CVE-2018-13379 (Fortinet SSL VPN), CVE-2019-10149 (Exim), CVE-2020-0688 (Exchange), CVE-2019-19781 (Citrix), CVE-2020-1472 (Zerologon). None were zero-days. Dragonfly specifically targets organizations that have not applied available patches. Enroll all internet-facing systems in a structured vulnerability management program with priority on CISA Known Exploited Vulnerability (KEV) catalog entries. The 2020 SLTT campaign would have been stopped by timely application of patches that had been available for months or years.
  • IT/OT Network Segmentation: Dragonfly's strategy of accessing ICS documentation and device configurations from corporate IT networks exploits the common absence of hard network segmentation between IT and OT environments. Implement strict network segmentation between corporate IT and operational technology networks — not logical separation but physical separation with tightly controlled jump servers for any necessary cross-network access. OPC communications should only originate from authorized historian and SCADA servers, not from general IT workstations. Any traffic that crosses the IT/OT boundary should be logged, inspected, and treated as high-priority security telemetry.
  • Software Supply Chain Integrity: Havex was delivered through trojaned software updates from trusted vendors. Verify the cryptographic integrity of all ICS/SCADA software updates before installation — download directly from vendor sites, verify digital signatures, and compare hashes against vendor-published checksums. For critical ICS updates, obtain installation media on isolated portable media rather than downloading directly to connected systems. Consider a test environment where ICS software updates are installed and run in network-monitored isolation before deployment to production systems. Establish out-of-band communication channels with key ICS vendors to receive direct notification of any supply chain security incidents.
  • Disable or Restrict NTLM Authentication: Dragonfly's 2020 campaign specifically configured infrastructure to harvest Windows NTLM credentials from employees browsing to compromised websites. Disable NTLMv1 entirely and restrict NTLMv2 to prevent outbound NTLM authentication to external servers. Block outbound SMB (TCP 445/139, UDP 137/138) at network perimeters. Configure Windows to require mutual authentication (Kerberos) for domain resources. Monitor for outbound SMB and WebDAV connections leaving the network as potential credential-theft exfiltration channels.
  • ICS Documentation Access Controls: Dragonfly collects wiring diagrams, panel layouts, vendor documentation, and ICS configuration files from corporate IT file servers. Implement data loss prevention controls on sensitive ICS documentation — restrict access to engineering accounts with documented operational need, enable access logging for all ICS document repositories, and alert on access to ICS-related files by accounts outside the engineering team. Consider storing the most sensitive ICS operational documentation on systems that are completely air-gapped from the corporate IT network.
  • Network Device Lifecycle and Legacy Protocol Hardening: The August 2025 FBI / Cisco Talos disclosure confirmed that FSB Center 16 has been compromising end-of-life and unpatched Cisco networking devices via CVE-2018-0171 (Cisco Smart Install, patched 2018) since at least 2021. Organizations that have not applied this patch — or that run end-of-life devices that will never receive it — are providing persistent access to the same unit responsible for the Havex supply chain campaign. Disable Smart Install on all Cisco IOS and IOS XE devices immediately (verify with show vstack config). Restrict SNMP: disable SNMPv1 and SNMPv2c entirely where possible, migrate to SNMPv3 with authentication and encryption, change all default community strings, and restrict SNMP access to management subnets only. Enforce device lifecycle policies — end-of-life networking equipment with no available security patches should be treated as a critical vulnerability exposure requiring replacement, not just monitoring. The FBI reported collecting configuration files from thousands of U.S. infrastructure devices in this campaign: the entry vector is consistently one unpatched, decade-old flaw on forgotten hardware.
  • Multi-Factor Authentication on Remote Access: Dragonfly's credential harvesting techniques — watering holes capturing NTLM credentials, Phishery template injection, spear-phishing — are designed to obtain username/password pairs for VPN and remote access systems. Implement phishing-resistant MFA (FIDO2 hardware keys) on all VPN, remote desktop, and cloud application access for any organization in the energy, nuclear, utility, or government sectors. Standard TOTP-based MFA provides some protection; FIDO2 hardware keys bind the authentication to the site's origin and so defeat the real-time phishing and relay attacks to which one-time codes remain exposed.
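The network-device hardening item above, and the Static Tundra indicators in the detection list (Smart Install, SNMP write access, TACACS+ logging gaps, GRE tunnels), can be checked mechanically against a device's running-config. The following audit script is an added example written for this profile, not code from Cisco, Cisco Talos or the FBI: it parses a Cisco IOS-style configuration and reports Smart Install not explicitly disabled, SNMPv1/v2c communities that use default names, grant read-write access, or lack a source access-list, GRE tunnel interfaces, and the absence of AAA accounting. Both configurations are constructed samples: the weak one beside a hardened counterpart that the audit passes.

```python
"""Audit a Cisco IOS / IOS XE running-config for the hardening points above.

Added example for this profile; not vendor or government tooling. Both configs
below are constructed. The checks encode the mitigation list: explicit
'no vstack', no default or read-write SNMP communities, SNMP restricted by ACL,
no unexplained GRE tunnels, AAA accounting present so TACACS+ logs exist.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private", "anonymous"}

# Constructed weak configuration: every check below should fire on it.
WEAK_CONFIG = """\
hostname edge-rtr-01
!
vstack
!
snmp-server community public RW
snmp-server community n3tm0n RO 10
!
aaa new-model
!
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
!
end
"""

# Constructed hardened counterpart. SNMPv3 ('snmp-server group ... v3 priv') is the
# preferred end state; an ACL-bound read-only v2c community is kept here as the minimum.
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no vstack
!
snmp-server community n3tm0n RO 10
!
aaa new-model
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
!
end
"""


def parse_interfaces(config):
    """Group interface stanzas: interface name -> list of indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = config.splitlines()

    # Smart Install: the mitigation asks for an explicit 'no vstack' in the config.
    if "no vstack" not in lines:
        findings.append("smart-install: 'no vstack' absent; Smart Install (CVE-2018-0171 surface) may be enabled")

    # SNMPv1/v2c communities: default names, read-write mode, missing source ACL.
    for m in re.finditer(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?", config, re.M):
        name, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmp: default community string '{name}' configured")
        if mode == "RW":
            findings.append(f"snmp: community '{name}' grants read-write; config push and exfil possible")
        if acl is None:
            findings.append(f"snmp: community '{name}' has no access-list restricting sources")

    # GRE tunnels: an unexplained tunnel on a perimeter or core device is a high-fidelity indicator.
    for name, cmds in parse_interfaces(config).items():
        if name.lower().startswith("tunnel"):
            dest = next((c.split()[-1] for c in cmds if c.startswith("tunnel destination")), "?")
            mode = next((c for c in cmds if c.startswith("tunnel mode")), "tunnel mode gre ip (default)")
            if "gre" in mode:
                findings.append(f"gre: {name} -> {dest} ({mode}); verify this tunnel is authorized")

    # AAA accounting: with none configured, the TACACS+ log gap indicator can never fire.
    if not any(l.startswith("aaa accounting") for l in lines):
        findings.append("aaa: no 'aaa accounting' statements; exec/command logging to TACACS+ not configured")

    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run it against exported running-configs rather than live devices; pair the GRE check with a change-control record so that tunnels an engineer legitimately built are not raised on every pass, while any tunnel with no record becomes an incident.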
analyst note

Dragonfly's most important analytical characteristic is what it has not done. In over a decade of documented activity, this group has not caused a power outage, blown up a refinery, or triggered a nuclear incident — despite documented access to circuit breaker interfaces and ICS control systems. This restraint is not incompetence. It is strategic positioning. Russia maintains the Dragonfly foothold as a geopolitical lever — a capability held in reserve that can be exercised if Western governments push too hard on sanctions, weapons transfers to Ukraine, or other pressure points. The implicit message is not "we will attack your grid" but "we could." As John Hultquist noted in early 2022 as Russia prepared its invasion of Ukraine, the concern was specifically that the contingency Dragonfly had been building toward for a decade might be the moment they had been waiting for. The energy sector indictment's DOJ framing — that the access "would have provided the Russian government the ability to disrupt and damage such computer systems at a future time of its choosing" — is the clearest public statement of what Dragonfly represents: a loaded weapon held by a government that has shown it is willing to use offensive cyber capabilities when it judges the moment right.

Sources & Further Reading

Primary government advisories, court documents, and vendor research used to build this profile. All claims in this profile trace to at least one source listed here.

— end of profile