{"id":83197,"date":"2017-12-17T21:03:12","date_gmt":"2017-12-18T05:03:12","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=83197"},"modified":"2025-06-03T21:20:52","modified_gmt":"2025-06-04T04:20:52","slug":"operation-dragonfly-analysis-suggests-links-to-earlier-attacks","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/","title":{"rendered":"Operation Dragonfly Analysis Suggests Links to Earlier Attacks"},"content":{"rendered":"<p>On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack was effectively Dragonfly 2.0, an update to a campaign that began in 2014.<\/p>\n<p>Moving beyond <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/operation-dragonfly-imperils-industrial-protocol\/\" target=\"_blank\" rel=\"noopener\">our 2014 analysis of Dragonfly,<\/a> our current focus looks at the attack\u2019s indicators to determine whether we can glean any further information regarding the source and possible motivations of those behind the campaign. The campaign targets energy companies around the world by leveraging spear-phishing emails that, once successful, allow the attackers to download Trojan software. The Trojans provide access to the victims\u2019 systems and networks.<\/p>\n<h2><strong>Going Beyond Energy<\/strong><\/h2>\n<p>Although initial reports showed Dragonfly attacks targeting the energy sector, investigations by McAfee Labs and the Advanced Threat Research team uncovered related attacks targeting the pharmaceutical, financial, and accounting industries. Everything about this campaign points to a well-prepared assault that carefully considers each target, and conducts reconnaissance before taking any measures to exploit compromised targets.<\/p>\n<p>We saw the group use several techniques to get a foothold in victims\u2019 networks, including spear phishing, watering holes, and exploits of supply-chain technologies via previous campaigns. By compromising well-established software vulnerabilities and embedding within them \u201cbackdoor\u201d malware, the victims think they are installing software from a trusted vendor, while unaware of the supply-side compromise.<\/p>\n<p>Once the attackers have a foothold, they create or gain user accounts to operate stealthily. Using the remote-desktop protocol to hop among internal or external systems, they connect either to a control server if the risk is minimal or use an internal compromised server to conduct operations.<\/p>\n<p>The last wave of attacks used several backdoors and utilities. In analyzing the samples, we compared these with McAfee\u2019s threat intelligence knowledge base of attack artifacts.<\/p>\n<p>One of the starting points was a Trojan in the 2017 campaign with the following hashes:<\/p>\n<ul>\n<li>MD5: da9d8c78efe0c6c8be70e6b857400fb1<\/li>\n<li>SHA-256: fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9<\/li>\n<\/ul>\n<p>Comparing this code, we discovered another sample from the group that was used in <a href=\"https:\/\/cdn.securelist.com\/files\/2014\/07\/Kaspersky_Lab_crouching_yeti_appendixes_eng_final.pdf\" target=\"_blank\" rel=\"noopener\">a July 2013 attack<\/a>:<\/p>\n<ul>\n<li>MD5: 4bfdda1a5f21d56afdc2060b9ce5a170<\/li>\n<li>SHA-256: 07bd08b07de611b2940e886f453872aa8d9b01f9d3c61d872d6cfe8cde3b50d4<\/li>\n<li>Filename: fl.exe<\/li>\n<\/ul>\n<p>The file was downloaded after a Java exploit executed on the victim\u2019s machine, according to the 2013 attack report. After analyzing the 2013 sample, we noticed that some of the executable\u2019s resources were in Russian.<\/p>\n<p>Comparing the code, we find the 2017 sample has a large percentage of the same code as the backdoor used in the 2013 attacks. Further, some code in the 2017 backdoor is identical to code in the application TeamViewer, a legitimate remote administration tool used by many around the world. By incorporating the code and in-memory execution, the attackers avoid detection and leave no trace on disk.<\/p>\n<p>The correlating hash we discovered that contained the same TeamViewer code was reported by Crysys, a Hungarian security company. In their <a href=\"http:\/\/www.crysys.hu\/teamspy\/teamspy.pdf\" target=\"_blank\" rel=\"noopener\">report on about \u2018\u201cTeamSpy,\u201d<\/a> they mentioned the hash we correlated as well: 708ceccae2c27e32637fd29451aef4a5. This particular sample had the following compile date details: 2011:09:07 \u2013 09:27:58+01:00<\/p>\n<p>The TeamSpy attacks were originally aimed at political and human right activists living in the Commonwealth of Independent States (the former Soviet Union) and eastern European countries. Although the report attributes the attacks to a threat actor or actors and shared tactics and procedures, the motivations behind TeamSpy appear similar to those of the Dragonfly group. With identical code reuse, could the TeamSpy campaign be the work of Dragonfly?<\/p>\n<p>But that\u2019s not all of interest. We also discovered that the 2017 sample contained code blocks associated with another interesting malware family: BlackEnergy. Let\u2019s look at an example of the code similarities we discovered:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-83199 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2.png\" alt=\"\" width=\"1228\" height=\"1198\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2.png 1228w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2-300x293.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2-768x749.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2-1024x999.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2-513x500.png 513w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2-32x32.png 32w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2-50x50.png 50w\" sizes=\"auto, (max-width: 1228px) 100vw, 1228px\" \/><\/p>\n<p><em>A BlackEnergy sample from 2016 (at left) alongside a Dragonfly sample from 2017.<\/em><\/p>\n<p>Self-deleting code is very common in malware, but it is usually implemented by creating a batch file and executing the batch instead of directly calling the delete command, as we see in the preceding examples.<\/p>\n<p>The BlackEnergy sample used in our comparison was captured in the Ukraine on October 31, 2015, and was mentioned <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/updated-blackenergy-trojan-grows-more-powerful\/\" target=\"_blank\" rel=\"noopener\">in our post<\/a> on the evolution of the BlackEnergy Trojan. It is remarkable that this piece of code is almost identical in both samples, and suggests a correlation between the BlackEnergy and Dragonfly campaigns.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-83198 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-1.png\" alt=\"\" width=\"1234\" height=\"740\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-1.png 1234w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-1-300x180.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-1-768x461.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-1-1024x614.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-1-834x500.png 834w\" sizes=\"auto, (max-width: 1234px) 100vw, 1234px\" \/><\/p>\n<h2><strong>Actor Sophistication<\/strong><\/h2>\n<p>Our analysis of this attack tells a story about the actors\u2019 capability and skills. Their attack precision is very good; they know whom and what to attack, using a variety of efforts. Their focus is on Windows systems and they use well-known practices to gather information and credentials. From our research, we have seen the evolution of the code in their backdoors and the reuse of code in their campaigns.<\/p>\n<p>How well do the actors cover their tracks? We conclude they are fairly sophisticated in hiding details of their attacks, and in some cases in leaving details behind to either mislead or make a statement. We rate threat actors by scoring them in different categories; we have \u00a0mentioned a few. The Dragonfly group is in the top echelon of targeting attackers; it is critical that those in the targeted sectors be aware of them.<\/p>\n<p>The Dragonfly group is most likely after intellectual property or insights into the sector they target, with the ability to take offensive disruptive and destructive action, as <a href=\"http:\/\/www.silicon.co.uk\/security\/blackenergy-trojan-ukraine-power-183050?inf_by=5a291109671db830108b4a17\" target=\"_blank\" rel=\"noopener\">was reported<\/a> in the 2015 attack on the Ukrainian power grid by a BlackEnergy malware family.<\/p>\n<p>&nbsp;<\/p>\n<p><em>We would like to thank the team at Intezer for their assistance and support during our research.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack&#8230;<\/p>\n","protected":false},"author":653,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1411,76,180,4185,4140],"coauthors":[3576,1359],"class_list":["post-83197","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-advanced-persistent-threats","tag-cybercrime","tag-malware","tag-phishing","tag-quarterly-threats-report"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Operation Dragonfly Analysis Suggests Links to Earlier Attacks<\/title>\n<meta name=\"description\" content=\"On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Operation Dragonfly Analysis Suggests Links to Earlier Attacks\" \/>\n<meta property=\"og:description\" content=\"On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2017-12-18T05:03:12+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-04T04:20:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1228\" \/>\n\t<meta property=\"og:image:height\" content=\"1198\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Christiaan Beek, Raj Samani\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ChristiaanBeek\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Christiaan Beek, Raj Samani\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/\"},\"author\":{\"name\":\"Christiaan Beek\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/b5594548f9e30297ea54990aff356e79\"},\"headline\":\"Operation Dragonfly Analysis Suggests Links to Earlier Attacks\",\"datePublished\":\"2017-12-18T05:03:12+00:00\",\"dateModified\":\"2025-06-04T04:20:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/\"},\"wordCount\":934,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2.png\",\"keywords\":[\"advanced persistent threats\",\"cybercrime\",\"malware\",\"Phishing\",\"Quarterly Threats Report\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/\",\"name\":\"Operation Dragonfly Analysis Suggests Links to Earlier Attacks\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2.png\",\"datePublished\":\"2017-12-18T05:03:12+00:00\",\"dateModified\":\"2025-06-04T04:20:52+00:00\",\"description\":\"On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Operation Dragonfly Analysis Suggests Links to Earlier Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/b5594548f9e30297ea54990aff356e79\",\"name\":\"Christiaan Beek\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/09179574bcf76b6304ed08e621f59379\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-96x96.png\",\"caption\":\"Christiaan Beek\"},\"description\":\"Christiaan Beek is the Lead Scientist &amp; Sr. Principal Engineer of the Enterprise Office of the CTO. He is leading the strategic threat intelligence research with a focus on inventing new technology, research techniques and models. Visionary and serving leadership is at the core of his day-to-day job, getting the best out of people and collaborate to make the (cyber) world safer and a better place. In previous roles, Beek was Director of Threat Intelligence in McAfee Labs and Director of Incident Response and Forensics at Foundstone, McAfee\u2019s forensic services arm. At Foundstone, he led a team of forensic specialists in Europe, the Middle East, and Africa during major breaches. Beek develops threat intelligence strategy, designs and envision threat intelligence systems and new research techniques. Christiaan speaks regularly at conferences, including BlackHat, RSA, BlueHat and Botconf. Besides contributed to the best-selling security book \\\"Hacking Exposed\\\", he wrote a comic book about Ransomware, is a contributor to the MITRE ATT&amp;CK framework and holds multiple patents.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/christiaanbeek\/\",\"https:\/\/x.com\/ChristiaanBeek\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/christiaan-beek\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Operation Dragonfly Analysis Suggests Links to Earlier Attacks","description":"On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Operation Dragonfly Analysis Suggests Links to Earlier Attacks","og_description":"On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2017-12-18T05:03:12+00:00","article_modified_time":"2025-06-04T04:20:52+00:00","og_image":[{"width":1228,"height":1198,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2.png","type":"image\/png"}],"author":"Christiaan Beek, Raj Samani","twitter_card":"summary_large_image","twitter_creator":"@ChristiaanBeek","twitter_site":"@McAfee","twitter_misc":{"Written by":"Christiaan Beek, Raj Samani","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/"},"author":{"name":"Christiaan Beek","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/b5594548f9e30297ea54990aff356e79"},"headline":"Operation Dragonfly Analysis Suggests Links to Earlier Attacks","datePublished":"2017-12-18T05:03:12+00:00","dateModified":"2025-06-04T04:20:52+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/"},"wordCount":934,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2.png","keywords":["advanced persistent threats","cybercrime","malware","Phishing","Quarterly Threats Report"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/","name":"Operation Dragonfly Analysis Suggests Links to Earlier Attacks","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2.png","datePublished":"2017-12-18T05:03:12+00:00","dateModified":"2025-06-04T04:20:52+00:00","description":"On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/12\/20171213-DragonFly-2.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-dragonfly-analysis-suggests-links-to-earlier-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Operation Dragonfly Analysis Suggests Links to Earlier Attacks"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/b5594548f9e30297ea54990aff356e79","name":"Christiaan Beek","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/09179574bcf76b6304ed08e621f59379","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-96x96.png","caption":"Christiaan Beek"},"description":"Christiaan Beek is the Lead Scientist &amp; Sr. Principal Engineer of the Enterprise Office of the CTO. He is leading the strategic threat intelligence research with a focus on inventing new technology, research techniques and models. Visionary and serving leadership is at the core of his day-to-day job, getting the best out of people and collaborate to make the (cyber) world safer and a better place. In previous roles, Beek was Director of Threat Intelligence in McAfee Labs and Director of Incident Response and Forensics at Foundstone, McAfee\u2019s forensic services arm. At Foundstone, he led a team of forensic specialists in Europe, the Middle East, and Africa during major breaches. Beek develops threat intelligence strategy, designs and envision threat intelligence systems and new research techniques. Christiaan speaks regularly at conferences, including BlackHat, RSA, BlueHat and Botconf. Besides contributed to the best-selling security book \"Hacking Exposed\", he wrote a comic book about Ransomware, is a contributor to the MITRE ATT&amp;CK framework and holds multiple patents.","sameAs":["https:\/\/www.linkedin.com\/in\/christiaanbeek\/","https:\/\/x.com\/ChristiaanBeek"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/christiaan-beek\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/83197","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/653"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=83197"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/83197\/revisions"}],"predecessor-version":[{"id":215030,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/83197\/revisions\/215030"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=83197"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=83197"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=83197"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=83197"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}