Dragonfly is one of the best-known Russian APT groups. For years it has focused its operations on the energy sector and on industrial control systems (ICS).

In this report, we examine the group’s history, tooling, known operations, and reported links to Russian state structures. Particular attention is given to campaigns targeting U.S. energy companies, including the attack on Wolf Creek Nuclear Operating Corporation.

The Dragonfly case is particularly instructive because it illustrates a pattern commonly associated with state-sponsored APT activity. The objective is usually not immediate disruption but the long-term acquisition and maintenance of access: credential collection, network reconnaissance, and the identification of pathways from corporate IT networks toward critical systems. In Dragonfly's case, this involved years of activity directed at environments associated with ICS and SCADA technologies.

The report also analyzes publicly identified members of the group, attack infrastructure, malware used in operations, and tactics mapped to the MITRE ATT&CK framework.