The most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software packages. Three different Industrial Control System (ICS) equipment manufacturers were targeted and malware was inserted into the software bundles they had made available for download on their websites. All three companies made equipment that is used in a number of industrial sectors, including energy.
The first identified Trojanized software was a product used to provide VPN access to programmable logic controller (PLC) type devices. The vendor discovered the attack shortly after it was mounted, but there had already been 250 unique downloads of the compromised software.
The second company to be compromised was a European manufacturer of specialist PLC-type devices. In this instance, a software package containing a driver for one of its devices was compromised. Symantec estimates that the Trojanized software was available for download for at least six weeks in June and July 2013.
The third firm attacked was a European company which develops systems to manage wind turbines, bio-gas plants, and other energy infrastructure. Symantec believes that compromised software may have been available for download for approximately ten days in April 2014.