Live Active security incident? Get immediate response
MITRE ATT&CK® Group

G0074: Dragonfly 2.0

Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. [1] [2] There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups. [3][4]

EnterpriseG0074GroupObject v2.1 Modified
Discuss defensive coverage Back to ATT&CK
Historical object

This ATT&CK object is revoked or deprecated in the current MITRE ATT&CK release.

It remains available for historical context and inbound links. Use current ATT&CK relationships and replacement guidance before basing detection or reporting work on this page.

Glexia's Take

Analyst summary pending validation

Glexia publishes ATT&CK takes only after source-hash and schema validation. Until then, use the official MITRE definition below and the defensive relationship context on this page.

Official MITRE ATT&CK definition

Dragonfly 2.0

Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. [1] [2] There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups. [3][4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0035: Dragonfly

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]

Relationship explorer

All related ATT&CK context

revoked by · Group G0035: Dragonfly Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.1
Created
Modified
Raw hash
7d26e6e7255df603...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.1 Current bundle Revoked 7d26e6e7255d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    US-CERT TA18-074A

    US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.

    Open source URL
  2. [2]
    Symantec Dragonfly Sept 2017

    Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.

    Open source URL
  3. [3]
    Fortune Dragonfly 2.0 Sept 2017

    Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.

    Open source URL
  4. [4]
    Dragos DYMALLOY

    Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.

    Open source URL
  5. [5]
    Berserk Bear

    (Citation: Fortune Dragonfly 2.0 Sept 2017)

  6. [6]
    DYMALLOY

    (Citation: Dragos DYMALLOY )

  7. [7]
    Dragonfly 2.0

    (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)

  8. [8]
    IRON LIBERTY

    (Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)

  9. [9]
    Secureworks IRON LIBERTY

    Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020.

    Open source URL
  10. [10]
    Secureworks MCMD July 2019

    Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.

    Open source URL
  11. [11]
    mitre-attack G0074
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use