Based on timestamps showing when the malware was compiled, it appears the attackers worked 9 a.m. to 6 p.m. Monday through Friday shifts in a time zone that places them in Eastern Europe, Symantec said.
Security analysts have said that such regular working patterns often indicate that a country may be sponsoring or sanctioning such attacks.
"Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability," Symantec wrote.
Tampering with software updates is perhaps the most clever of Dragonfly's attacks, but the group also used a variety of other methods to compromise individuals close to the companies they targeted.
Those methods included sending spam emails with malicious PDF attachments and so-called "watering hole" attacks, where spam emails with malicious links aim to lead people to websites that probe computers for software vulnerabilities.
Dragonfly employed two exploit kits, called "Lightsout" and "Hello," which are hacking platforms planted on legitimate websites that try to deliver malware to computers that visit the site, Symantec wrote.
Sign up for CIO Asia eNewsletters.