The perpetrators in the attacks have perfected a two-pronged approach. In some hacks, they send fake resumes or party invitations to engineers and their managers as Microsoft Word files, specially crafted to leak the victim’s Windows credentials to the attacker’s machine. The second, more insidious approach, involves hacking third-party websites frequented by control system engineers, such as industry journals and magazines. By planting a single line on the website’s code, the attackers can target any of the site’s visitors with malware. Called a “watering hole” attack, one security expert says at least 60 engineering-related sites have been used in the energy attacks so far.

The attackers are professional and well-organized, but because they make copious use of open source code and tools available in the computer underground it was difficult to link them strongly to previously known operations. In its new report, Symantec says it finally got the goods on the hackers, in part because they were caught deploying a version of a backdoor program called Heriplor previously used by only one other group, Dragonfly.