"Energetic Bear" has roared its way into the Western oil and gas sector: Over the past year and a half, more than 1,000 companies in 84 countries have been hit by the malware, which was first uncovered in August 2012 and further described in a report released yesterday by Symantec. In the report, Symantec notes the hackers (a group it calls "Dragonfly") have "all the markings of being state-sponsored"; it sees them as likely "based in Eastern Europe," with the Financial Times reporting they have "apparent" ties to Russia and the New York Times more explicitly calling them "Russian hackers." Most of the attacks have been on companies in Spain and the US, followed by France, Italy, and Germany.
The hackers appear to be engaging in industrial espionage, but, as Symantec newly reveals, they can also take over industrial control systems remotely—an ability that makes the Energetic Bear malware similar to the Stuxnet computer worm. The New York Times notes the Dragonfly hackers are said to have become more "aggressive and sophisticated" over the past six months, and Symantec details the new "attack vector" that enables their remote-control capability. The hackers infiltrated three top manufacturers of industrial control systems and inserted their malware into the software updates those companies' clients used; upon download, the clients' systems were infected. While there's no evidence the hackers intend to do physical damage, "the potential for sabotage is there," says a Symantec director.