Researchers have uncovered a malware campaign that gave attackers the ability to sabotage the operations of energy grid owners, electricity generation firms, petroleum pipelines, and industrial equipment providers.

Called Dragonfly, the hacking group managed to install one of two remote access trojans (RATs) on computers belonging to energy companies located in the US and at least six European countries, according to a research report published Monday by Symantec. One of the RATs, called Havex, was spread by hacking the websites of companies selling software used in industrial control systems (ICS) and waiting for companies in the energy and manufacturing industries to install booby-trapped versions of the legitimate apps.

"This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems," the Symantec report stated. "While Stuxnet was narrowly targeted at the Iranian nuclear program and had sabotage as its primary goal, Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required."

Dubbed Energetic Bear by other researchers, Dragonfly has been in operation since at least 2011. It initially targeted US and Canadian companies in the defense and aviation industries before shifting its focus to energy concerns. The group bears the hallmarks of a state-sponsored operation, mainly in its organization and high degree of technical sophistication. Its primary motive appears to be espionage, although additional capabilities suggest that sabotage is also of interest. Fingerprints left inside the malware show the attackers mostly worked Monday through Friday during a nine-hour period that corresponded to 9am to 6pm in Eastern Europe, leading Symantec researchers to theorize that this was the region where most Dragonfly members worked.

The Havex RAT gathers information about the infected computers and the networks they are connected to and sends it to servers under the control of the attackers. Among other things, it extracts data from a victim's Outlook address book and virtual private networking (VPN) programs. A program that appears to have been developed in-house, Havex is also known as Backdoor.Oldrea and the Energetic Bear RAT. Dragonfly members also infected some computers with Trojan.Karagany, a RAT available in underground markets that has most likely been modified. It's capable of collecting passwords, taking screenshots, and cataloging documents stored on infected computers.

Dragonfly operators hacked websites of at least three different companies providing ICS software. The first offered a product that provides VPN access to programmable logic controllers (PLCs). The unnamed provider discovered the attack shortly after it was mounted, but by then there had already been 250 downloads of the trojanized software. The second provider was a European manufacturer of specialist PLC devices. Symantec estimated that a compromised package containing a computer driver was available for download for at least six weeks last June and July. The last firm was also based in Europe and develops systems to manage wind turbines, biogas plants, and other energy infrastructure. The compromised software was available for about 10 days in April, Symantec said.
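The trojanized downloads described above succeed only if the receiving organization installs whatever the vendor site serves. The usual control is to pin the digests the vendor publishes through a second channel (signed release notes, a support portal, a phone call) and refuse any package that does not match. The script below is an added example written for this article, not code from Symantec or from any of the affected vendors; the manifest, file names and file contents are constructed placeholders, and the "vendor publishes SHA-256 digests out of band" workflow is an assumption about how a site would obtain trustworthy reference values.

```python
"""Integrity check for vendor installers against a pinned manifest (added example).

Assumed workflow (not from the article): the vendor publishes SHA-256 digests
out of band, the site operator pins them in a manifest, and every package
pulled from the vendor's download page is checked before it is installed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large driver packages are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_downloads(manifest: dict, directory: Path) -> dict:
    """Classify every regular file in `directory` against `manifest` ({filename: sha256 hex}).

    ok        - digest matches the pinned value; safe to stage for installation
    tampered  - file is listed but its digest differs; hold it and escalate
    unlisted  - file is not in the manifest; never install, treat as suspect
    missing   - manifest entry with no corresponding file in the directory
    """
    report = {"ok": [], "tampered": [], "unlisted": [], "missing": []}
    seen = set()
    for path in sorted(p for p in directory.iterdir() if p.is_file()):
        seen.add(path.name)
        expected = manifest.get(path.name)
        if expected is None:
            report["unlisted"].append(path.name)
        elif sha256_of_file(path) == expected.lower():
            report["ok"].append(path.name)
        else:
            report["tampered"].append(path.name)
    report["missing"] = sorted(name for name in manifest if name not in seen)
    return report


def build_demo() -> dict:
    """Constructed sample: one clean package, one altered package, one stray file."""
    tmp = Path(tempfile.mkdtemp(prefix="ics-downloads-"))
    clean = b"PLC-VPN-Client-Setup v1.0 (constructed placeholder bytes)\n"
    driver = b"turbine driver payload (constructed placeholder bytes)\n"
    (tmp / "plc_vpn_setup.exe").write_bytes(clean)
    # Simulates the bytes a compromised download page would serve: the pinned
    # digest was computed over `driver`, but the served file has been altered.
    (tmp / "turbine_driver.zip").write_bytes(driver + b"ALTERED")
    (tmp / "readme_update.exe").write_bytes(b"not in the manifest\n")
    manifest = {
        "plc_vpn_setup.exe": hashlib.sha256(clean).hexdigest(),
        "turbine_driver.zip": hashlib.sha256(driver).hexdigest(),
        "legacy_tool.msi": "0" * 64,  # pinned but never downloaded -> missing
    }
    return verify_downloads(manifest, tmp)


if __name__ == "__main__":
    for status, names in build_demo().items():
        print(f"{status:9s} {names}")
```

Run it as a script to see the four buckets. The check is only as good as the reference digests: pull them from a channel the download site cannot alter, since a compromised vendor web server can serve a matching digest alongside a tampered installer.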

In addition to trojanizing legitimate software used by its victims, Dragonfly has relied on traditional methods of infecting its targets. Those include spam campaigns that trick recipients into installing malicious applications and so-called watering hole attacks, which plant exploits on websites known to be frequented by targets. The discovery that the group has more recently begun infecting suppliers underscores the evolution that's typical in many malware operations.

"The Dragonfly group is technically adept and able to think strategically," the Symantec report stated. "Given the size of some of its targets, the group found a 'soft underbelly' by compromising their suppliers, which are invariably smaller, less protected companies."