Since reports first surfaced that hackers targeted more than a dozen American energy utilities, including a Kansas nuclear power plant, the cybersecurity community has dug into the surrounding evidence to determine the culprits. Without knowing the perpetrators, the campaign lends itself to a broad range of possibilities: a profit-seeking cybercriminal scheme, espionage, or the first steps of hacker-induced blackouts like the ones that have twice afflicted Ukraine in the last two years.

Over the past weekend, US officials solved at least part of that mystery, revealing to the Washington Post that the hackers behind the utility attacks worked for the Russian government. But that attribution raises a new question: Which of the Kremlin's hacker groups attempted the power grid intrusions?

Russia, after all, is perhaps the only nation in the world with multiple known hacker teams that have targeted energy utilities for years. Each has its own techniques, broader focus, and motivation---and deciphering which group is behind the attacks could help determine the intended endgame of this latest infrastructure hacking spree, too.

As the cybersecurity world's Kremlinologists seek those answers, here's what we know about the groups that may have pulled it off.

Energetic Bear

The prime candidate among Russia's array of hacker teams is a group of cyberspies most widely identified as Energetic Bear, but also known by names including DragonFly, Koala, and Iron Liberty. First spotted by the security firm Crowdstrike in 2014, the group initially seemed to have indiscriminately hacked hundreds of targets in dozens of countries since as early as 2010, using so-called "watering hole" attacks that infected websites and planted a Trojan called Havex on visitors' machines. But it soon became clear that the hackers had a more specific focus: They also used phishing emails to target vendors of industrial control software, sneaking Havex into customer downloads. Security firm FireEye found in 2014 that the group breached at least four of those industrial control targets, potentially giving the hackers access to everything from power grid systems to manufacturing plants.

The group seemed at least in part focused on broad surveillance of the oil and gas industry, says Adam Meyers, Crowdstrike's vice president of intelligence. Energetic Bear's targets included everything from gas producers to firms that transported liquid gas and oil to energy financing companies. Crowdstrike also found the group's code contained Russian-language artifacts, and that it operated during Moscow business hours. All of that suggests, Meyers argues, that the Russian government may have used the group to protect its own petrochemical industry and better wield its power as a fuel supplier. "If you threaten to turn off the gas to a country, you want to know how severe that threat is and how to properly leverage it," Meyers says.

But security firms noted that the group's targets included electric utilities, too, and some versions of Energetic Bear's malware had the capacity to scan industrial networks for infrastructure equipment, raising the possibility that it could have not just collected industry intelligence, but performed reconnaissance for future disruptive attacks. "We think they were after control systems, and we don’t think there was a compelling intelligence reason for that," says John Hultquist, who leads a research team at FireEye. "You’re not doing that to learn the price of gas."

After security firms including Crowdstrike and Symantec released a series of analyses of Energetic Bear's infrastructure in the summer of 2014, the group abruptly disappeared.

Sandworm

Only one Russian hacker group has actually caused real-world blackouts: Cybersecurity analysts widely believe the hacker team called Sandworm, also known as Voodoo Bear and Telebots, carried out attacks on Ukrainian electric utilities in 2015 and 2016 that cut off power to hundreds of thousands of people.