The group was named "Energetic Bear" because the vast majority of its victims were oil and gas companies. And CrowdStrike's researchers believed the hackers were backed by the Russian government given their apparent resources and sophistication and because the attacks occurred during Moscow working hours.
A report released Monday by Symantec, a computer security company based in Mountain View, Calif., detailed similar conclusions and added a new element — the Stuxnet-like remote control capability.
In addition to basic hacking techniques, like sending mass emails containing malicious links or attachments, the group infected websites frequented by energy workers and investors in what is known as a "watering hole attack."
In this attack, instead of targeting a victim's computer network directly, hackers infect websites their targets visit often — like an online menu for a Chinese restaurant — with malicious software. Without knowing it, workers visiting that site inadvertently download the so-called malware and help the hackers get inside their computer network.
The Russian hackers were careful to cover their tracks, the researchers said. They hid their malware using encryption techniques that made it difficult to identify their tools and where they came from. In some cases, researchers found evidence that the hackers were probing the core of victims' machines, the part of the computer known as the BIOS, or basic input/output system. Unlike software, which can be patched and updated, once a computer's hardware gets infected, it typically becomes unusable.
F-Secure, the Finnish security firm, also told its clients last week about the Russian hacking group, which Symantec has named "Dragonfly."
In the past six months, researchers say the group has become more aggressive and sophisticated.
The Russian hackers have been breaking into the networks of makers of industrial control software, or I.C.S. software, and inserting so-called Trojans into the programs that many oil and energy firms use to give employees remote access to industrial control systems. So when oil and gas companies downloaded the latest version of the software, they inadvertently downloaded the hackers' malware as well.
At least three industrial control software developers were affected, according to researchers at Symantec, F-Secure and CrowdStrike. The first was a maker of remote access tools for industrial control systems; the second, a European manufacturer of specialized industrial control devices; and the third, a European company that develops systems to manage wind turbines, natural gas plants and other energy infrastructure. They were not named by the security companies because of confidentiality agreements.
Security researchers estimate that more than 250 companies downloaded the infected software updates.
"These infections not only gave the attackers a beachhead in the targeted organizations' networks, but also gave them the means to mount sabotage operations against infected I.C.S. computers," Symantec wrote in its report Monday.
There was no evidence the Russian group intended to use its toehold in some networks to inflict damage, like blowing up an oil rig or power facility, said Kevin Haley, the director of security response at Symantec, in an interview. The apparent motive, Mr. Haley said, was to learn more about energy companies' operations, strategic plans and technology. "But the potential for sabotage is there," he added.
More recently, Energetic Bear has been targeting companies in the financial sector, said Adam Meyers, CrowdStrike's head of threat intelligence. In particular, the group has been attacking, with the watering hole technique, some websites frequented by firms that invest in the energy sector.
Once someone visits an infected site, Mr. Meyers said, attackers will infect their system, scan their device to see if it is worth hacking, and then install sophisticated hacking tools. For devices deemed uninteresting, the attackers simply clean up their tools and move along.
"They are very aggressive," Mr. Meyers said. "And very careful to cover their tracks."
Industrial espionage that has hit over 1,000 organizations in 84 countries.