Insecurity experts have detected an ongoing series of attacks targeting SCADA security companies, universities and defence contractors.
The attacks use customised malicious files to entice targeted users into opening them and are using a series of hacked servers as command-and-control points.
Tactics and tools used by the attackers indicates that they may be located in China.
The first target was Digitalbond, a company that provides security services for ICS systems, but the others followed a similar pattent.
The attack begins with a spear phishing email sent to employees of the targeted company and containing a PDF attachment which, if opened, installs a Trojan downloader called spoolsvr.exe.
This connects to a C&C server located at hxxp://hint.happyforever.com and downloads instructions and a payload. Another file is loaded called tanghi.exe that is not widely recognised by anti-malware products and is a remote access tool that gives the attacker a persistent presence on the compromised machine.
AV expert Jaime Blasco of AlienVault said users at Carnegie Mellon University, Purdue University and the University of Rhode Island have been hit.
Chertoff Group, which is a consultancy headed by former secretary of Homeland Security Michael Chertoff, and NJVC, another defense contractor, have been targeted.
Alienvault said the approach was similar to the Shady Rat attacks that were first publicized by McAfee in August, 2011 and are probably the same people.
The attacks are not random and it appears that the targets are being selected carefully.