A hacking group has grown bolder and gained access to operational controls of US electric companies, according to Symantec researchers.

A hacker group linked to the Russian government has acquired an unprecedented level of access to companies that supply power to the US power grid, a cybersecurity firm says.

Symantec, a California-based firm that provides cybersecurity services and worldwide research against online threats, says the group, which it’s nicknamed Dragonfly 2.0, may have compromised more than a dozen American companies in recent months.

Dragonfly – also called Crouching Yeti, or Energetic Bear, depending on which researcher you talk to was an established hacker group that attacked energy sector targets around the world from at least 2011 until 2014, when it went quiet after its tactics were exposed by public research.

Researchers at Symantec have declined to specifically cite Russia as the culprit, though they do say it’s a state-sponsored attack. Researchers at other firms, like CrowdStrike and FireEye, have tied Dragonfly to the Russian government.

So far, though, the U.S. intrusions have been about gathering intelligence— technical diagrams, reports, passwords, crypto keys—mostly from administrative networks that don’t control equipment. In only a handful of the breaches did the intruders make their way to the plant control network. But Vikram Thakur, technical director at Symantec, points out they weren’t quick to leave.

“The ones where the attackers were able to get on the operational side of the house were the scariest to us,” says Thakur. “We’ve seen them get on these operational computers and start taking rapid-fire screenshots. Some would show maps of what’s connected to what.”

Hackers have been targeting employees using a tactic called “phishing” for several years.

They send spam emails and hope that a hapless worker might click on a link, downloading software which would allow hackers to snoop on a company’s internal systems.

In 2015, the group tried to hoodwink companies by sending emails disguised as invitations to a New Year’s Eve party. The emails contained very specific content related to the energy sector, as well as some related to general business concerns. Once opened, the attached malicious document would attempt to leak victims’ network credentials to a server outside of the targeted organisation.

These email campaigns to get into the system are typically preceded by an intelligence-gathering phase where attackers collect information about target networks and systems and acquire credentials that will be used later on.

Symantec did not name Russia in its report but noted that the attackers used code strings that were in Russian. Other code used French, Symantec said, suggesting the attackers may be attempting to make it more difficult to identify them.

Symantec’s report only describes breaches. It does not describe any evidence of actual attacks against these facilities.