The energy business, including oil and gas producers, was hit by more targeted malware attacks from April to September last year than any other industry, said the Council on Foreign Relations (CFR) report, citing data from a Houston-based security company, Alert Logic.
The Stuxnet virus, said to have been created by the United States and Israel to attack Iran's nuclear program, is an example of a campaign that ended up escaping from its intended target at the risk of causing harm to a U.S. company. Chevron Corp said late last year it had been infected by Stuxnet, but said without elaborating the virus was quickly controlled.
An attack dubbed Shamoon last year on Saudi Aramco, Riyadh's state oil company, ultimately disabled some 30,000 computers. The company said the attack was aimed at stopping oil and gas output at the biggest OPEC crude exporter.
Oil production was apparently unaffected, but damage could have been more severe had the attack penetrated further into the network, the report said.
Hackers from a group called "Cutting Sword of Justice," suspected to be insiders, claimed responsibility for the attack, which was believed to have been delivered using a USB drive.
(Reporting by Timothy Gardner; Editing by Matt Driskill)