I'll comment on it since I spent the better part of 4 months working on the issue:
- First, Symantec's timeline is wrong. I know of at least two very large chemical companies that were hit as early as August last year. Same MO. Same emails. Same malware. Same targeted data.
- Second, yes, PoisonIvy, but a highly modified one. We recovered original versions of it, and it was modified enough from the original form that AV and IDS didn't pick it up. VirusTotal only had 2 products that flagged it. It was also VM-aware, as we couldn't get the emails to dump the payload in our VM workstations. We actually had to have the client put one of their images on a laptop in order to get the malware samples.
- Third, the attackers were persistent. Every time they were pushed out of the environment, they'd use information they'd gathered to find a new way back in. Note to admins: don't be cute and use the same password for web apps and remote access as you do for AD and systems.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER