This group is highly sophisticated and seems to engage in industrial scale corporate espionage. They use some very targeted spear phishing to get users to click on malware. The initial emails tend to appear to come from HR and tend to be sent to entire groups at a time since this seems to make it more likely to get someone to actually click. Take note, fellow practitioners, just because everyone on your team got an email does not make it a legitimate email! Start tweaking your awareness training now.

Once that happens, power shell scripts run that replace items on shared corporate drivers with specially crafted links that then infect more computers. The goal here to is lay low and harvest as much data as possible. They seem to target HR records, financial records, trade secrets, and items like facility blue prints.

None of the data seems to have shown up for sale anywhere so the big question is what is the pay off. If I had to place bets, this is either a Russian organized crime doing some sort of a hacker for hire scheme but the more likely scenario has to do with all the hacking around energy production and consumption in an effort to drive up fossil fuel prices since both coal and oil prices have really bottomed out. The Russian economy is heavily dependent on both.