VERY IMPORTANT

Proofpoint researchers recently observed a campaign targeting telecom and military in Russia. Beginning in July 2015 (and possibly earlier), the attack continued into August and is currently ongoing. As a part of this campaign, we also observed attacks on Russian-speaking financial analysts working at global financial firms and covering telecom corporations in Russia, likely a result of collateral damage caused by the attackers targeting tactics. The attacks employed PlugX, a Remote Access Trojan (RAT) widely used in targeted attacks. Proofpoint is tracking this attacker, believed to operate out of China, as TA459 . This same attacker is also reported to have targeted various military installations in Central Asia in the past [1]. While the current campaign from this attacker has been active for a couple of months, there is evidence of activity by this attacker as far back as 2013, employing other backdoors such as Saker, Netbot and DarkStRat .