Proofpoint has identified spearphishing emails that hit at least three US companies in the utilities sector in mid-to-late July. The email domain was designed to be mistaken for one belonging to the US National Council of Examiners for Engineering and Surveying. An attached Microsoft Word document contained malicious macros that carried a malware package Proofpoint calls "LookBack." LookBack is a remote access Trojan accompanied by a command-and-control proxy mechanism. The researchers believe there's enough evidence to indicate that a nation-state was responsible, but not enough for further attribution, although there are some similarities to the Chinese group APT10.
RiskIQ took a look at the recent phishing campaign targeting Bellingcat, and they've concluded that it was indeed closely focused on a small number of investigative journalists who've proven annoying gadflies to the Russian government. The campaign made adroit use of ProtonMail infrastructure, which lent more plausibility than the phishing attempts might otherwise have enjoyed.
Russia isn't the only government Bellingcat scrutinizes, the Daily Beast notes. The investigative site's reports led Facebook to take down three-hundred-fifty pages and accounts for "coordinated inauthenticity" organized by the Kingdom of Saudi Arabia.