The campaign reuses a portion of code from the Seasalt implant (circa 2010) that is linked to the Chinese hacking group Comment Crew. Oceansalt appears to have been part of an operation targeting South Korea, the United States, and Canada in a well-focused attack.
The campaign mainly targets industrial control system workstations running SCADA software at energy companies in Ukraine and Poland. The operation attempts to gain access by targeting an organization's Internet-facing website or by sending malicious attachments in spear-phishing emails. The malware used in the attacks is similar to the BlackEnergy malware that was used against the Ukrainian energy industry in 2015.