Hackers Steal Documents From Defence Companies
Dozens of military-connected companies and public bodies compromised in series of attacks by China-based hackers, researchers say
Chinese-speaking hackers have hacked dozens of private enterprises and public organisations in the defence industry in several Eastern European countries and Afghanistan in order to steal secret documents, security researchers say.
The attacks began in January of this year and used malware called PortDoor that was also used by China-backed hackers in April 2021 to hack the systems of a defence contractor that designs submarines for the Russian Navy.
In some cases the more recent attacks were able to take over the targets’ entire IT infrastructure, including systems used to manage security software, said Kaspersky ICS CERT.
Spear phishing
The attacks use carefully crafted phishing emails that in some cases make use of information not released to the public, and which may have been stolen from the same company earlier on or from other organisations, Kaspersky said.
The information includes the full names of employees responsible for handling sensitive information and internal codenames of projects developed by attacked organisations.
The emails contain Microsoft Word documents that exploit the CVE-2017-11882 vulnerability that exists in older versions of Microsoft Equation Editor, a Microsoft Office component.
The vulnerability allows malicious code to be executed on the target system without any further action from the user.
PortDoor malware
The attackers used the vulnerability to deploy PortDoor malware, which then installed additional malware.
The data stolen was sent in encrypted form to servers in various other countries, before being forwarded on to servers in China.
“The attack targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan,” Kaspersky said in an advisory.
“An analysis of information obtained while investigating the incidents indicates that cyberespionage was the goal of this series of attacks.”
Espionage
The company said it believes the attacks were carried out by a Chinese threat group known as TA428, known for focusing on information theft and targeting organisations in Asia and Eastern Europe.
“We believe that the attack series we have identified is an extension of known campaign described in the research of Cybereason, DrWeb, and NTTSecurity,” Kaspersky said.
“This is supported by numerous facts and a large amount of evidence we have identified, from the choice of victims to matching CnC servers.”
The company recommended the use of up-to-date security systems.