Hackers Steal Documents From Defence Companies

Chinese-speaking hackers have hacked dozens of private enterprises and public organisations in the defence industry in several Eastern European countries and Afghanistan in order to steal secret documents, security researchers say.

The attacks began in January of this year and used malware called PortDoor that was also used by China-backed hackers in April 2021 to hack the systems of a defence contractor that designs submarines for the Russian Navy.

In some cases the attackers behind the more recent attacks were able to take over the targets’ entire IT infrastructure, including the systems used to manage security software, said Kaspersky ICS CERT.

Spear phishing

The attacks use carefully crafted phishing emails that in some cases make use of information not released to the public, and which may have been stolen from the same company earlier on or from other organisations, Kaspersky said.

The information includes the full names of employees responsible for handling sensitive information and the internal codenames of projects developed by the attacked organisations.

The emails contain Microsoft Word documents that exploit the CVE-2017-11882 vulnerability that exists in older versions of Microsoft Equation Editor, a Microsoft Office component.

The vulnerability allows malicious code to be executed on the target system without any further action from the user.
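As an added defensive example (not code from the article or from Kaspersky), the following Python flags process-creation events in which Equation Editor starts a child process, the tell-tale behaviour of a triggered CVE-2017-11882 exploit; the log lines, host names and paths are constructed.

```python
import csv
import io
from pathlib import PureWindowsPath

# Binary name of the legacy Microsoft Equation Editor component (a known fact,
# not taken from the article). The CVE-2017-11882 overflow runs inside this
# process, so the injected code's first visible action is usually to start
# a child process, which Equation Editor never does when rendering formulae.
EQUATION_EDITOR = "eqnedt32.exe"

# Constructed sample of process-creation telemetry (not real data):
# timestamp,host,parent_image,image,command_line
SAMPLE_EVENTS = """\
2022-01-14T09:12:03Z,WS-ENG-07,C:\\Windows\\System32\\svchost.exe,C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE,"EQNEDT32.EXE -Embedding"
2022-01-14T09:12:04Z,WS-ENG-07,C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE,C:\\Windows\\System32\\cmd.exe,"cmd /c %TEMP%\\stage.exe"
2022-01-14T09:15:40Z,WS-ENG-07,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,C:\\Windows\\splwow64.exe,"splwow64.exe 12288"
2022-01-14T09:20:11Z,WS-HR-02,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,"cmd"
"""

FIELDS = ["timestamp", "host", "parent_image", "image", "command_line"]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return PureWindowsPath(path).name.lower()


def find_equation_editor_spawns(log_text: str) -> list:
    """Return every event whose parent process is Equation Editor.

    Equation Editor is launched out-of-process by COM (its parent is normally
    svchost.exe), so matching on the *parent* of a new process, rather than on
    Word spawning something, is what catches the exploit's follow-on stage.
    """
    hits = []
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS)
    for row in reader:
        if basename(row["parent_image"]) == EQUATION_EDITOR:
            hits.append({
                "timestamp": row["timestamp"],
                "host": row["host"],
                "child": basename(row["image"]),
                "command_line": row["command_line"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_equation_editor_spawns(SAMPLE_EVENTS):
        print(f"{hit['timestamp']} {hit['host']}: Equation Editor spawned "
              f"{hit['child']} ({hit['command_line']})")
```

The same check works on any process-creation source that records the parent image (Sysmon event ID 1, EDR telemetry), once the field names are mapped.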

PortDoor malware

The attackers used the vulnerability to deploy PortDoor malware, which then installed additional malware.

The data stolen was sent in encrypted form to servers in various other countries, before being forwarded on to servers in China.

“The attack targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan,” Kaspersky said in an advisory.

“An analysis of information obtained while investigating the incidents indicates that cyberespionage was the goal of this series of attacks.”

Espionage

The company said it believes the attacks were carried out by a Chinese threat group known as TA428, which is known for information theft and for targeting organisations in Asia and Eastern Europe.

“We believe that the attack series we have identified is an extension of a known campaign described in the research of Cybereason, DrWeb, and NTTSecurity,” Kaspersky said.

“This is supported by numerous facts and a large amount of evidence we have identified, from the choice of victims to matching CnC servers.”

The company recommended the use of up-to-date security systems.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
