Hackers Steal Documents From Defence Companies

Chinese-speaking hackers have hacked dozens of private enterprises and public organisations in the defence industry in several Eastern European countries and Afghanistan in order to steal secret documents, security researchers say.

The attacks began in January of this year and used malware called PortDoor that was also used by China-backed hackers in April 2021 to hack the systems of a defence contractor that designs submarines for the Russian Navy.

In some cases the more recent attacks were able to take over the targets’ entire IT infrastructure, including systems used to manage security software, said Kaspersky ICS CERT.

Spear phishing

The attacks use carefully crafted phishing emails that in some cases make use of information not released to the public, and which may have been stolen from the same company earlier on or from other organisations, Kaspersky said.

The information includes the full names of employees responsible for handling sensitive information and internal codenames of projects developed by attacked organisations.

The emails contain Microsoft Word documents that exploit the CVE-2017-11882 vulnerability that exists in older versions of Microsoft Equation Editor, a Microsoft Office component.

The vulnerability allows malicious code to be executed on the target system without any further action from the user.
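As an added defender-side triage example (not code from the article or from Kaspersky), the script below flags Word attachments, either .docx or RTF, that embed the Equation Editor OLE component the article names; the documents it scans are constructed in memory, and the Equation.3 ProgID and its CLSID are the component's standard identifiers, so a hit means "contains an Equation Editor object worth inspecting", not "confirmed exploit".

```python
"""Triage check for Office lures that embed the Equation Editor OLE component
(the Microsoft Office part affected by CVE-2017-11882). Added example; the
documents scanned below are constructed in memory, not real attachments."""
import io
import re
import zipfile

# Standard identifiers for Equation Editor 3.0 as they appear in OOXML and RTF.
EQUATION_PROGID = b"Equation.3"
EQUATION_CLSID = b"0002ce02-0000-0000-c000-000000000046"


def scan_document(data: bytes) -> dict:
    """Report whether a .docx (zip) or .rtf blob references Equation Editor."""
    findings = {"format": None, "equation_object": False, "embeddings": []}
    if data[:2] == b"PK":
        findings["format"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                # Embedded OLE payloads live under word/embeddings/.
                if name.startswith("word/embeddings/"):
                    findings["embeddings"].append(name)
                elif name.endswith(".xml"):
                    xml = zf.read(name)
                    if EQUATION_PROGID in xml or EQUATION_CLSID in xml.lower():
                        findings["equation_object"] = True
    elif data[:5] == b"{\\rtf":
        findings["format"] = "rtf"
        # RTF declares the object class inline: {\*\objclass Equation.3}
        if re.search(rb"\\objclass\s*Equation\.3", data) or EQUATION_CLSID in data.lower():
            findings["equation_object"] = True
    return findings


def build_sample_docx(with_equation: bool) -> bytes:
    """Construct a minimal .docx in memory (constructed test data, no payload)."""
    body = b"<w:p><w:r><w:t>Project update</w:t></w:r></w:p>"
    if with_equation:
        body += b'<w:object><o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId5"/></w:object>'
    doc = b"<w:document><w:body>" + body + b"</w:body></w:document>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
        if with_equation:
            # Placeholder OLE container header only; not an actual object.
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()
```

Run `scan_document(open(path, "rb").read())` over quarantined attachments; legitimate documents can also carry Equation objects, so treat a hit as a reason to detonate or inspect, and pair it with the patch level of the recipient's Office install.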

PortDoor malware

The attackers used the vulnerability to deploy PortDoor malware, which then installed additional malware.

The data stolen was sent in encrypted form to servers in various other countries, before being forwarded on to servers in China.

“The attack targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan,” Kaspersky said in an advisory.

“An analysis of information obtained while investigating the incidents indicates that cyberespionage was the goal of this series of attacks.”

Espionage

The company said it believes the attacks were carried out by a Chinese threat group known as TA428, which is known for focusing on information theft and for targeting organisations in Asia and Eastern Europe.

“We believe that the attack series we have identified is an extension of a known campaign described in the research of Cybereason, DrWeb, and NTTSecurity,” Kaspersky said.

“This is supported by numerous facts and a large amount of evidence we have identified, from the choice of victims to matching CnC servers.”

The company recommended the use of up-to-date security systems.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
