Hacker attacks are nothing new, sadly, and there’s a new one that came up late last week that potentially involves a Chinese threat actor trying to gain access to Russian nuclear submarine designs.
Uncovered by the Cybereason Nocturnus Team and shared on April 30, the alleged cyberattack targeted a single person: a general director at the Rubin Design Bureau, a Russia-based defense contractor that designs nuclear submarines for the country's Navy.
The reason the Cybereason team attributes this to a Chinese actor is the tooling: the "RoyalRoad weaponizer", which builds malicious RTF documents, has previously been used in a number of other Chinese-led intrusions. The usual tactic is to use RoyalRoad documents for spear-phishing high-value targets.
Here the document delivers a previously undocumented Windows backdoor called PortDoor. PortDoor can be used in several ways, for instance for carrying out reconnaissance, profiling the target, delivering additional payloads, and more.
In this case, the general director Igor Vladimirovich of Rubin Design Bureau received a spear-phishing email with a malicious RTF (rich text format) document weaponized with a RoyalRoad payload. The email content might have looked harmless enough, as it contained an autonomous underwater vehicle’s renderings (see image above).
Once the document is opened, the exploit drops a Microsoft Word add-in file. Word loads add-ins from its startup folder every time it launches, so the attacker gains persistence through a mechanism that tools watching the usual auto-start locations often do not flag.
The team that uncovered the threat also noted that this new RoyalRoad variant drops its payload under a file name that differs from the ones seen in earlier samples.
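As an added example (not code from the original article or from Cybereason's report), here is a small Python triage script for the two stages just described. It flags OLE-object control words in an RTF file and decodes the hex blob behind `\objdata` as an OLE1 object header to recover the embedded object's class name, and it lists add-in and template files in a Word STARTUP folder, the location Word loads on every launch. The sample RTF, its `Equation.3` class name and the file names used in the usage are constructed for this example; the article does not state which object class or file names the real documents used.

```python
"""Triage helpers for a weaponized RTF (embedded OLE object) and for a Word
add-in dropped into the Word STARTUP folder for persistence.
All sample data in this file is constructed for the example."""
import binascii
import os
import re
import struct
from pathlib import Path
from typing import List, Optional

# RTF control words that introduce embedded OLE objects. \objupdate forces the
# object to load when the document opens, which benign documents rarely need.
OLE_CONTROL_WORDS = (b"\\object", b"\\objemb", b"\\objupdate", b"\\objdata")

# Word loads every add-in (.wll is a DLL) and template in its STARTUP folder at
# launch, so a file dropped there runs each time Word starts.
ADDIN_EXTENSIONS = {".wll", ".dotm", ".dot"}


def parse_ole1_header(blob: bytes) -> Optional[dict]:
    """Parse the OLE1 ObjectHeader (MS-OLEDS): OLEVersion, FormatID and the
    length-prefixed ClassName, which names the application that handles it."""
    if len(blob) < 12:
        return None
    ole_version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    if name_len > len(blob) - 12:
        return None
    class_name = blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1", "replace")
    return {"ole_version": ole_version, "format_id": format_id, "class_name": class_name}


def rtf_object_report(rtf: bytes) -> dict:
    """Flag OLE-related control words and decode every \\objdata hex blob."""
    report = {"is_rtf": rtf.lstrip().startswith(b"{\\rtf"),
              "control_words": [], "objects": [], "suspicious": False}
    if not report["is_rtf"]:
        return report
    report["control_words"] = [cw.decode() for cw in OLE_CONTROL_WORDS if cw in rtf]
    # \objdata is followed by hex text, often broken up with whitespace and
    # line breaks; keep only hex digits before decoding.
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexstr = re.sub(rb"[^0-9a-fA-F]", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # tolerate a dangling nibble
        hdr = parse_ole1_header(binascii.unhexlify(hexstr))
        if hdr:
            report["objects"].append(hdr)
    report["suspicious"] = b"\\objupdate" in rtf and bool(report["objects"])
    return report


def find_startup_addins(startup_dir: Path) -> List[str]:
    """List add-in/template files in a Word STARTUP folder; anything here is
    loaded on every Word launch and deserves a look."""
    if not startup_dir.is_dir():
        return []
    return sorted(p.name for p in startup_dir.iterdir()
                  if p.is_file() and p.suffix.lower() in ADDIN_EXTENSIONS)


def word_startup_dirs() -> List[Path]:
    """Per-user Word STARTUP location on Windows (%APPDATA%\\Microsoft\\Word\\STARTUP)."""
    appdata = os.environ.get("APPDATA")
    return [Path(appdata) / "Microsoft" / "Word" / "STARTUP"] if appdata else []


def build_sample_rtf() -> bytes:
    """Constructed sample: an RTF embedding an OLE1 object whose class name is
    'Equation.3' (Equation Editor; chosen for illustration only)."""
    cls = b"Equation.3\x00"
    native = b"\xde\xad\xbe\xef"
    hdr = struct.pack("<II", 0x00000501, 2)        # OLEVersion, FormatID=2 (embedded)
    hdr += struct.pack("<I", len(cls)) + cls        # ClassName (length includes NUL)
    hdr += struct.pack("<II", 0, 0)                 # empty TopicName and ItemName
    hdr += struct.pack("<I", len(native)) + native  # NativeDataSize + NativeData
    return (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata\n" + binascii.hexlify(hdr) + b"\n}}}")


if __name__ == "__main__":
    print(rtf_object_report(build_sample_rtf()))
    for d in word_startup_dirs():
        print(d, find_startup_addins(d))
```

Run it against a real file with `rtf_object_report(Path("doc.rtf").read_bytes())`; an RTF whose report lists `\objupdate` together with a decoded object is worth a closer look, and the class name tells you which application the object targets. The regex only handles plain hex `\objdata`; objects carried via `\bin` or split across nested groups need a proper RTF parser.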
It's unclear what information, if any, was exfiltrated, but it's good to see threat-intelligence teams like Cybereason's keeping a close eye on activity like this. The FBI in the U.S., for example, uses the hackers' own tactics to evict them from compromised Microsoft Exchange servers.
As we've noted before, cyber threats only seem to keep growing, and a number are regularly linked to China and Russia. In March, for instance, Microsoft attributed attacks on on-premises Exchange servers to a China-linked group, and in the same month Chinese and Russian hackers were believed to be behind cyberattacks aimed at stealing COVID-19 vaccine data.