Not only the US: Chinese hackers attack Russian defense contractor

The attackers tried to carry out spear phishing by sending emails with a malicious attachment to the general director of the largest submarine design center in Russia. Investigators believe it was a Chinese attack because the tactics and techniques resemble those of known Chinese groups.


A diagram of an autonomous underwater vehicle from the malicious RTF file. Photo from the report by Cybereason on the company website

An APT group linked to China tried to attack a Russian defense contractor that designs nuclear submarines for Russia's Navy, researchers from cybersecurity company Cybereason revealed. According to the report, the hackers tried to carry out spear phishing by sending emails to the general director of the Rubin Design Bureau in St. Petersburg, the largest of Russia's three submarine design centers, which has designed more than two-thirds of the country's nuclear submarines.

The Cyber Defense Magazine website said that the spear-phishing emails sent to the general director carried a malicious RTF document containing descriptions of an autonomous underwater vehicle. The file dropped a previously unknown backdoor capable of facilitating a wide range of disruptive actions. The researchers attribute the operation to China because the tactics, techniques and procedures (TTPs) were similar to those of a number of known Chinese APT groups.

"When comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style," the Cybereason report said, adding that "The newly discovered backdoor does not seem to share significant code similarities with previously known malware used by the abovementioned groups, other than anecdotal similarities that are quite common to backdoors, leading us to the conclusion that it is not a variant of a known malware, but is in fact novel malware that was developed recently." 

At the time that this report was published, the extent of damage from the attack was not known. 
