Cyber Espionage Targeting Russian Defense Contractor: New Backdoor Detected
Recent threat-intelligence reporting describes a threat actor, assessed to be operating on behalf of Chinese state interests, actively targeting a major Russian defense contractor. The contractor, the Rubin Design Bureau, designs nuclear submarines for the Russian Navy, which makes the strategic value of the intrusion clear.
The incident began with a spear-phishing email aimed specifically at the general director of the Rubin Design Bureau. The attackers used the well-known "Royal Road" Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor, named "PortDoor." Analysts from Cybereason's Nocturnus threat intelligence team, who documented the attack, describe PortDoor's capabilities as including reconnaissance and target profiling, privilege escalation, and evasion of static antivirus detection.
PortDoor can also fetch and run additional payloads and exfiltrates collected data encrypted with AES. The researchers note that the tooling and tradecraft overlap with activity already attributed to Chinese cyber-espionage groups, which are known for persistent targeting of the same victims and for continually reworking their exploitation toolchains.
The Rubin Design Bureau, based in Saint Petersburg, has been integral to the Soviet and Russian naval forces since its establishment in 1901. With a remarkable history of designing over 85% of the submarines in the Russian fleet, the firm is a prime target for cyber espionage, especially given its involvement in strategic military technologies.
The Royal Road weaponizer is shared among several Chinese threat groups, including Goblin Panda and TA428. The documents it produces exploit a series of memory-corruption vulnerabilities in Microsoft's Equation Editor (such as CVE-2017-11882 and CVE-2018-0798) and are delivered through spear-phishing campaigns to high-value targets. In this incident, an email carrying a weaponized document was again the initial infection vector, consistent with earlier campaigns that used the same approach.
When the document was opened, it dropped an encoded file named "e.o," from which the PortDoor backdoor was extracted and installed. Earlier Royal Road samples typically drop a file named "8.t," so the change to "e.o" suggests the adversary has updated the toolchain, possibly a new variant of the weaponizer.
PortDoor exhibits several traits typical of advanced persistent threat tooling: anti-analysis and obfuscation techniques intended to evade detection, plus a persistence mechanism so that the backdoor survives reboots on the victim's system. Once installed, it can gather system information, escalate privileges, and communicate with an attacker-controlled command-and-control server.
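Because the initial access in this campaign hinges on an RTF document carrying an Equation Editor OLE object, a practitioner will want a way to triage inbound RTF attachments for that pattern. The following script is an added example, not code from the original article or from Cybereason; it looks for artifacts that a genuine Equation Editor object leaves in RTF (the `Equation.3` ProgID in `\objclass`, the `Equation Native` stream name inside the embedded OLE compound document, and the `\objupdate` control word that forces the object to load on open). The sample documents at the bottom are constructed to exercise the detector and contain no exploit code; real Royal Road samples obfuscate the `\objdata` payload, so a production pipeline should hand the file to a full RTF parser such as oletools' `rtfobj` rather than rely on this hex decoder.

```python
import binascii
import re

# Artifacts of an embedded Equation Editor 3.0 object. "Equation.3" is the
# ProgID Word writes into \objclass; the OLE compound document inside
# \objdata carries a stream literally named "Equation Native", which the OLE
# directory stores as UTF-16LE.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")


def extract_objdata(rtf: bytes) -> list:
    """Return the raw hex text of every \\objdata group in an RTF file.

    RTF groups nest with braces, so a regex up to the first '}' would stop
    inside a nested group; instead walk forward from each \\objdata control
    word and track brace depth until the enclosing group closes.
    """
    payloads = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i, start = 1, m.end(), m.end()
        while i < len(rtf) and depth > 0:
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            i += 1
        payloads.append(rtf[start:i - 1])  # drop the closing brace
    return payloads


def decode_hex(blob: bytes) -> bytes:
    """Decode RTF hex data, tolerating whitespace and line breaks.

    Any stray non-hex byte is dropped; good enough for triage, not for
    byte-exact carving of obfuscated payloads.
    """
    hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", blob)
    if len(hexchars) % 2:
        hexchars = hexchars[:-1]
    return binascii.unhexlify(hexchars)


def triage_rtf(rtf: bytes) -> dict:
    """Score an RTF file for an Equation Editor object loaded on open."""
    findings = {
        "objclass_equation": bool(re.search(rb"\\objclass\s*Equation\.\d", rtf)),
        # \objupdate makes Word load the OLE object when the file opens,
        # so the exploit fires without the user clicking anything.
        "objupdate": b"\\objupdate" in rtf,
        "embedded_ole": 0,
        "equation_native_stream": 0,
    }
    for blob in extract_objdata(rtf):
        data = decode_hex(blob)
        # An OLE1 object header precedes the compound file, hence "in".
        if OLE_MAGIC in data:
            findings["embedded_ole"] += 1
        if EQUATION_NATIVE_UTF16 in data:
            findings["equation_native_stream"] += 1
    findings["suspicious"] = (
        findings["equation_native_stream"] > 0
        or (findings["objclass_equation"] and findings["objupdate"])
    )
    return findings


# Constructed samples (not real malware): a fake OLE payload that merely
# contains the compound-file magic and the "Equation Native" stream name.
_FAKE_OLE = OLE_MAGIC + b"\x00" * 16 + EQUATION_NATIVE_UTF16 + b"\x00" * 16
SAMPLE_MALICIOUS = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + _FAKE_OLE.hex().encode() + b"}}\\par}"
)
SAMPLE_BENIGN = b"{\\rtf1\\ansi Quarterly report text only.\\par}"

if __name__ == "__main__":
    for name, doc in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage_rtf(doc))
```

The `\objupdate` check matters as much as the Equation Editor markers: legitimate documents can embed equations, but a document that both embeds `Equation.3` and forces the object to refresh on open is exactly the shape of an Equation Editor exploit.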
In sum, the attack maps cleanly onto the MITRE ATT&CK framework: initial access via a spear-phishing attachment (T1566.001), exploitation of the document viewer for client execution (T1203), and deployment of a backdoor for persistent command-and-control. Together these show a well-coordinated operation consistent with state-sponsored espionage. As organizations face escalating threats of this kind, tracking such incidents and the specific techniques they employ is essential for prioritizing defenses.
Keep informed about the latest in cybersecurity by following credible news sources, ensuring that your organization is prepared to tackle potential vulnerabilities in an ever-evolving threat landscape.