
Chinese APT Groups Targeting Russian Defense Contractors

China-linked APT groups are targeting the Russian defense sector with a previously undocumented backdoor named PortDoor. The researchers who uncovered the espionage campaign did not attribute it to a specific Chinese APT group, but they pointed to overlaps with known groups that narrow the list of candidates.

What has happened?

According to the Cybereason Nocturnus Team, China-based APT groups are targeting the Rubin Design Bureau, one of the main Russian centers that designs submarines for the Russian Navy.
  • The attackers sent spear-phishing messages to the general director of the Rubin Design Bureau in Saint Petersburg.
  • The spear-phishing messages carried a malicious RTF document whose lure content described an autonomous underwater vehicle. Opening the document delivers the PortDoor backdoor.
  • The Cybereason Nocturnus Team identified the RTF documents while tracking recent developments in RoyalRoad, an RTF exploit builder also known as the 8.t Dropper.
  • The documents, generated with that builder, exploit CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802, three vulnerabilities in the Microsoft Office Equation Editor component (EQNEDT32.EXE).
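The delivery chain described above rests on an RTF file embedding an OLE object that Office hands to the Equation Editor, which is the component RoyalRoad-built documents exploit. The script below is an added triage example, not code from Cybereason or from the Cyware article, that flags this pattern in an RTF on disk: it pulls every `\objclass` ProgID and every `\objdata` hex blob out of the file, decodes the blobs, and checks for the OLE compound-file magic and the "Equation Native" stream name that Equation Editor objects carry. Both sample documents are constructed for the example; the "suspicious" one wraps a placeholder OLE header, not an exploit.

```python
"""Triage an RTF file for an embedded Equation Editor OLE object.

Heuristic only: a hit means "this document asks Office to load EQNEDT32.EXE",
which is the precondition for the RoyalRoad exploits, not proof of malice.
"""
import binascii
import re

# Regexes over raw bytes: \objclass names the ProgID of the embedded object,
# \objdata carries the serialized object as a hex string (often wrapped with
# CRLF, so whitespace is allowed inside the blob).
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9_.]+)", re.IGNORECASE)
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)", re.IGNORECASE)

# Header of an OLE compound file (the container the embedded object is stored in).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Stream name Equation Editor parses; directory entries in OLE files are UTF-16LE,
# but the ASCII form is checked too in case a builder stored it differently.
EQ_NATIVE_MARKERS = (b"Equation Native", "Equation Native".encode("utf-16-le"))


def decode_objdata(hexblob: bytes) -> bytes:
    """Turn the hex text of an \\objdata group back into raw bytes.

    Whitespace is dropped first; a trailing odd nibble (truncated or
    deliberately malformed blob) is discarded rather than raising.
    """
    clean = re.sub(rb"\s+", b"", hexblob)
    if len(clean) % 2:
        clean = clean[:-1]
    try:
        return binascii.unhexlify(clean)
    except binascii.Error:
        return b""


def triage_rtf(data: bytes) -> dict:
    """Return the indicators found in one RTF and a coarse verdict."""
    objclasses = [m.group(1).decode("ascii", "replace") for m in OBJCLASS_RE.finditer(data)]
    blobs = [decode_objdata(m.group(1)) for m in OBJDATA_RE.finditer(data)]

    equation_class = any(c.lower().startswith("equation") for c in objclasses)
    ole_header = any(b.startswith(OLE_MAGIC) for b in blobs)
    equation_native = any(marker in b for b in blobs for marker in EQ_NATIVE_MARKERS)

    if equation_class or equation_native:
        verdict = "equation-editor-object"   # loads EQNEDT32.EXE: escalate
    elif ole_header or blobs:
        verdict = "ole-object"               # some other embedded object: review
    else:
        verdict = "clean"

    return {
        "objclasses": objclasses,
        "ole_header": ole_header,
        "equation_native": equation_native,
        "verdict": verdict,
    }


# --- Constructed samples (not real malware) ---------------------------------
BENIGN_RTF = b"{\\rtf1\\ansi{\\fonttbl{\\f0 Times New Roman;}}\\f0 Quarterly report\\par}"

# Placeholder "object": OLE magic, padding, then the UTF-16LE stream name.
_FAKE_OLE = OLE_MAGIC + b"\x00" * 8 + "Equation Native".encode("utf-16-le") + b"\x00" * 8
SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objw100\\objh100{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + binascii.hexlify(_FAKE_OLE) + b"}}\\par}"
)


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        print(name, triage_rtf(doc))
```

Equation.3 objects are legitimate in scientific documents, so treat a hit as a reason to detonate or inspect the file, not as a conviction. In practice, builders obfuscate the `\objdata` group (case changes, stray control words, split hex), so a regex pass like this belongs in front of a proper RTF parser rather than in place of one.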

Attribution 

The attribution rests on overlaps with TTPs associated with several Chinese APT groups; PortDoor itself, however, does not appear to be a variant of any previously observed malware.
  • The RTF file used in the attack was created with RoyalRoad v7, which was previously used in attacks carried out by TA428, Tonto Team, and Rancor threat actors.
  • Tonto Team and TA428 were previously associated with cyberattacks aimed at Russian research and defense organizations.

Conclusion

The researchers have not attributed the campaign to a specific threat actor, citing insufficient evidence so far. Although several hints point toward Tonto Team and TA428, the possibility that an entirely new, as-yet-unknown Chinese threat group is behind it cannot be ruled out. Either way, the campaign underlines the growing sophistication and reach of Chinese threat actors in global cyberespionage.

Publisher: Cyware