Cyberespionage: malware targets Russia’s biggest nuclear submarine designer

We do not see it but it roars in the networks: cyber warfare is silent and one of its most feared weapons of States is that of cyber espionage. Knowing the secret plans of states is to ensure a certain superiority in the event of conflict. In this area, the clues often point to groups of hackers affiliates to the Kremlin or to the Chinese state. And precisely, it seems that the latter sought to know more about the submarines nuclear Russian.

Researchers from the Cybereason Vampire Team have in fact identified a malware with a door entry (backdoor) having specifically targeted a large Russian company responsible for the design of nuclear submarines for the Russian Navy since 1991. The attack by Phishing specifically targeted the director of the design and engineering office of the Rubin submarine design center, located in St. Petersburg. The attackers certainly wanted to reach by this means, the Gidropribor consortium of which Rubin is a part. It is this center that designs the torpedoes and missiles submarines.

RoyalRoad: a militarized malware

The viral load was filed by RoyalRoad, a known cyber weapon that exploits infected RTF files and allows attacker to sneak in via older versions of Word. It turns out that RoyalRoad has been customized in a military way according to the researchers, in order to deposit a backdoor unpublished baptized PortDoor. With it, hackers can add additional payloads, elevate their privileges, and exfiltrate data.

While the type of phishing attack remains basic, the use of RoyalRoad and its customization has allowed specialists to focus their suspicions on Chinese APT groups usually sponsored by the Chinese state. As always in this type of attack, the security company could not however attribute with certainty this maneuver of cyber espionage.