Cybersecurity researchers from Cybereason's Nocturnus Team have found a powerful backdoor planted at the heart of a Russian design center responsible for the country's nuclear submarines. The researchers suspect state-linked Chinese hacker groups are behind it.
We do not see it, but it roars through the networks: cyber warfare is silent, and one of the most feared state weapons is cyber espionage. Knowing the secret plans of other states guarantees a degree of superiority in the event of conflict. In this area, the clues often point to hacker groups linked to the Kremlin or to the Chinese state. And it seems that the latter wanted to learn more about Russia's submarine designs.
Researchers from the Cybereason Nocturnus Team have in fact identified malware carrying a backdoor that specifically targeted a large Russian company responsible for designing nuclear submarines for the Russian Navy since 1991. The spear-phishing attack was aimed at the director of the Rubin design bureau, a submarine design center located in St. Petersburg. Through him, the attackers presumably wanted to reach the Gidropribor consortium, of which Rubin is a part. It is this center that designs torpedoes and submarines.
RoyalRoad: weaponized malware
The backdoor was delivered by RoyalRoad, a known cyber weapon that relies on malicious RTF files and lets the attacker in through older versions of Word; the victim has to open the attachment in an unpatched, older Office installation for the exploit to work. According to the researchers, RoyalRoad was customized for this operation to drop a previously unseen backdoor dubbed PortDoor. With it, the attackers can deliver additional payloads, escalate their privileges, and exfiltrate data.
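Because the initial foothold is a malicious RTF opened in an old Office build, the practical first check on the defender's side is static triage of RTF attachments before they reach a mailbox or a sandbox. The script below is an added example written for this page, not code from Cybereason or from the article; the indicators it looks for (an embedded OLE object of the Equation Editor class, and a decoded object blob that references the dropped file name 8.t) are assumptions taken from public reporting on RoyalRoad-built documents, and the sample documents it scans are constructed inline as fixtures, not real exploit files.

```python
import binascii
import re

# Indicators assumed from public reporting on RoyalRoad-built RTF files
# (not stated by this article): the exploit targets the Equation Editor
# OLE class, and the decoded object blob usually names a dropped file 8.t.
SUSPICIOUS_CLASSES = ("Equation.3", "Equation.2")
SUSPICIOUS_BLOB_MARKERS = (b"Equation.3", b"Equation.2", b"8.t")

_OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\]+)")
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
_NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


def _decode_objdata(hex_blob: bytes) -> bytes:
    """Decode an \\objdata hex run, tolerating whitespace and an odd trailing nibble."""
    clean = _NON_HEX_RE.sub(b"", hex_blob)
    if len(clean) % 2:
        clean = clean[:-1]
    return binascii.unhexlify(clean)


def triage_rtf(data: bytes) -> dict:
    """Static triage of one RTF document.

    Returns {'suspicious': bool, 'findings': [str, ...]}.  Flags a truncated
    or malformed header (Word still opens such files), an embedded object of
    an Equation Editor class, and object data containing the assumed markers.
    """
    findings = []
    if not data.lstrip().startswith(b"{\\rtf1"):
        findings.append("header is not {\\rtf1 (truncated or obfuscated header)")
    for m in _OBJCLASS_RE.finditer(data):
        cls = m.group(1).strip().decode("latin-1")
        if cls in SUSPICIOUS_CLASSES:
            findings.append(f"Equation Editor object class: {cls}")
    for m in _OBJDATA_RE.finditer(data):
        blob = _decode_objdata(m.group(1))
        for marker in SUSPICIOUS_BLOB_MARKERS:
            if marker in blob:
                findings.append(f"embedded object data contains {marker.decode()}")
    return {"suspicious": bool(findings), "findings": findings}


def build_sample_rtf(objclass: str, blob: bytes) -> bytes:
    """Construct a minimal RTF with one embedded OLE object (test fixture only)."""
    return (
        "{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass " + objclass + "}"
        "{\\*\\objdata " + blob.hex() + "}}}"
    ).encode("ascii")


# Constructed blobs that mimic an OLE 1.0 object header: version, format id
# (2 = embedded), length-prefixed class name.  No real exploit content.
BENIGN_BLOB = b"\x01\x05\x00\x00\x02\x00\x00\x00\x10\x00\x00\x00Word.Document.8\x00"
WEAPONIZED_BLOB = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00" + b"8.t\x00"
)

BENIGN_RTF = build_sample_rtf("Word.Document.8", BENIGN_BLOB)
WEAPONIZED_RTF = build_sample_rtf("Equation.3", WEAPONIZED_BLOB)
TRUNCATED_HEADER_RTF = b"{\\rt1\\ansi Hello}"

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF),
                      ("weaponized", WEAPONIZED_RTF),
                      ("truncated-header", TRUNCATED_HEADER_RTF)):
        result = triage_rtf(doc)
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("   ", finding)
```

The point of running this at the mail gateway rather than relying on the endpoint is that the exploit only fires inside an old Office build; an attachment flagged here never has to reach one. Treat a hit as a reason to detonate the file in a sandbox, not as proof of RoyalRoad on its own.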
While the phishing technique itself remains basic, the use of RoyalRoad and the way it was customized led the analysts to focus their suspicions on Chinese APT groups usually sponsored by the Chinese state. As is always the case with this type of attack, however, the security company could not attribute the espionage operation with certainty.