New Chinese Malware Targeted Russia’s Largest Nuclear Submarine Designer



A threat actor believed to be working on behalf of Chinese state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear submarines for the naval arm of the Russian Armed Forces.

The phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous “Royal Road” Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed “PortDoor,” according to Cybereason’s Nocturnus threat intelligence team.

“Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more,” the researchers said in a write-up on Friday.


Rubin Design Bureau is a submarine design center located in Saint Petersburg, accounting for the design of over 85% of submarines in the Soviet and Russian Navy since its origins in 1901, including several generations of strategic missile cruiser submarines.

[Figure: Content of the weaponized RTF document]

Over the years, Royal Road has earned its place as a tool of choice among an array of Chinese threat actors such as Goblin Panda, Rancor Group, TA428, Tick, and Tonto Team. Known for exploiting multiple flaws in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802) as far back as late 2018, the attacks take the form of targeted spear-phishing campaigns that utilize malicious RTF documents to deliver custom malware to unsuspecting high-value targets.

This newly discovered attack is no different, with the adversary using a spear-phishing email addressed to the submarine design firm as the initial infection vector. The email carries a malware-laced document which, when opened, drops an encoded file called “e.o” to fetch the PortDoor implant. The encoded payload dropped by previous versions of Royal Road typically goes by the name “8.t,” implying that a new variant of the weaponizer is in use.
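The article notes that PortDoor relies on one-byte XOR encoding and that the dropper writes an encoded file before fetching the implant. The following is an added example (not code from the article or from Cybereason's write-up) of how an analyst recovers such a key from a dropped file: first from a known plaintext prefix (a Windows PE starts with “MZ”), and if that fails by trying all 256 keys and scoring the result. The blob it decodes is constructed inline as a stand-in for a PE file; it is not the real “e.o”, and the assumption that the encoded payload is a PE is the example's own.

```python
from typing import Optional, Tuple

# Known plaintext that appears in nearly every PE file's DOS stub.
DOS_STUB = b"This program cannot be run in DOS mode."


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def key_from_known_header(blob: bytes, header: bytes = b"MZ") -> Optional[int]:
    """Derive the key from a known plaintext prefix.

    Every header byte must agree on the same key; if they disagree (or the
    blob is too short) the file was not single-byte XORed with this header
    and None is returned.
    """
    if len(blob) < len(header):
        return None
    keys = {c ^ p for c, p in zip(blob, header)}
    return keys.pop() if len(keys) == 1 else None


def key_by_brute_force(blob: bytes) -> int:
    """Try all 256 keys; prefer the one that reveals the DOS stub string,
    otherwise the one yielding the highest share of printable ASCII."""
    if not blob:
        return 0
    best_key, best_score = 0, -1.0
    for key in range(256):
        plain = xor_single_byte(blob, key)
        if DOS_STUB in plain:
            return key
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in plain)
        score = printable / len(plain)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def decode_payload(blob: bytes) -> Tuple[int, bytes]:
    """Recover the key (cheap header check first, brute force as fallback)
    and return it together with the decoded bytes."""
    key = key_from_known_header(blob)
    if key is None:
        key = key_by_brute_force(blob)
    return key, xor_single_byte(blob, key)


def build_sample_blob(key: int) -> bytes:
    """Constructed sample: a fake PE header plus DOS stub, XOR-encoded with `key`.
    This is test data for the example, not a real dropped file."""
    fake_pe = b"MZ\x90\x00" + bytes(60) + DOS_STUB + bytes(16)
    return xor_single_byte(fake_pe, key)


if __name__ == "__main__":
    sample = build_sample_blob(0x5A)  # constructed input, key chosen arbitrarily
    key, plain = decode_payload(sample)
    print(f"recovered key 0x{key:02x}, decoded header {plain[:2]!r}")
```

In practice the header check is the first thing to try because it costs two XORs; the brute-force path is what you fall back to when the dropped file is not a PE or its first bytes have been tampered with, and the printable-ASCII score is only a heuristic that should be confirmed by inspecting the decoded bytes.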

Said to be engineered with obfuscation and persistence in mind, PortDoor runs the backdoor gamut with a wide range of…


Chinese hackers behind VPN attack on US defence firms: Security experts, United States News & Top Stories


WASHINGTON (AFP) – Chinese hackers allegedly penetrated a company’s VPN technology to break into computer networks of the US defence industry sector, security consultant Mandiant said on Tuesday (April 20).

Mandiant linked at least two hacking groups, one of them believed to be an official Chinese cyber-spying operation, to malware used to exploit vulnerabilities in VPN security devices made by Pulse Secure, owned by Utah-based Ivanti.

The group used the malware to try to hijack user and administrator identities and enter the systems of US defence industry companies between October 2020 and March 2021, Mandiant said.

It said that governments and financial firms in the US and Europe were also targeted.

It called one of the hacking groups UNC2630.

“We suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5,” it said, referring to a known Chinese state-sponsored hacking group.

It said a “trusted third party” also tied the hacking to APT5.

“APT5 persistently targets high value corporate networks and often re-compromises networks over many years. Their primary targets appear to be aerospace and defense companies located in the US, Europe, and Asia,” Mandiant said.

It said it did not have enough information to identify who was behind some of the malware.

There was no assessment of how many companies were affected or what the hackers did with their access to the networks.

Pulse confirmed the main parts of the Mandiant report, saying that it had already released fixes to its products to block the malware.

Pulse said the hackers impacted “a limited number of customers.”


Facebook finds Chinese hacking operation targeting Uyghurs

Facebook says hackers in China used fake accounts and impostor websites in a bid to break into the phones of Uyghur Muslims

The company said the sophisticated, covert operation targeted Uyghur activists, journalists and dissidents from China’s Xinjiang region, as well as individuals living in Turkey, Kazakhstan, the U.S., Syria, Australia, Canada and other nations.

The accounts and sites contained malicious links. If the target clicked on one, their computer or smartphone would be infected with software allowing the network to spy on the target’s device.

The software could obtain information including the victim’s location, keystrokes and contacts, according to FireEye, a cybersecurity firm that worked on the investigation.

In all, fewer than 500 people were targeted by the hackers in 2019 and 2020, Facebook said. The company said it uncovered the network during its routine security work, and has deactivated the fictitious accounts and notified individuals whose devices may have been compromised. Most of the hackers’ activities took place on non-Facebook sites and platforms.

“They tried to create these personas, build trust in the community, and use that as a way to trick people into clicking on these links to expose their devices,” said Nathaniel Gleicher, Facebook’s head of security policy.

Facebook’s investigation found links between the hackers and two technology firms based in China but no direct links to the Chinese government, which has been criticized for its harsh treatment of Uyghurs in Xinjiang. FireEye, however, said in a statement that “we believe this…


Chinese nation state hackers linked to Finnish Parliament hack



Chinese nation-state hackers have been linked to an attack on the Parliament of Finland that took place last year and led to the compromise of some parliament email accounts.

“Some parliament e-mail accounts may have been compromised as a result of the attack, among them e-mail accounts that belong to MPs,” Parliament officials said at the time.

The attack was detected by the Finnish Parliament’s security team and is being investigated by the Finnish National Bureau of Investigation (NBI), with the help of the Security Police and the Central Criminal Police.

“Last year, the Security Police has identified a state cyber-espionage operation against Parliament, which tried to infiltrate Parliament’s information systems,” a statement issued today reads. “According to intelligence from the Security Police, this was the so-called APT31 operation.”

Central Criminal Police Commissioner Tero Muurman added that further details regarding the attack will not be disclosed while the investigation is still ongoing.

“When the investigated criminal offenses are aggravated espionage, aggravated computer break-in, and aggravated message interception everyone understands how serious offenses we are dealing with,” Parliament Speaker Anu Vehviläinen said.

APT31 espionage campaigns

APT31 (also tracked as Zirconium and Judgment Panda) is a China-backed hacking group known for its involvement in numerous information theft and espionage operations, working at the behest of the Chinese Government.

As BleepingComputer previously reported, this APT group has also been linked to the theft and repurposing of the EpMe NSA exploit years before Shadow Brokers publicly leaked it in April 2017.

Last year, Microsoft observed APT31 attacks against international affairs community leaders and high-profile individuals associated with the Joe Biden for President campaign.

APT31 was also…