Chinese-speaking hackers have hacked dozens of private enterprises and public organisations in the defence industry in several Eastern European countries and Afghanistan in order to steal secret documents, security researchers say.
The attacks began in January of this year and used malware called PortDoor that was also used by China-backed hackers in April 2021 to hack the systems of a defence contractor that designs submarines for the Russian Navy.
In some cases the more recent attacks were able to take over the targets’ entire IT infrastructure, including systems used to manage security software, said Kaspersky ICS CERT.
The attacks use carefully crafted phishing emails that in some cases draw on information not available to the public, which may have been stolen earlier from the same organisation or from other organisations, Kaspersky said.
The information includes the full names of employees responsible for handling sensitive information and internal codenames of projects developed by attacked organisations.
The emails contain Microsoft Word documents that exploit the CVE-2017-11882 vulnerability that exists in older versions of Microsoft Equation Editor, a Microsoft Office component.
The vulnerability allows malicious code to be executed on the target system without any further action from the user.
The attackers used the vulnerability to deploy PortDoor malware, which then installed additional malware.
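As an added defender-side example, not code from the article or from Kaspersky: a small Python detector that runs over constructed process-creation events and flags the tell-tale behaviour of a CVE-2017-11882 document, Equation Editor (EQNEDT32.EXE) spawning a child process. The key="value" format, field names, paths and sample lines are assumptions modelled on Sysmon Event ID 1, not real telemetry.

```python
import re
from typing import Dict, List

# Constructed process-creation events in a simplified key="value" form that
# mimics Sysmon Event ID 1 fields; they are not real telemetry and not from
# the Kaspersky report.
SAMPLE_EVENTS = [
    r'Image="C:\Windows\System32\svchost.exe" ParentImage="C:\Windows\System32\services.exe" CommandLine="svchost.exe -k DcomLaunch"',
    r'Image="C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" ParentImage="C:\Windows\System32\svchost.exe" CommandLine="EQNEDT32.EXE -Embedding"',
    r'Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" CommandLine="cmd.exe /c constructed-example"',
    r'Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ParentImage="C:\Windows\explorer.exe" CommandLine="WINWORD.EXE /n"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
EQUATION_EDITOR = "eqnedt32.exe"


def parse_event(line: str) -> Dict[str, str]:
    """Split one key="value" event line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_equation_editor_children(lines: List[str]) -> List[Dict[str, str]]:
    """Return events whose parent process is Equation Editor.

    Equation Editor is started out-of-process by the DcomLaunch svchost.exe,
    not by WINWORD.EXE, so a WINWORD -> EQNEDT32 parent/child rule would miss
    it; the reliable signal is EQNEDT32.EXE itself spawning any child, which
    the legitimate component has no reason to do.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if basename(ev.get("ParentImage", "")) == EQUATION_EDITOR:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_equation_editor_children(SAMPLE_EVENTS):
        print("ALERT: Equation Editor spawned", ev["Image"], "->", ev["CommandLine"])
```

The same rule works on real Sysmon or EDR process-creation logs once the field extraction is swapped for the product's own parser.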
The data stolen was sent in encrypted form to servers in various other countries, before being forwarded on to servers in China.
“The attack targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan,” Kaspersky said in an advisory.
“An analysis of information obtained while investigating the incidents indicates that cyberespionage was the goal of this series of attacks.”
The company said it believes the attacks were carried out by a Chinese threat group known as TA428, which focuses on information theft and targets organisations in Asia and Eastern Europe.
“We believe that the attack series we have identified is an extension of a known campaign described in the research of Cybereason, DrWeb, and NTTSecurity,” Kaspersky said.
“This is supported by numerous facts and a large amount of evidence we have identified, from the choice of victims to matching CnC servers.”
The company recommended the use of up-to-date security systems.