Security News > 2021 > April > Suspected Chinese state hackers target Russian submarine designer
Hackers suspected to work for the Chinese government have used a new malware called PortDoor to infiltrate the systems of an engineering company that designs submarines for the Russian Navy.
Threat researchers at Cybereason Nocturnus found that the attacker lured the recipient to open the malicious document with a general description for an autonomous underwater vehicle.
The use of RoyalRoad has been linked in the past to several threat actors working on behalf of the Chinese government, like Tick, Tonto Team, TA428, Goblin Panda, Rancor, Naikon.
The researchers attributed PortDoor to a Chinese state-sponsored hacker group based on similarities in tactics, techniques, and procedures with other China-linked threat actors.
Based on work from security researcher nao sec, Cybereason was able to determine that the malicious RTF document was created with RoaylRoad v7 with a header encoding associated with operations from Tonto Team, Rancor, and TA428.
"Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor. We hope that as time goes by, and with more evidence gathered, the attribution could be more concrete" - Cybereason.
News URL
Related news
- Chinese hackers target Russian govt with upgraded RAT malware (source)
- Russian hackers attack Western military mission using malicious drive (source)
- Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool (source)
- Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery (source)
- Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp (source)
- France ties Russian APT28 hackers to 12 cyberattacks on French orgs (source)
- Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool (source)
- Russian Hackers Using ClickFix Fake CAPTCHA to Deploy New LOSTKEYS Malware (source)
- Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell (source)
- Chinese hackers behind attacks targeting SAP NetWeaver servers (source)