Targeted Trident cyber-attack against defence company

Filed Under: Malware, PDF, Spam

Targeted attacks occur when cybercriminals launch malware against a specific organisation, industry or government department. In recent years we've often seen these distributed in the form of booby-trapped Word documents or malformed Adobe PDF files.

Overnight we intercepted an attack against a firm working in the defence industry (which we will not name for obvious reasons). The emails carried a malicious PDF file claiming to be about the Trident D-5 missile, launched from nuclear submarines.

[Image: Malicious targeted attack email about Trident D5 missile]

The emails we saw read as follows:

Subject: TRIDENT D-5 MISSILE TECHNICAL REPORT

Message body:
Dear all,

Attached Trident D-5 Missile Explosive Propellant Hazards.

(Please note that this summary does not discuss the conventional explosive material inside the Trident W76 and W88 nuclear warheads, which is an additional hazard. This previously unpublished report was prepared in support of our environmental lawsuit against the Trident D-5 missile upgrade at Bangor, filed in federal court on June 11, 2009)

Attached file: TRIDENT D-5 MISSILE.zip

As is normal, the malicious hackers behind the attack forged the "from:" address, pretending that the email was a communication from an employee of another defense contractor. In this case they used the real name, email address and phone number of one of this contractor's PR team - details which can be found easily on the web - to make the message appear more plausible.

Opening the ZIP attachment is, of course, a very bad idea. It contains a file called "TRIDENT D-5 MISSILE.PDF", which itself contains embedded JavaScript and SWF code to exploit vulnerabilities and deliver a malicious payload to the recipient's computer. The purpose appears to be to open a backdoor on the infected computer through which the hacker will be able to remotely access sensitive information.
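As an added illustration of the triage a defender might do on an attachment like this (example code written for this page, not code from the original post or from Sophos), the script below opens a ZIP in memory and flags any PDF member whose raw bytes carry the name keys that embedded JavaScript and Flash (SWF) content depend on. The PDF content is constructed; only the member name is the one quoted above.

```python
import io
import re
import zipfile

# PDF name keys that signal active content of the kind described above:
# JavaScript, RichMedia/Flash (SWF) objects, and the triggers that run them.
SUSPICIOUS_KEYS = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/RichMedia": "RichMedia (Flash/SWF) annotation",
    b"/Flash": "Flash content",
    b"/OpenAction": "action run on open",
    b"/AA": "automatic action trigger",
    b"/EmbeddedFile": "embedded file",
    b"/Launch": "launch action",
}


def scan_pdf_bytes(data: bytes) -> dict:
    """Return {description: count} of suspicious name keys in raw PDF bytes."""
    # Undo #xx name escapes (e.g. /J#53 for /JS), a common evasion trick.
    data = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
    hits = {}
    for key, desc in SUSPICIOUS_KEYS.items():
        # Negative lookahead stops /JS matching /JSx or /RichMedia matching /RichMediaContent.
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", data))
        if n:
            hits[desc] = n
    return hits


def triage_zip_attachment(zip_bytes: bytes) -> list:
    """Inspect every member of a ZIP attachment; report PDFs carrying active content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            member = zf.read(info.filename)
            # Identify PDFs by magic bytes rather than extension, which is trivially renamed.
            if not member.startswith(b"%PDF"):
                findings.append((info.filename, "not a PDF", {}))
                continue
            hits = scan_pdf_bytes(member)
            verdict = "suspicious: active content" if hits else "no active content seen"
            findings.append((info.filename, verdict, hits))
    return findings


# Constructed sample, not the real attachment: a minimal PDF whose catalog runs
# JavaScript on open and that carries a RichMedia (SWF) annotation.
SAMPLE_PDF = (b"%PDF-1.6\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
              b"4 0 obj << /Type /Annot /Subtype /RichMedia /RichMediaContent 5 0 R >> endobj\n"
              b"%%EOF\n")


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("TRIDENT D-5 MISSILE.PDF", SAMPLE_PDF)
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict, hits in triage_zip_attachment(build_sample_zip()):
        print(name, "->", verdict, hits)
```

Compressed object streams hide these names from a raw byte scan, so a clean result means "nothing seen", not "safe"; it is a first-pass filter, not a replacement for a real PDF parser or a scanner such as the one mentioned below.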

There are two bits of good news. The first is that Sophos detects the attack as Troj/PDFJs-KY. :) The second is that unless you work at the targeted company (or one that works in a similar industry) you are unlikely to encounter this particular targeted email.

Of course, the same exploit could be used with a variety of other disguises and it is possible that your firm - whether it be big or small - may be in the gunsights for other targeted attacks.

So ensure that you keep your computers and servers up-to-date with appropriately configured security software, that you make it a habit to roll out security updates for commonly used applications such as your browser, Adobe Flash, PDF Reader and Microsoft Office products, and that you teach your staff to always be suspicious of unsolicited attachments and unexpected links.


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.