Cyber Incident Victim: JSC Makeyev Design Bureau
Date: Sep 2021
Location: Russia
Summary
A suspected cyber-espionage operation targeted Russian defense and telecommunications entities through spear-phishing emails carrying malicious Office documents that exploited a recently patched vulnerability (CVE-2021-40444). The booby-trapped files posed as HR forms or government fines and triggered malware deployment when recipients enabled editing. Exploitation abused an Internet Explorer component to execute arbitrary code, leading to the installation of a heavily obfuscated payload with anti-analysis protections. The primary victim was a major developer of ballistic missile and rocket propulsion systems, indicating potential state-sponsored involvement. While the final payload's functionality was not detailed, the operation aimed to compromise sensitive defense infrastructure. Attribution remains unclear, though the sophistication and targeting align with advanced threat actors. Microsoft had issued a patch for the vulnerability shortly before these attacks were observed.
Description
In mid-September 2021, cybersecurity researchers identified a spear-phishing campaign targeting Russian organizations, including JSC GREC Makeyev, a defense contractor specializing in liquid and solid fuel development for ballistic missiles and space rockets. The campaign involved malicious Microsoft Office documents masquerading as internal HR department communications, instructing employees to enable editing to fill out an attached form. Enabling editing triggered an exploit for CVE-2021-40444, a zero-day vulnerability in the Internet Explorer MHTML component that allowed execution of arbitrary code via specially crafted ActiveX controls embedded within the documents. Security firm Malwarebytes first documented these attacks on September 16, 2021, noting the final payload deployed a Themida-packed DLL downloader implementing multiple anti-analysis techniques. Additional malicious documents impersonated fines issued by Russia’s Ministry of the Interior, though specific targets for these variants remained unconfirmed.

The exploitation of CVE-2021-40444 enabled attackers to install additional malware on unpatched Windows systems. Microsoft had released a patch for this vulnerability on September 14, 2021, during its monthly Patch Tuesday update cycle. Malwarebytes assessed that the targeting of a strategic defense entity suggested potential state-sponsored involvement but could not attribute the attacks to a specific threat group. The incident represented a rare example of cyber operations against Russian entities, following an FSB report in May 2021 alleging breaches of government agencies by foreign-linked actors. Beyond JSC Makeyev, the same exploit was observed targeting Russian telecommunications providers. Security researchers also noted experimentation with the exploit by an individual associated with the Ryuk/Conti ransomware operation, indicating broader adoption of the attack vector by cybercriminal entities following its public disclosure.
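As an added defender-side example (not part of the original incident record or of any vendor's tooling), the following scanner checks a .docx for the delivery pattern associated with CVE-2021-40444: an OLE-object relationship whose target is an external mhtml: URL handled by the Internet Explorer MHTML component. The sample documents are constructed inline; the hostname example.invalid is a placeholder, and treating any external oleObject relationship as suspicious is a heuristic assumption, not a rule from the page.

```python
"""Flag Office Open XML relationships that point at an external mhtml: target,
the document-side indicator of the CVE-2021-40444 exploitation chain."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MHTML_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)


def suspicious_relationships(docx_bytes: bytes) -> list:
    """Return (rels file, rel Id, target) for every relationship that uses an
    mhtml: target or loads an OLE object from an external location."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts carry external targets
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if MHTML_RE.match(target) or (external and rel.get("Type") == OLE_REL):
                    hits.append((name, rel.get("Id"), target))
    return hits


def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx whose only interesting part is document.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples: a normal styles relationship versus an external mhtml: OLE target.
BENIGN_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
               f'Type="{OLE_REL[:-9]}styles" Target="styles.xml"/></Relationships>')
MALICIOUS_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId5" Type="{OLE_REL}" '
                  'Target="mhtml:http://example.invalid/form.html" TargetMode="External"/>'
                  '</Relationships>')

if __name__ == "__main__":
    print("benign   :", suspicious_relationships(build_docx(BENIGN_RELS)))
    print("malicious:", suspicious_relationships(build_docx(MALICIOUS_RELS)))
```

A hit is a reason to quarantine the attachment and check whether the endpoint has the September 14, 2021 update installed, not proof of exploitation on its own.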
