Targeted Trident cyber-attack against defence company

Targeted attacks occur when cybercriminals launch malware against a specific organisation, industry or government department. In recent years we’ve often seen these distributed in the form of booby-trapped Word documents or malformed Adobe PDF files.

Overnight we intercepted an attack against a firm working in the defence industry (which we will not name for obvious reasons). The emails carried a malicious PDF file claiming to be about the Trident D-5 missile, launched from nuclear submarines.

Malicious targeted attack email about Trident D5 missile

The emails we saw read as follows:

Sign up to our free newsletter.
Security news, advice, and tips.

Subject: TRIDENT D-5 MISSILE TECHNICAL REPORT

Message body:
Dear all,

Attached Trident D-5 Missile Explosive Propellant Hazards.

(Please note that this summary does not discuss the conventional explosive material inside the Trident W76 and W88 nuclear warheads, which is an additional hazard.This previously unpublished report was prepared in support of our environmental lawsuit against the Trident D-5 missile upgrade at Bangor, filed in federal court on June 11,2009)

Attached file: TRIDENT D-5 MISSILE.zip

As is normal, the malicious hackers behind the attack forged the “from:” address, pretending that the email was a communication from an employee of another defense contractor. In this case they used the real name, email addresss and phone number of one of this contractor’s PR team – details which can be found easily on the web – to make the message appear more plausible.

Opening the ZIP attachment is, of course, a very bad idea. It contains a file called “TRIDENT D-5 MISSILE.PDF”, which itself contains embedded JavaScript and SWF code to exploit vulnerabilities and deliver a malicious payload to the recipient’s computer. The purpose appears to be to open a backdoor on the infected computer through which the hacker will be able to remotely access sensitive information.

There are two bits of good news. The first is that Sophos detects the attack as Troj/PDFJs-KY. :) The second is that unless you work at the targeted company (or one that works in a similar industry) you are unlikely to encounter this particular targeted email.

Of course, the same exploit could be used with a variety of other disguises and it is possible that your firm – whether it be big or small – may be in the gunsights for other targeted attacks.

So ensure that you keep your computers and servers up-to-date with appropriately configured security software, that you make it a habit of rolling out security updates for commonly used applications such as your browser, Adobe Flash, PDF Reader and Microsoft Office products, and teach your staff to always be suspicious of unsolicited attachments and unexpected links.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.