Cybersecurity experts have uncovered highly targeted malware attacks against aerospace and military companies in Europe and the Middle East, highlighting how effective spear phishing can be when targeting individuals.
The spear-phishing attacks, which the Slovakian internet security company ESET has dubbed Operation In(ter)ception, involved the attackers directly contacting executives on LinkedIn.
Spear phishing is the practice of sending emails that appear to come from a known or trusted sender in order to induce the targeted victim to reveal confidential information.
The In(ter)ception attacks – which take their name from a related malware sample named “Inception.dll” – were found to have taken place from September to December 2019, with the aim of stealing both information and money from military and aerospace executives.
Initially, hackers would pose as recruiters from well-known existing companies in the aerospace and defense industry and offer lucrative jobs to their victims. The LinkedIn or email conversation would begin as a friendly overture, but the attackers would quickly increase the pace of questions to the target, pressuring them to answer and reveal key information, such as what system the executive was using.
The hackers would then slip in malicious files disguised as documents relevant to the ‘job’, with the expectation that the victim would download them. For example, the attacker would send a PDF containing salary information for the purported job positions. This decoy, once downloaded, would actually execute a command prompt on the target’s computer, which would set off a chain reaction allowing the hackers to secure a foothold on the machine from which to spy.
According to the report, “the primary goal of the operation was espionage,” yet in one instance, the hackers attempted to monetize access to a victim’s account through a BEC (business email compromise) attack. The report suggests that this final play would signal the end of the attack.
ESET admits that there was not enough evidence to pin the attacks on a known threat actor. However, there were several hints suggesting a possible link to Lazarus Group – the collective behind the infamous 2014 Sony Pictures hack, and known for targeting defense companies and using fake LinkedIn accounts.
While the evidence is still inconclusive, the Sony Pictures hack was thought to be in retaliation for the company’s role in the production of “The Interview,” a comedy that satirizes the leader of North Korea and depicts him being assassinated.
The Sony attack was “far more destructive than any seen before on American soil,” and led to the cancellation of the film’s intended release.