Operation In(ter)ception: Hackers target aerospace companies via LinkedIn recruitment messages

Hackers first sent an exciting job offer via LinkedIn to aerospace executives while posing themselves as recruiters from well-known firms, such as General Dynamics and Collins Aerospace

Researchers from cyber security firm ESET have uncovered a new cyber espionage operation that targeted European aerospace and military firms via LinkedIn spear-phishing messages.

Named Operation In(ter)ception, the campaign continued from September to December 2019, with threat actors impersonating as recruiters for US defence firms General Dynamics and Collins Aerospace to infiltrate the networks of European defence contractors.

The cyber attacks were highly targeted and relied on social engineering over LinkedIn and custom malware. Hackers first sent an exciting job offer via LinkedIn to aerospace executives while posing themselves as recruiters from well-known firms, such as General Dynamics and Collins Aerospace. But their "job offer" contained multiple malicious documents, which the targets were tricked into opening.

"Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools," ESET researchers stated.

"Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation and impersonating legitimate software and companies."

According to ESET's head of threat research, Jean-Ian Boutin, the conversation between the attacker and the executives usually started out in a friendly way, but later the attacker would pressure the executives to answer the questions more quickly. They would also ask executives what machines they were using in order to determine the configurations.

The cyber actors behind the campaign were able to infiltrate the systems of at least two aerospace and defence firms in Central Europe, according to ESET. The researchers did not disclose the identity of the victims citing client privacy, and said that it was not clear if any data was stolen.

The primary aim of the campaign was espionage, but in one case, hackers were seen noticed trying to monetise their access to a victim's email account.

While the identity of the hackers could not be determined, many hints several suggested their possible link to North Korea-backed Lazarus group, the researchers said.

This group became widely known in 2014 when it hacked Sony Pictures over the film The Interview, a comedy centring on the assassination of North Korean leader Kim Jong-un.

Earlier this year, researchers from cyber security firm Kaspersky warned that Lazarus has significantly updated its attack tactics in an effort to remain undetected during cryptocurrency stealing campaigns.

In March, Malwarebyes researchers said that they had identified a new variant of the Dacls Remote Access Trojan (RAT), specifically designed by Lazarus to target devices running Mac operating system (macOS).