Attackers are impersonating human resources employees from Collins Aerospace and General Dynamics in a spear-phishing campaign leveraging LinkedIn’s messaging service. Targets are sent phony job offers that include malicious documents designed to fetch data-exfiltrating malware.
The spear-phishing messages were part of a widespread campaign, dubbed “Operation In(ter)ception,” which targeted victims at European and Middle Eastern aerospace and military companies. Researchers believe the primary goal of the attacks, which occurred from September to December 2019, was espionage. However, in one case, attackers also tried to use a compromised victim’s email account in a business email compromise (BEC) attack, showing that they may also have financial motives.
The cyberattacks “were highly targeted and relied on social engineering over LinkedIn and custom, multistage malware,” said researchers with ESET in a Wednesday analysis, shared at ESET Virtual World 2020. “To operate under the radar, the attackers frequently recompiled their malware, abused native Windows utilities and impersonated legitimate software and companies. To our knowledge, the custom malware used in Operation In(ter)ception hasn’t been previously documented.”
Victims were first sent a job offer in a LinkedIn message from a “well-known company in a relevant sector.” These included Collins Aerospace (formerly Rockwell Collins), a major U.S. supplier of aerospace and defense products, and General Dynamics, another large U.S.-based corporation.
Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies | WeLiveSecurity
ESET research uncovers attacks against several high-profile aerospace and military companies in Europe and the Middle East, with several hints suggesting a possible link to the Lazarus group.