LinkedIn ‘Job Offers’ Targeted Aerospace, Military Firms With Malware


Attackers are impersonating human resource employees from Collins Aerospace and General Dynamics in a spear-phishing campaign leveraging LinkedIn’s messaging service. Targets are sent phony job offers that include malicious documents designed to fetch data-exfiltrating malware.

The spear-phishing messages were part of a widespread campaign, dubbed “Operation In(ter)ception,” which targeted victims at European and Middle East aerospace and military companies. Researchers believe the primary goal of the attacks, which occurred from September to December 2019, was espionage. However, in one case, attackers also tried to utilize a compromised victim’s email account in a business email compromise (BEC) attack, showing that they may also have financial motives.

The cyberattacks “were highly targeted and relied on social engineering over LinkedIn and custom, multistage malware,” said researchers with ESET in a Wednesday analysis, shared at ESET Virtual World 2020. “To operate under the radar, the attackers frequently recompiled their malware, abused native Windows utilities and impersonated legitimate software and companies. To our knowledge, the custom malware used in Operation In(ter)ception hasn’t been previously documented.”

Victims were first sent a job offer in a LinkedIn message from a “well-known company in a relevant sector.” These included Collins Aerospace (formerly Rockwell Collins), a major U.S. supplier of aerospace and defense products, and General Dynamics, another large U.S.-based corporation.