Cisco detected a targeted phishing campaign aimed at the aviation industry for two years, which was potentially organized by cyber threat actor(s) operating out of Nigeria.
The actor(s) have been targeting the aviation industry for the last two years, while managing other campaigns at the same time. Researchers found that they do not seem to be technically sophisticated as they’re using off-the-shelf malware since the beginning of their activities without developing their own malware.
The operators also bought crypters that enable the usage of such malware without being detected. Throughout the years they used several different cryptors, mostly bought on online forums and are believed to have been active since 2013.
The cyber attacks involve emails containing specific lure documents centered around the aviation or cargo industry that purport to be PDF files but link to a VBScript file, which ultimately leads to the delivery of remote access trojans (RATs), leaving organizations vulnerable to an array of security risks.
Actors that perform smaller incidents can keep doing them for a long period of time under the radar. However, their activities can lead to major incidents at large organizations. These are the operators that feed the underground market of credentials and cookies, which can then be used by larger groups on activities.
Commenting on the targeted attacks, Fady Younes, Cybersecurity Director at Cisco Middle East and Africa said: “Many operators can have limited technical knowledge but still be able to operate RATs or information-stealers – posing a significant risk to large corporations given the right conditions. In this case, what appeared to be a simple campaign was, in fact, a continuous operation that has been active for years – targeting a whole industry with commodity malware hidden with different crypters.”
“Even though cybersecurity is not a threat specific to aviation, in the last few years the sector has been at the forefront of several cyber attacks. It is crucial to be careful with weak links that could lead to flawed conclusions. The weak links shouldn’t be discarded — it would be wise to view them as one more piece of information that, together with other links, can yield to a much stronger relationship between two pieces of information,” Younes added.
