Overt Operator
How AeroBlade Hacked the Aerospace Industry
Details of the Attacks Emerge
In a nearly yearlong commercial cyberespionage campaign, a US aerospace company fell victim to a relentless attack carried out by a newly identified threat actor known as "AeroBlade," according to researchers.
Unlike the high-stakes aerospace espionage typically associated with nation-states and ransomware groups, this particular campaign followed a familiar playbook, employing tactics such as phishing, template injection, and VBA macro code.
Although these techniques may seem outdated, the campaign evaded detection for almost a year thanks to robust anti-analysis protections; it consisted of a testing phase in September 2022 and an execution phase in July 2023.
The full extent of the campaign's success and the exact nature of any compromised data are still unknown.
The Attacks Unfold
The two-pronged attack began with phishing emails containing lure documents. Upon opening the attachments, victims were greeted with scrambled text within Microsoft Word documents. A suspicious header accompanied the scrambled text, stating: "Something went wrong. Enable content to load the document."
Taking advantage of the familiarity of old macro notifications, this false flag enticed victims to enable content, unknowingly initiating the retrieval and execution of a malicious Microsoft Word template (DOTM) file. Embedded within the template were a readable decoy document and instructions for a second-stage infection.
The final payload in this intricate attack chain was a dynamic link library (DLL) file functioning as a reverse shell. This payload gathered and exfiltrated sensitive system information and directories, establishing persistence by creating a task within the Windows Task Scheduler set to trigger every morning at 10:10 AM local time.
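The remote-template step above leaves a concrete artifact in the lure document: a standard OOXML `attachedTemplate` relationship in `word/_rels/settings.xml.rels` whose target is an external URL rather than a local path. The following triage script, added here as an example (not code from the article or from the researchers), flags that indicator and the presence of a VBA project in any `.docx`; the sample package it builds is constructed inline, and the `template.invalid` URL is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces (the attachedTemplate relationship type is what
# Word follows to fetch a remote .dotm when the document is opened).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def remote_template_targets(docx_bytes):
    """Return external attachedTemplate targets from word/_rels/settings.xml.rels.

    A benign document usually has no attachedTemplate relationship, or one that
    points to a local path; TargetMode="External" plus a URL is the indicator.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                hits.append(rel.get("Target"))
    return hits


def has_vba_project(docx_bytes):
    """True if the package carries a VBA project, i.e. macro code to 'enable'."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return "word/vbaProject.bin" in zf.namelist()


def build_sample(template_url=None):
    """Construct a minimal document package for testing (constructed data only)."""
    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_url:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_url}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("http://template.invalid/lure.dotm")  # placeholder URL
    print(remote_template_targets(sample), has_vba_project(sample))
```

Run it over mail-gateway attachments or a quarantine folder; any document that reports an external template target deserves a look regardless of whether it also carries macros, since the macro code in this campaign lived in the fetched template, not in the lure itself.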
Following an initial "test" attack, AeroBlade returned with a series of more sophisticated techniques. These advancements allowed the threat actor to maintain their covert operations and avoid detection for an extended period. The campaign's success can be attributed to the careful integration of anti-analysis protections, making it difficult for security researchers and analysts to uncover and mitigate the attack.
The investigation into this cyberespionage campaign remains ongoing, with researchers working tirelessly to determine the potential impact on the targeted aerospace company. The incident serves as a reminder that even seemingly outdated attack methods can still pose a significant threat to organizations, emphasizing the need for robust cybersecurity measures.
As the aerospace industry continues to face evolving threats from both nation-states and independent actors, companies must remain vigilant and prioritize the implementation of advanced security protocols. By staying one step ahead of cyber adversaries, organizations can better protect their sensitive data, intellectual property, and overall operational integrity.