Airbus Supplier Attacks Part of Multi-Vertical Campaign
Security researchers have identified a new state-backed threat group they believe to be behind the recently disclosed attacks on European aerospace supply chain companies and organizations in other verticals.
Reports had suggested the attacks — which affected UK engine-maker Rolls-Royce, French tech supplier Expleo and two other French Airbus suppliers — had been carried out either by China’s APT10 group or by a regional branch of the country’s Ministry of State Security, known as JSSD.
However, security researchers at Context believe the attacks are the work of a different nation-state hacking group, which they track as “Avivore”. Although the firm stops short of attributing the activity to China, it notes that Avivore operates in the same time zone and shares some similarities with APT10/JSSD.
The group’s attack methodology follows a set pattern. After infiltrating targeted networks using compromised user credentials and legitimate remote access tools, the attackers escalate privileges by abusing legitimate tools and/or highly privileged accounts.
Next, they enumerate accounts and hosts using “net” commands, use scheduled tasks to run scripts and tooling in the context of the “SYSTEM” user, and remove traces of the scripts, tooling and event logs once execution is complete. RDP is used for lateral movement.
While many supply chain attacks are “vertical” in nature, involving an initial compromise of MSPs or software vendors, the Avivore campaigns are more “horizontal” — relying on island hopping techniques.
The group abused the commercial VPNs and other collaboration tools shared between large multinationals and the smaller engineering or consultancy firms in their supply chains. Other legitimate tools leveraged by Avivore include network scanning and certificate extraction tools, and Windows Sysinternals utilities such as ProcDump.
Binaries were disguised as Windows DLLs, with tools executed remotely using scheduled tasks and then removed, according to Context.
“Avivore showed themselves to be highly capable; adept at both ‘living-off-the-land’ and in their operational security awareness; including forensically covering their tracks. They demonstrated detailed knowledge of key individuals associated with projects of interest, and were able to successfully mirror working times and patterns of these users to avoid arousing suspicions,” explained the report.
“They were also able to manipulate victim environments and security controls to facilitate and obfuscate their activities: e.g. modifying firewall rules to accept RDP over alternate ports; establishing hosts within the victim environment as remote access proxies.”
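The chain described above (a burst of “net” enumeration, a scheduled task running as SYSTEM that loads a DLL from a user-writable path, the RDP listener moved to an alternate port with a matching firewall rule, then the event log cleared) is exactly the kind of sequence a SOC can correlate from Windows Security events. The following detection logic is an added example, not Context’s tooling, Avivore’s, or any vendor’s rule set. It runs over a constructed set of events in JSON-lines form; the event IDs are the real ones (4688 process creation, 4657 registry value change, 4698 scheduled task created, 1102 audit log cleared), but the flat JSON layout, the hostnames, usernames, paths and task names are this example’s own assumptions, and the scheduled-task fields are flattened here rather than read from the event’s TaskContent XML as a real collector would have to do.

```python
"""Detect the living-off-the-land chain described above.

Added example, not Context's or any vendor's tooling. Input is a
constructed set of Windows Security events (JSON lines). Field names
follow the real EventData names, but the flat layout, hosts, users and
paths are assumptions of this example, not a real collector's schema.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENUM_VERBS = {"group", "user", "view", "localgroup", "accounts"}
WRITABLE_PATHS = ("\\programdata\\", "\\temp\\", "\\users\\", "\\appdata\\")
DLL_LOADERS = ("rundll32.exe", "regsvr32.exe")
RDP_KEY = "\\terminal server\\winstations\\rdp-tcp"   # PortNumber lives here

# Constructed sample: ENG-WS01 shows the full chain at 02:00 local time;
# ENG-WS02 shows routine admin activity that must not alert.
SAMPLE_LOG = r"""
{"EventID":4688,"Computer":"ENG-WS01","TimeCreated":"2018-03-05T02:11:04Z","SubjectUserName":"jsmith","NewProcessName":"C:\\Windows\\System32\\net.exe","CommandLine":"net group \"domain admins\" /domain"}
{"EventID":4688,"Computer":"ENG-WS01","TimeCreated":"2018-03-05T02:11:09Z","SubjectUserName":"jsmith","NewProcessName":"C:\\Windows\\System32\\net.exe","CommandLine":"net view /domain"}
{"EventID":4688,"Computer":"ENG-WS01","TimeCreated":"2018-03-05T02:11:15Z","SubjectUserName":"jsmith","NewProcessName":"C:\\Windows\\System32\\net.exe","CommandLine":"net user /domain"}
{"EventID":4657,"Computer":"ENG-WS01","TimeCreated":"2018-03-05T02:13:40Z","SubjectUserName":"jsmith","ObjectName":"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp","ObjectValueName":"PortNumber","OldValue":"3389","NewValue":"3390"}
{"EventID":4688,"Computer":"ENG-WS01","TimeCreated":"2018-03-05T02:14:02Z","SubjectUserName":"jsmith","NewProcessName":"C:\\Windows\\System32\\netsh.exe","CommandLine":"netsh advfirewall firewall add rule name=\"Remote Desktop Alt\" dir=in action=allow protocol=TCP localport=3390"}
{"EventID":4698,"Computer":"ENG-WS01","TimeCreated":"2018-03-05T02:16:30Z","SubjectUserName":"jsmith","TaskName":"\\Microsoft\\Windows\\Update\\svc","RunAs":"SYSTEM","Command":"C:\\Windows\\System32\\rundll32.exe","Arguments":"C:\\ProgramData\\msupd.dll,Start"}
{"EventID":1102,"Computer":"ENG-WS01","TimeCreated":"2018-03-05T02:40:11Z","SubjectUserName":"jsmith"}
{"EventID":4688,"Computer":"ENG-WS02","TimeCreated":"2018-03-05T09:00:00Z","SubjectUserName":"helpdesk","NewProcessName":"C:\\Windows\\System32\\net.exe","CommandLine":"net user jdoe /domain"}
{"EventID":4698,"Computer":"ENG-WS02","TimeCreated":"2018-03-05T09:02:00Z","SubjectUserName":"svc_patch","TaskName":"\\Corp\\PatchCheck","RunAs":"SYSTEM","Command":"C:\\Program Files\\Patch\\check.exe","Arguments":""}
"""


def parse_events(text):
    """Parse JSON lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, enum_threshold=3, enum_window=timedelta(minutes=5),
           wipe_window=timedelta(minutes=60)):
    """Return (rule, host, timestamp) alerts, correlating events per host."""
    alerts = []
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["Computer"]].append(ev)

    for host, evs in by_host.items():
        enum_times, task_times, rdp_port = [], [], 3389
        for ev in evs:
            ts, eid = ev["ts"], ev["EventID"]
            if eid == 4688:
                exe = ev["NewProcessName"].lower()
                cmd = ev.get("CommandLine", "")
                args, low = cmd.split(), cmd.lower()
                # 1. burst of "net" account/host enumeration on one host
                if exe.endswith(("\\net.exe", "\\net1.exe")) and len(args) > 1 \
                        and args[1].lower() in ENUM_VERBS:
                    enum_times.append(ts)
                    if sum(ts - t <= enum_window for t in enum_times) == enum_threshold:
                        alerts.append(("net_enumeration_burst", host, ts))
                # 3b. inbound allow rule for the port RDP was just moved to
                elif exe.endswith("\\netsh.exe") and "advfirewall" in low:
                    m = re.search(r"localport=(\d+)", low)
                    if m and "dir=in" in low and "action=allow" in low \
                            and int(m.group(1)) == rdp_port != 3389:
                        alerts.append(("rdp_alt_port_opened", host, ts))
            elif eid == 4657:
                # 3a. RDP listener moved off 3389 via the registry
                if RDP_KEY in ev["ObjectName"].lower() \
                        and ev["ObjectValueName"].lower() == "portnumber":
                    rdp_port = int(ev["NewValue"], 0)   # decimal or 0x-prefixed
                    if rdp_port != 3389:
                        alerts.append(("rdp_port_changed", host, ts))
            elif eid == 4698:
                # 2. SYSTEM task whose payload is a DLL loader or lives in a
                #    user-writable path (the "binary disguised as a DLL" pattern)
                task_times.append(ts)
                action = (ev.get("Command", "") + " " + ev.get("Arguments", "")).lower()
                if ev.get("RunAs", "").upper() == "SYSTEM" and (
                        any(p in action for p in WRITABLE_PATHS)
                        or any(l in action for l in DLL_LOADERS)):
                    alerts.append(("system_task_unusual_payload", host, ts))
            elif eid in (1102, 104):
                # 4. log cleared shortly after a task was created: covering tracks
                if any(ts - t <= wipe_window for t in task_times):
                    alerts.append(("log_cleared_after_task", host, ts))
    return alerts


if __name__ == "__main__":
    for rule, host, ts in detect(parse_events(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {host:<9} {rule}")
```

Run stand-alone it prints five alerts for ENG-WS01 and none for ENG-WS02. The point of correlating per host rather than alerting on each event in isolation is that every individual step here is something an administrator legitimately does; a single `net user`, a SYSTEM task from a patching tool, or a one-off firewall change would drown a SOC in false positives, whereas the sequence within a short window, at a time the named user does not normally work, is the signal the report describes. A production rule would also want the ProcDump and credential-dumping tooling the article mentions, and would read the 4698 task definition from its TaskContent XML rather than the flattened fields assumed here.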
Although most Avivore activity has taken place since early 2018, the researchers claimed that the PlugX remote access trojan may have been deployed on victim networks as early as October 2015.
Other verticals thought to have been targeted include automotive, consulting, energy/nuclear and satellite/space technology.