Years of hacking against aviation transport industries linked to group, researchers say
Written by AJ Vicens
For several years, analysts have observed hackers attempting to break into organizations in the aviation and aerospace industries, as well as related transportation sectors. The operators typically use ready-made malware and phishing lures that reference industry-specific topics such as air cargo conferences or machine parts.
It now appears that most of these incidents were committed by the same group, according to cybersecurity firm Proofpoint. Dubbing the group “TA2541”, Proofpoint says the trail of evidence dates back to at least 2017, and that the hackers remain a “constant and active cybercrime threat”. According to the researchers, hundreds of different organizations were targeted around the world, with a focus on North America, Europe and the Middle East.
Financial crime appears to be the main motive, says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, based on who TA2541 targets, its victims, its reliance on basic commodity malware, and its high message volume. Campaigns ranging from hundreds to thousands of emails can be traced to the group, and it does not appear to be interested in espionage the way nation-state groups are, DeGrippo says.
Earlier reports from other researchers have suggested that stealing and reselling credentials is a likely angle. Proofpoint's report does not speculate on what TA2541 is ultimately after.
“What is remarkable about TA2541 is how little they have changed their approach to cybercrime over the past five years, repeatedly using the same themes, often related to aviation, aerospace and transportation, to distribute remote access Trojans,” says DeGrippo.
Credentials for aviation and aerospace corporate networks can be attractive to criminal groups because of the industry's intellectual property, close ties to the military, and economic weight. A recent spate of ransomware attacks against European oil and transportation services, for example, shows the value of access to these companies' systems. Stolen credentials are routinely sold on online forums, with admin-level logins commanding the highest prices.
The group was using macro-laden Microsoft Word attachments when Proofpoint first observed its activity in 2017. It now more often sends phishing emails containing links to cloud services such as Google Drive, where the malware is hosted, according to the report. In late 2021 the group also delivered malicious URLs through the Discord messaging platform, and in some campaigns it attached the malware directly to the email.
Once inside a target system, the group works to maintain persistence. Proofpoint researchers note that TA2541's malware and tactics can be used for information gathering and for remote control of an infected machine, but the company draws no conclusion about TA2541's goals at this stage of an operation.
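The delivery patterns described above (industry-themed lures paired with links to Google Drive or Discord-hosted payloads, or with macro-enabled and script attachments) lend themselves to a simple mail-triage rule. The following is an added example written for this page, not Proofpoint's, Talos's or the group's own code. The lure vocabulary, the list of risky attachment extensions, and the sample messages are all assumptions constructed for illustration; only the Google Drive and Discord hosting services come from the article.

```python
"""Added example: triage of constructed phishing e-mail records for the delivery
patterns the article attributes to TA2541. Not vendor code; the keyword list,
attachment extensions and sample messages are assumptions made for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed lure vocabulary, built from the themes the article mentions.
LURE_TERMS = ("air cargo", "aircraft", "aviation", "aerospace", "machine parts",
              "freight", "charter", "flight")
# Hosting services the article says the group has used to stage payloads.
HOSTED_PAYLOAD_HOSTS = {"drive.google.com", "cdn.discordapp.com"}
# Assumed attachment types: macro-enabled Office files plus script/container formats.
RISKY_ATTACHMENT_EXT = (".doc", ".docm", ".xlsm", ".vbs", ".js", ".wsf", ".iso", ".rar", ".zip")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def themed_terms(email: Email) -> list[str]:
    """Lure terms present in the subject or body (case-insensitive)."""
    text = f"{email.subject} {email.body}".lower()
    return [t for t in LURE_TERMS if t in text]


def hosted_payload_urls(email: Email) -> list[str]:
    """URLs whose host is exactly one of the staging services.

    The comparison is on the parsed hostname, not a substring of the URL, so a
    lookalike such as drive.google.com.attacker.test does not match here."""
    out = []
    for url in URL_RE.findall(email.body):
        host = (urlparse(url).hostname or "").lower()
        if host in HOSTED_PAYLOAD_HOSTS:
            out.append(url)
    return out


def risky_attachments(email: Email) -> list[str]:
    """Attachments with a macro-enabled, script or container extension."""
    return [a for a in email.attachments if a.lower().endswith(RISKY_ATTACHMENT_EXT)]


def triage(email: Email) -> dict:
    """Flag a message for analyst review when an industry-themed lure is paired
    with a delivery indicator (hosted payload link or risky attachment)."""
    terms = themed_terms(email)
    urls = hosted_payload_urls(email)
    files = risky_attachments(email)
    verdict = "review" if terms and (urls or files) else "pass"
    return {"subject": email.subject, "verdict": verdict,
            "lure_terms": terms, "hosted_urls": urls, "risky_attachments": files}


# Constructed sample messages (not real campaign data).
SAMPLE_EMAILS = [
    Email("ops@example-cargo.test", "Air Cargo Conference 2021 - updated invoice",
          "Please download the invoice: https://drive.google.com/file/d/abc123/view"),
    Email("sales@parts-supplier.test", "RFQ: machine parts for Q3",
          "See attached quotation.", ["quotation_q3.docm"]),
    Email("logistics@example.test", "Flight schedule change",
          "Details: https://cdn.discordapp.com/attachments/1/2/schedule.vbs"),
    Email("hr@corp.test", "Team lunch on Friday",
          "Menu here: https://drive.google.com/file/d/xyz/view"),
    Email("vendor@aero.test", "Aerospace fastener catalogue",
          "Browse: https://drive.google.com.attacker.test/catalogue"),
]


def triage_all(emails=SAMPLE_EMAILS) -> dict[str, str]:
    """Map each sample subject to its verdict."""
    return {e.subject: triage(e)["verdict"] for e in emails}


if __name__ == "__main__":
    for e in SAMPLE_EMAILS:
        print(triage(e))
```

The first three samples are flagged for review; the team-lunch message is not, because a Google Drive link on its own is ordinary business traffic. The last sample shows the limit of this rule: a lookalike host is deliberately not treated as a Google Drive link, so catching it requires a separate lookalike-domain check rather than loosening the hostname match.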
Activity associated with the group has been documented by other cybersecurity firms and independent researchers since 2019, including Mandiant, Microsoft and Cisco's Talos threat intelligence unit. In January 2021, independent researcher William Thomas published an analysis describing Nigeria-based infrastructure and tactics, techniques and procedures that he deemed "common" but effective for business email compromise (BEC). In September 2021, Talos researchers likewise traced similar activity to Nigeria and noted the use of off-the-shelf malware.
Even so, Talos researchers warned that victims of these attacks could suffer data theft, financial fraud, or follow-on cyberattacks "with much worse consequences." The observed activity "shows that actors performing smaller attacks can continue to do so for a long time under the radar" and can "lead to major incidents in large organizations". This kind of activity feeds the market for stolen credentials and session cookies, Talos researchers noted, "which can then be used by larger groups for activities such as 'big game hunting'."
Proofpoint's analysis details the group's use of more than a dozen different malware payloads since 2017, typically purchased on crime forums or taken from open-source repositories. More recent attacks have used AsyncRAT; other remote access Trojans in the group's toolkit include NetWire, WSH RAT and Parallax.