Airbus Supplier Attacks Part of Multi-Vertical Campaign

Security researchers have identified a new state-backed threat group they believe to be behind the recently disclosed attacks on European aerospace supply chain companies and organizations in other verticals.

Reports had suggested the attacks — which affected UK engine-maker Rolls Royce, French tech supplier Expleo and two other French Airbus suppliers — had been carried out either by China’s APT10 group or a regional branch of the country’s Ministry of State Security, known as JSSD.

However, security researchers at Context believe the attacks are the work of another nation state hacking group. Although the firm falls short of blaming China, it admits that the “Avivore” group does operate in the same time zone, and shares some similarities with APT10/JSSD.

The group’s attack methodology follows a set pattern. After using compromised user credentials and legitimate remote access tools to infiltrate targeted networks, hackers escalate privileges by abusing legitimate tools and/or highly privileged accounts.

Next, they conduct account and host enumeration using “net” commands, schedule execution of scripts and tooling run in the context of the “SYSTEM” user, and remove any traces of scripts, tooling and event logs following execution. RDP is also used for lateral movement.

While many supply chain attacks are “vertical” in nature, involving an initial compromise of MSPs or software vendors, the Avivore campaigns are more “horizontal” — relying on island hopping techniques.

The group abused the commercial VPNs and other collaborative solutions used by large multi-nationals and smaller engineering or consultancy firms in their supply chain. Other legitimate tools leveraged by Avivore include network scann ..

Support the originator by clicking the read the rest link below.