Analysts have noticed various attempts in recent years by hackers trying to breach entities in the aviation and aerospace industries, as well as related transportation fields. The operators typically use of off-the-shelf malware and deploy digital lures that refer to industry-specific topics like airline cargo conferences or machine parts.
It now appears that most of those incidents were by the same group, according to cybersecurity firm Proofpoint. Dubbing the group “TA2541,” Proofpoint said Tuesday that the trail of evidence goes back to at least 2017, and the hackers remain a “consistent, active cybercrime threat.” Hundreds of different organizations have been targeted globally, with an emphasis on North America, Europe and the Middle East, the researchers say.
Crime seems to be the main goal, says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, given TA2541’s targeting, its victims, its use of commodity malware and its high message volume. Campaigns ranging from hundreds to several thousand emails can be traced to the group, and it does not appear to be interested in espionage the way nation-state groups are, DeGrippo says.
Previous reports from other researchers have said theft and resale of credentials appears to be one possible angle. Proofpoint’s report does not speculate on what TA2541 might be stealing, or where the hackers are based. Researchers at other companies have identified some of the activity within Nigeria.
“What’s noteworthy about TA2541 is how little they’ve changed their approach to cybercrime over the past five years, repeatedly using the same themes, often related to aviation, aerospace, and transportation, to distribute remote access trojans,” DeGrippo says.
Credentials for aviation and aerospace company networks can be tempting for criminal groups because of the industry’s intellectual property, its strong links to military services and its economic power. A recent spate of ransomware attacks on European oil and transportation services, for instance, shows the value of credentials for those companies’ systems. Stolen credentials are regularly sold in online forums, with admin-level logins fetching serious cash.
The group was using macro-laden Microsoft Word attachments when Proofpoint first observed its activity in 2017, but now it more frequently sends phishing emails with links to cloud services such as Google Drive where the hackers hide the malware, according to the research. In late 2021 the group sent malicious URLs through the Discord messaging app, and it has also put its malware directly into email attachments.
Once inside a target system, the group works to maintain persistence. Proofpoint’s researchers note that TA2541’s malware and tactics can be used for information-gathering purposes and to gain remote control of an infected machine, but the firm does not make any conclusions on TA2541’s goals and objectives at that stage of an operation.
Activities associated with the group have been documented by other cybersecurity firms and independent researchers since 2019, including Mandiant, Microsoft and Cisco’s Talos threat intelligence unit. In January 2021, independent researcher William Thomas published an analysis showing infrastructure based in Nigeria, with tactics, techniques and procedures he deemed “common” and effective as part of business email compromise (BEC). In September 2021, Talos researchers also connected similar activity to Nigeria and noted the use of off-the-shelf malware.
Nevertheless, Talos’ researchers noted, victims of these attacks could suffer data theft, financial fraud or future cyberattacks “with much worse consequences.” The observed activity “shows that actors that perform smaller attacks can keep doing them for a long period of time under the radar,” and can “lead to major incidents at large organizations.” This level of hacker feeds the market of credential and cookies, Talos’ researchers noted, “which can then be used by larger groups on activities like ‘big game hunting.’”
Proofpoint’s analysis unpacks the group’s use of more than a dozen different malware payloads since 2017 that are often purchased on criminal forums or available in open-source repositories. More recent attacks have used the AsyncRAT, but other remote access trojans include NetWire, WSH RAT and Parallax.