Cybersecurity firm BlackBerry discovered that a previously unknown threat actor conducted a cyber espionage campaign against a US aerospace organization in September 2022 and July 2023. The early stage appeared to be a ‘testing phase’, while the later phase included updated tools.
- Both stages used the same lure documents and the same command-and-control IP addresses. In each, the lure document was delivered to targets through a spear-phishing email, and the final payload was a reverse shell. The second stage was stealthier and used improved evasion techniques.
- BlackBerry identified the target as a US aerospace organization from the content of the lure message. The toolkit observed in the attacks indicates that the previously unknown threat actor has been active for at least a year. BlackBerry assessed with high confidence that the operation's purpose was commercial espionage, likely to evaluate targets for future ransom demands.