The Threat Intelligence and Incident Response Team at Context Information Security (www.contextis.com) has identified a new threat group behind a series of incidents targeting the aerospace and defence industries in the UK and Europe.
For more than 12 months, Context has been investigating attacks against large multinational firms in which the attackers first compromise smaller engineering services and consultancy companies in the supply chain. The attackers then use legitimate remote connectivity or other collaborative working solutions to bypass the generally well-defended perimeters of the final target and gain access to it. This technique, referred to as ‘Island Hopping’, has also seen the adversary leverage chains of activity or connections across multiple business units or geographical locations within victim environments.
“Previous reporting into recent incidents affecting aerospace and defence has linked this activity to APT10 and JSSD (Jiangsu Province Ministry of State Security). Though the nature of the activity makes attribution challenging, our experience of the campaign suggests a new group that we have codenamed AVIVORE,” says Oliver Fay, Principal Threat Intelligence Analyst at Context.
“Whilst AVIVORE has been observed operating in the UTC+8 timezone and makes use of the PlugX Remote Access Trojan shared with APT10 and other actors, the Tactics, Techniques and Procedures (TTPs), infrastructure and other tooling differ significantly. This leads us to believe that this activity is attributed to a previously untracked nation-state level adversary,” says Fay.
AVIVORE has shown itself to be a highly capable threat actor, adept both at ‘living off the land’ and at masquerading its activity within the ‘business as usual’ activity of employees in its victim organizations. It has also shown a high degree of operational security awareness, including routinely clearing forensic artefacts as it progresses, which makes detection and investigation difficult.
“The capability of the threat actor makes detecting these incidents challenging; however, the complex nature of the supplier relationship makes investigation, co-operation and remediation a significant issue. When the organization that has enabled the intrusion forms a critical part of your value chain, the operational business risk increases dramatically and difficult decisions need to be made in a short space of time,” adds James Allman-Talbot, Head of Cyber Incident Response at Context.
As a result of its discoveries, Context has been working closely with victims, security organizations and law enforcement agencies across Europe, including the UK’s National Cyber Security Centre (NCSC), to reduce the impact and prevent further compromises. In addition to aerospace and defence engineering victims, Context has seen AVIVORE target assets related to other verticals, including automotive, consultancy, energy/nuclear, and space and satellite technology. Context also assesses with moderate confidence that the objective of the campaign is intellectual property theft.