This new hacking group is using 'island hopping' to target victims

This year's series of cyberattacks against the aerospace and defense industries has been attributed to China's APT10 and JSSD. But it appears that the real culprit is a previously unknown organisation.

Audit rules Victoria's public health system as 'highly vulnerable' to cyber attacks The Victorian Auditor-General's Office finds health system could suffer the same fate as the UK's National Health Service and Singapore's SingHealth.

While it was believed that hacking groups such as China's APT10 were orchestrating the attacks against European multinationals in the aerospace and defense industries this year, the threats are actually coming from previously unknown hackers, according to one security company.  

Identified by cybersecurity consultancy Context, the new organisation, which it has named Avivore, has been particularly astute in covering its tracks. Context, in fact, estimates that it could have been active as early as 2015, although most of the attacks were only exposed in the past 12 months.

Avivore is believed to be the brain behind recent threats to European aerospace giant Airbus, which were initially attributed to the already well-known Chinese groups  APT10 and Jiangsu Province Ministry of State Security (JSSD). Airbus was hit four times this year – with the most recent occurrence happening only last month. 

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

AFP reported that the attackers intruded Airbus's global supplier network through British engine-maker Rolls-Royce, which provides engines for Airbus planes, and French technology consultancy Expleo, in addition to two unidentified contractors working for the aerospace company.  

This is reflective of Avivore strategy: the group applies an "island hopping' technique – which consists of attacking a bigger group indirectly, through its network of weaker, less defended partner companies – in a 'horizontal' way rather than the more traditional 'vertical' one. 

What this means is that instead of targeting partners such as Managed Services Providers (MSPs), which can be easily removed and replaced in the supply chain, it attacks suppliers which are integrated in its victim's value chain.

James Allman-Talbot, head of cyber-incident response at Context, told ZDNet: "The companies it targets could be the only ones supplying a particular product, so you can't just rip them out and replace them with someone else."

"This makes the situation much more difficult to manage – it can get a lot more political than in other incidents."

Avivore has been a crafty attacker, masquerading as legitimate users to intrude suppliers' networks, particularly via VPNs and other remote or collaborative working tools. This then let it bypass the security defenses of the larger company it was targeting – before carefully hiding its activity.

Oliver Fay, threat intelligence analyst at Context, told ZDNet: "We detected Avivore from anomalies, which are harder to detect than incidents. Typically, this happened when we noticed that some employees were accessing assets or using resources they shouldn't be."  

It is presumed that the newly identified organisation is primarily after its victims' intellectual property – and in addition to aerospace and defense companies, it has also been targeting the automotive, consultancy, energy, nuclear, and space and satellite technology industries.

SEE: Iranian hackers resume credential-stealing phishing attacks against universities around the world

This, in addition to the fact that the hackers have been localised in the UTC+8 timezone, makes it easy to draw a connection to threat groups such as APT10 and JSSD. But Context found that Avivore uses different infrastructure and different tactics.

"There certainly appears to be alignment in the types of industries and technologies targeted, and it would be reasonable to assume that those groups have the same motivations," said Allman-Talbot, "but we can't say for sure."

In any case, it would seem that industries are facing attackers that are ever-more capable. But if there is any lesson to be drawn from last year's series of cyberattacks, it is that it is worth double checking security standards – and scrutinising them all along the supply chain. 

Application developers working on computers in office

Security researchers presume that the newly identified organisation is primarily after its victims' intellectual property.

Image: Getty Images/iStockphoto