Analyzing Tactics, Techniques and Procedures Used by Cyber Threat Actors to Access US Space Industry

On 30 November 2023, the BlackBerry Research & Intelligence Team revealed that they had been tracking a long-term cyber campaign targeting the U.S. aerospace sector. The threat actor, tracked as AeroBlade, conducted multiple spearphishing campaigns targeting the same aerospace organization from September 2022 – July 2023.

This ongoing campaign is another example of highly skilled threat actors deploying curated malware to pursue high-value information collection from the U.S. aerospace sector. Due to the prolonged nature of the campaign and the sophisticated tactics, techniques and procedures (TTPs) demonstrated by AeroBlade, it is assessed that this campaign is focused on commercial cyber espionage. As aerospace becomes an increasingly enticing target for cybercriminals, it is crucial to understand how adversaries target this sector and the significance of threat groups that engage in cyber espionage.

According to BlackBerry’s malware analysis report, the AeroBlade threat actor used a multi-phased attack pattern that ultimately gave it persistent access to the victim device via a Dynamic Link Library (DLL). For the initial access vector, the attackers sent a spearphishing email carrying a malicious document whose VBA macro code enabled remote template injection. The macro then ran an executable that delivered the DLL payload, which connected the victim host to the attacker-controlled command-and-control (C2) server.

Once executed, the DLL employs several techniques to evade detection. The executable resists disassembly, uses API hashing to hide which Windows functions it calls, and performs checks to skip execution in automated environments. Those checks keep the code from running in sandboxes and antivirus programs, impeding both analysis and detection.
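API hashing hides function names from string-based triage: instead of importing `IsDebuggerPresent` by name, the loader carries a numeric hash and walks a module’s export table until a name hashes to that value. An analyst undoes this by hashing a candidate export list and looking the constants up. The resolver below is an added example, not code from the report; it assumes the widely used ROR13 hash, which the page does not attribute to AeroBlade, and the export list and the “constants from disassembly” are constructed for the demonstration.

```python
from typing import Dict, Iterable, List

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR13 string hash (assumed for this example): rotate the 32-bit accumulator
    right by 13 bits, then add the next byte of the ASCII export name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + b) & MASK32
    return h


def build_lookup(export_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> export name for every name in the candidate list."""
    return {ror13_hash(n): n for n in export_names}


def resolve_hashes(hashes: Iterable[int], lookup: Dict[int, str]) -> Dict[int, str]:
    """Map each hash constant pulled from a sample to its API name, or mark it unresolved."""
    return {h: lookup.get(h, "<unresolved>") for h in hashes}


# Constructed candidate list: a handful of kernel32 exports a loader or sandbox
# check would plausibly resolve. A real run would feed in the full export table.
KERNEL32_EXPORTS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileA",
    "WriteFile", "IsDebuggerPresent", "GetTickCount", "Sleep",
]

if __name__ == "__main__":
    lookup = build_lookup(KERNEL32_EXPORTS)
    # Constructed "constants from disassembly": hashed here because the page does not
    # give AeroBlade's real values; the last one is deliberately unknown.
    found = [ror13_hash("IsDebuggerPresent"), ror13_hash("VirtualAlloc"), 0xDEADBEEF]
    for h, name in resolve_hashes(found, lookup).items():
        print(f"0x{h:08X} -> {name}")
```

In practice the hash routine is recovered from the sample first (the rotate count and whether names are upper-cased or NUL-terminated vary between families), then the lookup is regenerated from the export tables of the DLLs the sample actually loads; a high unresolved rate usually means the wrong routine was assumed rather than a genuinely unknown API.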

Once the checks are complete, the DLL connects to the threat actor’s C2 server and transmits collected information from the victim’s device, including a list of directories, usernames, passwords, and IP and MAC addresses. This establishes a reverse shell, through which the attacker can direct communication with the C2 and exfiltrate system information via Microsoft Visual Basic (VB) and the Windows API.

From the malware analysis report, we can assess the significance of this attack in terms of its sophisticated technical capabilities, the prolonged nature of the operation, and its emphasis on persistence and defense evasion. The ability to obfuscate critical phases of the attack chain signifies the threat actor’s adept use of living off the land techniques, harnessing native tools and system functions to conceal its operations. The use of a reverse shell, a common tool in cyber espionage campaigns, aligns with this approach of leveraging inherent system functionality for persistent access and control. Furthermore, researchers note a considerable improvement in the DLL’s ability to detect and evade defensive measures across the samples collected from 2022 to 2023, indicative of a refined approach. It remains to be seen whether AeroBlade will follow up with ransom demands or exploitation attempts, but the lack of any known extortion demand is a further indication that this campaign’s purpose is commercial espionage.

The tactics, techniques and procedures associated with AeroBlade resemble prior attacks on aerospace entities in 2023, particularly methods involving living off the land and command and scripting interpreters. For instance, it mirrors the exploitation of a vulnerability tracked as PowerDrop, where PowerShell served as the command and scripting interpreter, and incidents targeting aeronautical entities in which attackers used the Unix shell for the same purpose.

Furthermore, this parallels the tactics seen in the Lazarus “LightlessCan” operation, which was initiated through spearphishing while capitalizing on native API functionality. The campaigns also share motive and intent: the impact of each involved intellectual property theft, data exfiltration and commercial espionage. According to the DNI publication, Safeguarding the US Space Industry, “Foreign intelligence entities (FIEs) recognize the importance of the commercial space industry to the US economy” and “see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise.”

The AeroBlade cyber campaign targeting the U.S. aerospace sector, tracked from September 2022 to July 2023, signifies a highly skilled threat actor’s pursuit of valuable information. Utilizing sophisticated tactics, including living off the land techniques and leveraging command interpreters, AeroBlade’s prolonged and stealthy operations strongly suggest a focus on commercial cyber espionage, echoing concerns highlighted by U.S. security agencies about the value and vulnerability of the space sector to espionage activities. While spearphishing is not necessarily associated with sophisticated threats, the follow-on actions reported by The BlackBerry Research and Intelligence Team reveal unique insights for network defenders regarding the purpose, intent and execution of cyber threat actors looking to gain access to the U.S. space industry.