A recent joint Department of Homeland Security (DHS) and FBI Technical Alert warns of malicious Russian cyber actors targeting aviation and other critical industries. The report describes a sustained multi-stage cyber-attack campaign to gather information on critical systems in the U.S.
Russian activities in victim networks focused on collecting information, not disrupting operations or destroying equipment. The report did not include specifics about the information targeted within aviation companies, but the targeted data likely included the internal operations of aircraft and the connectivity of aviation networks.
Russian actors began by identifying targets and establishing a plan of attack for each type of target. They then used spear-phishing emails, which entice targets to reveal login information, and “watering-hole domains”—websites that can be compromised to download malware or steal login information—to compromise smaller organizations with fewer cybersecurity defenses, referred to in the report as "staging targets."
Aviation targets were likely highly susceptible to watering-hole domains. Once malicious cyber actors compromise a site, they redirect visitors to a website with embedded malicious JavaScript, which in turn likely downloads malware onto most visitors’ computers.
After establishing a foothold in the staging targets’ networks, the Russians used compromised email accounts, shared files, and virtual private networks (VPNs) at the staging targets to make contact with the intended final targets.
Once inside those targets, the Russians sought administrator passwords that would allow them complete access to the victim network. They would also download files using Microsoft’s Server Message Block (SMB) and use these files to establish communication with a command and control server outside of the victim network. They then exfiltrated targeted information through these pathways.
Maintenance, repair and overhaul providers (MROs) and airports were likely common aviation staging targets because of their broad connectivity to other companies and their lower cybersecurity defenses. Russians likely used these firms to compromise airlines, engineering firms, and air traffic management systems.
Aviation companies in general likely served as useful staging targets to compromise organizations in other industries. Aviation touches most other industries, and network activity from aviation companies is unlikely to be flagged as suspicious by other companies and industries.
After the Russian actors gained access to a target, they removed evidence of their intrusion to avoid detection. The FBI and DHS are therefore encouraging network administrators in all critical industries to review the technical alert and ingest the provided .csv and .stix files into their network monitoring systems.
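As an added example (not code from the alert or from DHS/FBI), the following Python sketch shows one way a monitoring pipeline could use an ingested .csv file together with a check for the SMB traffic to outside servers described above. The CSV column names, the log line format, the internal address ranges and every sample value are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed indicator feed; column names are assumed, not the alert's schema.
INDICATORS_CSV = """type,value
ipv4,203.0.113.45
domain,updates.example-staging.test
"""
# Constructed connection log: timestamp, source, destination, destination port.
CONN_LOG = """2018-03-20T10:01:02Z 10.1.4.22 198.51.100.7 443
2018-03-20T10:01:09Z 10.1.4.22 203.0.113.45 445
2018-03-20T10:02:30Z 10.1.7.80 10.1.0.5 445
2018-03-20T10:03:11Z 10.1.9.14 updates.example-staging.test 80
2018-03-20T10:04:54Z 10.1.9.14 192.0.2.99 139
"""
# Assumed internal address space (RFC 1918); adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}

def load_indicators(text):
    """Return the set of lower-cased indicator values from the CSV text."""
    return {row["value"].strip().lower() for row in csv.DictReader(io.StringIO(text))}

def is_external(dest):
    """True when dest is an IP address outside the internal ranges."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return False  # hostname: not classified without resolution
    return not any(ip in net for net in INTERNAL_NETS)

def scan(log_text, indicators):
    """Flag connections to listed indicators and SMB sessions leaving the network."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines
        ts, src, dest, port = parts[0], parts[1], parts[2].lower(), int(parts[3])
        reasons = []
        if dest in indicators:
            reasons.append("indicator-match")
        if port in SMB_PORTS and is_external(dest):
            reasons.append("outbound-smb")
        if reasons:
            findings.append((ts, src, dest, port, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan(CONN_LOG, load_indicators(INDICATORS_CSV)):
        print(finding)
```

Internal SMB traffic is left unflagged on purpose; only sessions that cross the network boundary or touch a listed indicator are reported.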