CYBER-SECURITY Supply Chain Under Attack


With new malware specifically designed to target the aerospace supply chain, what can the industry do to protect itself from new threats?


A new cyber security threat has recently been identified which targets the aerospace and defence industries within the UK and Europe. The Threat Intelligence and Incident Response Team at IT security company Context has given the threat the name Avivore and has been investigating how it is delivered and propagated through the industry. The organisation found that attacks against large multinational firms were used to compromise smaller engineering services and consultancy companies in the supply chain over a period of more than a year. The attackers use legitimate remote connectivity or other collaborative working methods to bypass the generally well-defended perimeters and gain access to the target. This technique, referred to as ‘Island Hopping’, has also seen the adversary make use of chains of activity or connections across multiple business units or geographical locations within victim environments. As a result of its discoveries, Context has been working closely with victims, security organisations and law enforcement agencies across Europe, including the UK’s National Cyber Security Centre (NCSC), in order to reduce the impact and prevent further compromises. In addition to aerospace and defence engineering victims, Context has seen Avivore target assets related to other sectors including automotive, consultancy, energy/nuclear, and space and satellite technology.

Cyber threat targeting aerospace industry affects all companies, test and service suppliers within the supply chain

STATE LEVEL INVOLVEMENT According to Context, recent incidents affecting aerospace and defence companies have been linked to the Chinese APT10 hacking group and the JSSD (the Jiangsu Province Ministry of State Security). Though the nature of the activity makes attribution challenging, Context believes a new group (Avivore) is behind the attacks. Oliver Fay, Principal Threat Intelligence Analyst at Context, says: “Whilst Avivore has been observed operating in the Chinese time zone and makes use of the PlugX Remote Access Trojan shared with APT10 and other actors, the Tactics, Techniques and Procedures (TTPs), infrastructure and other tooling differ significantly. This leads us to believe that this activity is attributed to a previously untracked nation-state level adversary.”


CONCEALED THREAT The Avivore threat has shown itself to be adept at masquerading its activity as the business-as-usual activity of employees in its victim organisations. It has also shown a high degree of operational security awareness, including routinely clearing forensic artefacts as it progresses, making detection and investigation difficult. According to cyber security expert James Allman-Talbot, this makes detecting incidents challenging, and the complex nature of the supplier relationship makes investigation, co-operation and remediation a significant issue. “When the organisation that has enabled the intrusion forms a critical part of your supply chain, the operational business risk increases dramatically and difficult decisions need to be made in a short space of time.”


MITIGATION To mitigate these attacks, Context recommends the following measures:

• Impose access limitations, such as preventing the use of communications outside of the supplier’s business hours or from IP addresses and locations other than those pre-agreed, and restrict access only to the data and assets the supplier requires to perform its work.

• Ensure that security measures such as multifactor authentication and enhanced auditing/logging are deployed to hosts and services into which suppliers are required to connect.

• Retain logs and ensure they contain enough information on the sources of inbound connections to enable identification of anomalies, such as concurrent log-ins with impossible geography.

• Ensure that credentials for highly privileged accounts and remote services are stored securely and that their use is appropriately monitored.

Aerospace Test & Validation Vol 2 No. 2 /// 5
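The access-limitation and logging recommendations above become checkable once remote-access logs are retained with the account, source address and time of each inbound connection. The following is an added example written for this page, not code from Context or from the article: it parses a constructed sample of supplier login records (UTC timestamp, account, source IP, country) and flags logins outside a pre-agreed business-hours window, logins from addresses outside the agreed allow-list, and near-concurrent sessions from different countries (the “impossible geography” case). The log format, the account names, the allow-listed ranges, the business-hours window and the eight-hour travel threshold are all assumptions made for the example.

```python
"""Flag anomalous supplier remote-access logins in retained connection logs.

Added example for this page; not code from the article or from Context.
Assumed (constructed) log line format:
    <ISO-8601 UTC timestamp> <account> <source IP> <ISO country code>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SupplierPolicy:
    """Pre-agreed access terms for one supplier account (assumed values)."""
    allowed_networks: tuple   # CIDR strings the supplier may connect from
    business_hours: tuple     # (start_hour, end_hour) in UTC, half-open, same day
    min_travel: timedelta     # shortest plausible gap between sessions from different countries


@dataclass(frozen=True)
class Login:
    ts: datetime
    account: str
    src_ip: str
    country: str


def parse_log(text: str) -> list:
    """Parse constructed log lines into Login records, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, ip, country = line.split()
        # fromisoformat() only accepts a trailing 'Z' from Python 3.11; normalise it
        events.append(Login(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            account, ip, country))
    return sorted(events, key=lambda e: e.ts)


def detect_anomalies(events: list, policies: dict) -> list:
    """Return (Login, reason) pairs for every login that breaches the agreed terms."""
    findings = []
    last_seen = {}  # account -> most recent Login for that account
    for ev in events:
        policy = policies.get(ev.account)
        if policy is None:
            findings.append((ev, "no access agreement for account"))
            continue
        # 1. outside the supplier's agreed business hours (UTC window)
        start, end = policy.business_hours
        if not start <= ev.ts.hour < end:
            findings.append((ev, "outside agreed business hours"))
        # 2. source address not in the pre-agreed allow-list
        addr = ip_address(ev.src_ip)
        if not any(addr in ip_network(net) for net in policy.allowed_networks):
            findings.append((ev, "source IP not in pre-agreed allow-list"))
        # 3. impossible geography: consecutive sessions from different countries
        #    closer together than any plausible travel time
        prev = last_seen.get(ev.account)
        if prev is not None and prev.country != ev.country and ev.ts - prev.ts < policy.min_travel:
            findings.append((ev, f"impossible geography: {prev.country} then {ev.country} "
                                 f"within {ev.ts - prev.ts}"))
        last_seen[ev.account] = ev
    return findings


# Constructed sample data (documentation IP ranges, invented account names).
SAMPLE_LOG = """
# ts                  account            src_ip        country
2019-10-07T08:15:00Z  svc-eng-supplier   203.0.113.10  GB
2019-10-07T08:40:00Z  svc-eng-supplier   203.0.113.11  GB
2019-10-07T09:05:00Z  svc-eng-supplier   198.51.100.7  CN
2019-10-08T02:30:00Z  svc-eng-supplier   203.0.113.10  GB
2019-10-08T10:00:00Z  svc-test-supplier  192.0.2.44    DE
"""

SAMPLE_POLICIES = {
    "svc-eng-supplier": SupplierPolicy(
        allowed_networks=("203.0.113.0/24",),
        business_hours=(7, 19),
        min_travel=timedelta(hours=8),
    ),
    # svc-test-supplier deliberately has no agreement on file
}


def analyse(log_text: str = SAMPLE_LOG, policies: dict = SAMPLE_POLICIES) -> list:
    """Run all three checks over a log text and return the findings."""
    return detect_anomalies(parse_log(log_text), policies)


if __name__ == "__main__":
    for ev, reason in analyse():
        print(f"{ev.ts.isoformat()} {ev.account} {ev.src_ip} {ev.country}: {reason}")
```

On the sample data the third login is flagged twice (unlisted source address, and China twenty-five minutes after Britain), the out-of-hours login once, and the account with no agreement on file once. The geography check compares only consecutive sessions for the same account, which is enough to surface the concurrent-login case the recommendation describes; a production version would also take session duration and a distance-based geolocation into account rather than a single country code.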

