Security News > 2022 > February > Hackers use simple methods to target orgs in the aviation sector
For years, a low-skilled attacker has been using off-the-shelf malware in malicious campaigns aimed at companies in the aviation sector as well as in other sensitive industries.
Tracked as TA2541 by cybersecurity company Proofpoint, the adversary is believed to operate from Nigeria and its activity has been documented before in analysis of separate campaigns.
Given TA2541's choice of targets, its activity has not gone unnoticed and security researchers from other companies have analyzed its campaigns [1, 2, 3] in the past, but without connecting all the dots.
Cisco Talos published a report last year about a TA2541 campaign targeting the aviation industry with AsyncRAT. The researchers concluded that the actor had been active for at least five years.
"While researching the actor's activities, using passive DNS telemetry, we compiled the list of IPs used by the domain akconsult.linkpc.net. The chart below shows that roughly 73 percent of the IPs were based in Nigeria, further strengthening the theory that the actor in question is based in Nigeria." - Cisco Talos.
Even if TA2541's tactics, techniques, and procedures describe an adversary that is not technically sophisticated, the actor managed to deploy malicious campaigns for more than five years without raising too many flags.