Campaigns targeting the aerospace industry in Russia
Key findings
- Multiple intrusion sets, which we assess with high confidence to be hacktivists aligned with Ukraine’s interests, are currently engaged in spearphishing campaigns directly targeting Russian companies, mostly operating in the aerospace industry and, to a lesser extent, in electronic warfare, military supply, and energy. Most of the targets are currently under sanctions by Western countries and allies of Ukraine for materially supporting the Russian army.
- The campaigns’ techniques were a mix of credential phishing pages abusing legitimate page-hosting solutions such as IPFS, Vercel, Contabo S3 buckets, and Cloudflare’s publicly exposed S2 buckets, alongside malware campaigns such as those operated by Head Mare or Hive0117, two intrusion sets aligned with Ukraine that both deploy custom-made malware. Head Mare notably continues to leverage the email servers of compromised Russian companies to send weaponized emails.
Intrinsec’s CTI services
Organisations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach in the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to the compromises they face.
For this report, shared with our clients in January 2025, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR …), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.
Intrinsec also offers various services around Cyber Threat Intelligence:
- Risk anticipation: which can be leveraged to continuously adapt the detection & response capabilities of our clients’ existing tools (EDR, XDR, SIEM, …) through:
  - an operational feed of IOCs based on our exclusive activities.
  - threat intel notes & reports, TIP-compliant.
- Digital risk monitoring:
  - data leak detection & remediation
  - external asset security monitoring (EASM)
  - brand protection
For more information, go to intrinsec.com/en/cyber-threat-intelligence/.
