An espionage group is launching cyber attacks against organisations in the maritime and defence sectors in what’s highly likely to be an effort to steal confidential information and research data.
Dubbed Leviathan, the group has been active since at least 2014 and takes particular interest in maritime industries, naval defence contractors and associated university research institutions as well as related government and legal agencies.
Organisations targeted by the campaign are mostly in the US and Western Europe, while some targets are active in the South China Sea.
Military and defence contractors are often the target of cyber attacks, and researchers at Proofpoint recently detected new campaigns targeting US shipbuilding companies and a university research centre with military ties. Researchers dubbed the threat Leviathan due to its focus on organisations related to naval technology and maritime interests.
Phishing emails distributed in mid-September used references to job applications, resumes and a “Torpedo recovery experiment” in an effort to lure targets into opening messages containing malicious Microsoft Excel and Word documents laced with macros.
The malicious documents leveraged CVE-2017-8759, a parser code vulnerability which allows attackers to inject code to execute Visual Basic scripts containing PowerShell commands for the installation of malware. Researchers note that the zero-day was only discovered days before the campaign, indicating the attackers are quick to exploit new attack vectors.