State‑Sponsored Cyber Espionage Group HeartlessSoul Harvests GIS Data from Russian Aviation Firms
What Happened – The HeartlessSoul cyber‑espionage group has been running a multi‑vector campaign against Russian government agencies and aviation companies, using phishing emails, malicious advertising, and counterfeit software hosted on platforms such as SourceForge to deliver spyware. The malware exfiltrates geographic information system (GIS) files, screenshots, keystrokes, browser data, Telegram credentials and device location.
Why It Matters for TPRM –
• GIS data reveals critical infrastructure layouts that can be weaponized or sold to adversaries.
• The use of legitimate software‑hosting sites shows how supply‑chain trust can be subverted, increasing third‑party risk.
• Persistent state‑backed actors indicate a long‑term espionage campaign that may target other sectors in the supply chain.
Who Is Affected – Aviation and aerospace manufacturers, air traffic control agencies, satellite‑navigation service providers, and related government bodies in Russia.
Recommended Actions –
• Review all third‑party software download policies and enforce verification of source integrity.
• Conduct phishing‑resilience training and implement email‑gateway sandboxing.
• Inventory and monitor GIS data repositories; apply encryption and strict access controls.
Technical Notes – Attack vector: phishing emails with malicious archives, malicious ad campaigns, counterfeit download sites, and abuse of SourceForge to host a fake “GearUP” installer. Malware capabilities: keylogging, screenshot capture, file exfiltration, Telegram credential theft, and geolocation harvesting. Source: The Record