Researchers from Invincea Labs and ThreatGrid discovered what seems like a cyber espionage campaign against some 163 key executives, including presidents and CEOs of key defense contractors, who attended a recent Intelligence Advanced Research Projects Activity event.

The whole thing was picked up thanks to an e-mail that was directed to Anup Ghosh, CEO of Invincea, by a friend in the industry.

DarkReading.com cited the exec:

“He said he has been a nonstop target of a lot of spear-phishing attempts, but this one was very compelling because it was purported to have names of attendees to a recent IARPA meeting,” Ghosh says. “It appears that the attackers sent the same email and malicious attachment to the other 163 event attendees, he says.”

The embedded URL in the message directed users to a ZIP file hosted on a subdomain that is connected to the legitimate research project site. However, what looks like a .XLS list of the attendees is actually an executable HTTP client.

The file was sent to ThreatGrid for analysis, and the firm laid out how the hackers would obtain access to sensitive data once an unsuspecting recipient unzips the file. The client connects to an external server, making it look like regular browser activity, and waits for the victim to reboot their machine. At that point the client reaches out to a control-and-command server and acts as Trojan that takes full control of the compromised computer.

This is likely the method, or at least similar to the one used by hackers to obtain sensitive files from the Pentagon in an earlier breach, presumably from a defense contractor. That breach, too, may have been the result of an e-mail scam.

Defense contractors are a very big target for hackers, and this have been particularly evident lately. A separate case that involved the now confirmed braech of EMC’s RSA security division led to attacks on two government contractors: Lockheed Martin and Northop Grumman.

It now seems that the actual number of incidents is beginning to match the media hype, though the proper implementation of security measures is still lagging behind.