Researchers Attribute Airline Cyberattack to Chinese Hackers

A cyberattack targeting Air India was orchestrated by a Chinese nation-state threat actor tracked as APT41, according to cybersecurity firm Group-IB.

It came to light in early March 2021 that a cyberattack aimed at SITA, a multinational company that specializes in air transport communications and IT, affected multiple airlines, including Air India, Air New Zealand, Finland’s Finnair, Singapore Airlines, Malaysia Airlines, and Jeju Air in South Korea. SITA has roughly 2,500 customers and provides services in over 1,000 airports worldwide.

Air India later announced that approximately “4,500,000 data subjects globally” were affected. Compromised data included names, dates of birth, passport information, and contact information. The airline said at the time that the attack was related to SITA PSS, which processes personally identifiable information (PII).

[ SEE: At Least 10 APTs Targeting Microsoft Exchange Vulnerabilities ]

An investigation launched by Group-IB into the Air India incident revealed that a system within Air India’s network, named “SITASERVER4,” communicated with attacker infrastructure that hosted the Cobalt Strike implant for more than two months.

The name “SITASERVER4” initially led Group-IB to believe that this attack was related to the attack on SITA’s PSS system, but further investigation revealed that it was a separate attack on Air India, possibly conducted by a threat actor previously linked to China.

Group-IB updated its blog post after SITA claimed that there was “no substance in the suggestion of Group-IB that the attack on SITA PSS and the separate attack on Air India were linked or carried out by the same threat actor.”

The hackers who targeted Air India used their presence on the airline’s network to collect credentials and move laterally. They compromised at least 20 devices within Air India’s network and also attempted to escalate privileges. They also exfiltrated data from the network.

“The attack on Air India lasted for at least 2 months and 26 days. It took the attackers 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline’s network,” Group-IB says.

The cybersecurity firm believes that APT41, a prolific Chinese state-sponsored threat actor, was behind the attack on Air India. Active since at least 2007, the group is also tracked as WICKED SPIDER (PANDA), Winnti Umbrella, and BARIUM, and is known for frequently targeting Indian organizations.

In this attack, the threat actor used a specific SSL certificate, observed on only five hosts, which the researchers linked to APT41. The adversary also reused IP addresses and file contents employed in previous attacks, and after the campaign ended the domains were parked at IP address 127.0.0.1, a tactic for which APT41 is well known.
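The indicators Group-IB cites (one certificate shared by a handful of internal hosts, a long-lived connection from a single server to the implant host, a lateral-spread interval measured in hours, and domains later parked at 127.0.0.1) are the kind of pivots a defender can automate over their own telemetry. The script below is an added example, not Group-IB's tooling or anything from the article; the TLS-connection and passive-DNS records, host names other than SITASERVER4, IP addresses (documentation ranges) and certificate fingerprints are all constructed placeholders.

```python
"""Infrastructure pivots over constructed TLS and passive-DNS records.

Added example; all data below is constructed and the IPs/fingerprints are
placeholders. Four checks mirror the article's attribution clues:
  1. which internal hosts share one TLS certificate fingerprint,
  2. how long each host kept talking to a given destination,
  3. how long after the first host a second host reached the same cert,
  4. which domains were parked at 127.0.0.1 after earlier resolving to a
     routable address (a domain that only ever resolved to loopback is not
     flagged, since there was never any live infrastructure to park).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed TLS connection records: "timestamp src_host dst_ip cert_fingerprint"
TLS_LOG = """\
2021-02-23T10:00:00Z SITASERVER4 203.0.113.10 fp-aaaa
2021-02-24T10:05:00Z SITASERVER4 203.0.113.10 fp-aaaa
2021-02-24T10:06:00Z HOST-FIN02 203.0.113.10 fp-aaaa
2021-03-01T08:00:00Z HOST-HR07 203.0.113.11 fp-aaaa
2021-03-01T09:00:00Z HOST-OPS12 203.0.113.11 fp-aaaa
2021-03-02T09:00:00Z HOST-OPS13 203.0.113.11 fp-aaaa
2021-03-02T09:30:00Z HOST-WEB01 198.51.100.5 fp-bbbb
2021-05-20T11:00:00Z SITASERVER4 203.0.113.10 fp-aaaa
"""

# Constructed passive-DNS style records: "timestamp domain resolved_ip"
DNS_LOG = """\
2021-02-20T00:00:00Z update-cdn.example 203.0.113.10
2021-03-15T00:00:00Z update-cdn.example 203.0.113.10
2021-06-01T00:00:00Z update-cdn.example 127.0.0.1
2021-02-20T00:00:00Z static-assets.example 198.51.100.5
2021-06-01T00:00:00Z static-assets.example 198.51.100.5
2021-04-01T00:00:00Z metrics.example 127.0.0.1
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text, fields):
    """Split whitespace-separated lines into dicts; first field is 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        records.append(rec)
    return records


def hosts_per_cert(tls_records):
    """Map each certificate fingerprint to the sorted set of hosts that saw it."""
    by_fp = defaultdict(set)
    for r in tls_records:
        by_fp[r["fp"]].add(r["host"])
    return {fp: sorted(hosts) for fp, hosts in by_fp.items()}


def contact_span_days(tls_records):
    """Whole days between first and last contact for each (host, destination)."""
    first, last = {}, {}
    for r in tls_records:
        key = (r["host"], r["dst"])
        first[key] = min(first.get(key, r["ts"]), r["ts"])
        last[key] = max(last.get(key, r["ts"]), r["ts"])
    return {key: (last[key] - first[key]).days for key in first}


def time_to_second_host(tls_records, fp):
    """Interval between the earliest contact with cert `fp` and the first
    contact from a *different* host; None if only one host ever saw it."""
    seen = sorted((r["ts"], r["host"]) for r in tls_records if r["fp"] == fp)
    if not seen:
        return None
    first_ts, first_host = seen[0]
    for ts, host in seen[1:]:
        if host != first_host:
            return ts - first_ts
    return None


def parked_to_loopback(dns_records):
    """Domains whose latest resolution is 127.0.0.1 after a routable one."""
    history = defaultdict(list)
    for r in sorted(dns_records, key=lambda r: r["ts"]):
        history[r["domain"]].append(r["ip"])
    return sorted(
        d for d, ips in history.items()
        if ips[-1] == "127.0.0.1" and any(ip != "127.0.0.1" for ip in ips[:-1])
    )


TLS = parse_log(TLS_LOG, ("ts", "host", "dst", "fp"))
DNS = parse_log(DNS_LOG, ("ts", "domain", "ip"))

if __name__ == "__main__":
    print("hosts per cert:", hosts_per_cert(TLS))
    print("contact span (days):", contact_span_days(TLS))
    print("time to second host:", time_to_second_host(TLS, "fp-aaaa"))
    print("parked at loopback:", parked_to_loopback(DNS))
```

On real data the TLS records would come from a proxy, NetFlow-with-TLS or Zeek `ssl.log`, and the DNS history from a passive-DNS feed; the logic stays the same. The loopback check deliberately ignores domains that never had a live resolution, which keeps benign localhost-only entries out of the alert queue.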

*updated on August 17 to clarify that APT41 has targeted Air India, not SITA, and that the two incidents involving Air India do not appear to be linked. Changes have been made to the headline, first paragraph, and throughout the article to reflect this.

Related: At Least 10 Threat Actors Targeting Recent Microsoft Exchange Vulnerabilities

Related: China’s APT41 Exploited Citrix, Cisco, ManageEngine Flaws in Global Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.