A cyberattack targeting Air India was orchestrated by a Chinese nation-state threat actor tracked as APT41, according to cybersecurity firm Group-IB.
It came to light in early March 2021 that a cyberattack aimed at SITA, a multinational company that specializes in air transport communications and IT, affected multiple airlines, including Air India, Air New Zealand, Finland’s Finnair, Singapore Airlines, Malaysia Airlines, and Jeju Air in South Korea. SITA has roughly 2,500 customers and provides services in over 1,000 airports worldwide.
Air India later announced that approximately “4,500,000 data subjects globally” were affected. Compromised data included names, dates of birth, passport information, and contact information. The airline said at the time that the attack was related to SITA PSS, which processes personally identifiable information (PII).
An investigation launched by Group-IB into the Air India incident revealed that a system within Air India’s network, named “SITASERVER4,” communicated with attacker infrastructure that hosted the Cobalt Strike implant for more than two months.
The name “SITASERVER4” initially led Group-IB to believe that this attack was related to the attack on SITA’s PSS system, but further investigation revealed that it was a separate attack on Air India, possibly conducted by a threat actor previously linked to China.
Group-IB updated its blog post after SITA claimed that there was “no substance in the suggestion of Group-IB that the attack on SITA PSS and the separate attack on Air India were linked or carried out by the same threat actor.”
The hackers who targeted Air India used their presence on the airline’s network to collect credentials and move laterally. They compromised at least 20 devices within Air India’s network and also attempted to escalate privileges. They also exfiltrated data from the network.
“The attack on Air India lasted for at least 2 months and 26 days. It took the attackers 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline’s network,” Group-IB says.
The cybersecurity firm believes that APT41, a prolific Chinese state-sponsored threat actor, was behind the attack on Air India. Active since at least 2007, the group is also tracked as WICKED SPIDER (PANDA), Winnti Umbrella, and BARIUM, and is known for frequently targeting Indian organizations.
In this attack, the threat actor used a specific SSL certificate that was detected on only five hosts, and which the researchers linked to APT41. Furthermore, the adversary reused IP addresses and file contents employed in previous attacks and, after the campaign was over, the domains were parked at IP address 127.0.0.1, a tactic APT41 is well known for.
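Infrastructure overlaps of the kind Group-IB describes (a certificate served by only a handful of hosts, domains parked at 127.0.0.1 once the campaign ends) are the sort of pivot a defender can check against passive-DNS and TLS telemetry. The following Python is an added example, not Group-IB's code and not any indicator from the article; the domains, IP addresses and certificate fingerprints are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

LOOPBACK = "127.0.0.1"
# Constructed passive-DNS history: (domain, resolved_ip, first_seen, last_seen).
PDNS = [
    ("update-cdn.example", "203.0.113.10", date(2021, 1, 4), date(2021, 3, 9)),
    ("update-cdn.example", LOOPBACK, date(2021, 3, 10), date(2021, 5, 1)),
    ("mail-sync.example", "198.51.100.7", date(2021, 1, 20), date(2021, 3, 9)),
    ("mail-sync.example", LOOPBACK, date(2021, 3, 11), date(2021, 5, 1)),
    ("news.example", "192.0.2.44", date(2020, 6, 1), date(2021, 5, 1)),
    ("dev.example", LOOPBACK, date(2020, 1, 1), date(2021, 5, 1)),  # never routable
]
# Constructed TLS observations: (host_ip, fingerprint of the certificate it served).
TLS = [("203.0.113.10", "CERT_A"), ("198.51.100.7", "CERT_A"),
       ("203.0.113.99", "CERT_A"), ("192.0.2.44", "CERT_B")]

def parked_after_use(records):
    """Domains that resolved to a routable IP and were later parked at 127.0.0.1."""
    by_domain = defaultdict(list)
    for domain, ip, first, last in records:
        by_domain[domain].append((first, last, ip))
    flagged = []
    for domain, hist in by_domain.items():
        hist.sort()  # chronological by first_seen
        routable = [h for h in hist if h[2] != LOOPBACK]
        latest_first, _, latest_ip = hist[-1]
        # A domain that only ever pointed at loopback (a dev placeholder) is not parking.
        if routable and latest_ip == LOOPBACK and latest_first > routable[-1][1]:
            flagged.append(domain)
    return sorted(flagged)

def shared_cert_hosts(observations, min_hosts=2):
    """Certificate fingerprints served by at least min_hosts distinct hosts."""
    hosts = defaultdict(set)
    for ip, fp in observations:
        hosts[fp].add(ip)
    return {fp: sorted(h) for fp, h in hosts.items() if len(h) >= min_hosts}

def certs_behind_parked_domains(records, observations):
    """Join both pivots: for each parked domain, the certs its former IPs served."""
    parked = set(parked_after_use(records))
    certs = defaultdict(set)
    for ip, fp in observations:
        certs[ip].add(fp)
    out = defaultdict(set)
    for domain, ip, _, _ in records:
        if domain in parked and ip != LOOPBACK:
            out[domain] |= certs[ip]
    return {d: sorted(c) for d, c in out.items()}
```

A domain that was only ever a loopback placeholder is deliberately not flagged; the signal is the transition from a routable address to 127.0.0.1, combined with a certificate shared across the former hosting IPs.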
*updated on August 17 to clarify that APT41 has targeted Air India, not SITA, and that the two incidents involving Air India do not appear to be linked. Changes have been made to the headline, first paragraph, and throughout the article to reflect this.