
Researchers Attribute Airline Cyberattack to Chinese Hackers

A cyberattack targeting Air India was orchestrated by a Chinese nation-state threat actor tracked as APT41, according to cybersecurity firm Group-IB.

It came to light in early March 2021 that a cyberattack aimed at SITA, a multinational company that specializes in air transport communications and IT, affected multiple airlines, including Air India, Air New Zealand, Finland’s Finnair, Singapore Airlines, Malaysia Airlines, and Jeju Air in South Korea. SITA has roughly 2,500 customers and provides services in over 1,000 airports worldwide.

Air India later announced that approximately “4,500,000 data subjects globally” were affected. Compromised data included names, dates of birth, passport information, and contact information. The airline said at the time that the attack was related to SITA PSS, which processes personally identifiable information (PII).

[ SEE: At Least 10 APTs Targeting Microsoft Exchange Vulnerabilities ]

An investigation launched by Group-IB into the Air India incident revealed that a system within Air India’s network, named “SITASERVER4,” communicated with attacker infrastructure that hosted the Cobalt Strike implant for more than two months.

The name “SITASERVER4” initially led Group-IB to believe that this attack was related to the attack on SITA’s PSS system, but further investigation revealed that it was a separate attack on Air India, possibly conducted by a threat actor previously linked to China.

Group-IB updated its blog post after SITA claimed that there was “no substance in the suggestion of Group-IB that the attack on SITA PSS and the separate attack on Air India were linked or carried out by the same threat actor.”

The hackers who targeted Air India used their presence on the airline’s network to collect credentials and move laterally. They compromised at least 20 devices within Air India’s network and also attempted to escalate privileges. They also exfiltrated data from the network.

“The attack on Air India lasted for at least 2 months and 26 days. It took the attackers 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline’s network,” Group-IB says.

The cybersecurity firm believes that APT41, a prolific Chinese state-sponsored threat actor, was behind the attack on Air India. Active since at least 2007, the group is also tracked as WICKED SPIDER (PANDA), Winnti Umbrella, and BARIUM, and is known for frequently targeting Indian organizations.

In this attack, the threat actor used a specific SSL certificate that was detected on only five hosts and which the researchers linked to APT41. Furthermore, the adversary reused IP addresses and file contents employed in previous attacks and, after the campaign was over, the domains were parked at an IP address, a tactic for which APT41 is well known.
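The indicators Group-IB describes above (a server certificate seen on only a handful of hosts, a long-lived channel from one server to attacker infrastructure, and the time it took beacons to spread to other devices) are all things a defender can recover from connection telemetry. The following Python is an added example, not code from the article or from Group-IB's report: it parses constructed TLS connection log lines, pivots on the certificate fingerprint to list every internal host that talked to infrastructure presenting it, measures how long each host-to-destination channel persisted, and computes the delay between the first contact and the first contact from a different host. All host names other than SITASERVER4, the IP addresses, fingerprints and timestamps are constructed placeholders.

```python
"""Added example (not from the SecurityWeek article or Group-IB's report).

Reconstructs three intrusion metrics from constructed TLS connection logs:
certificate pivot, per-channel dwell time, and beacon spread delay.
Hostnames (except SITASERVER4, which the article names), IPs, fingerprints
and timestamps are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample telemetry: "<ISO-8601 UTC> <internal host> <dst IP> <cert fingerprint>"
# Documentation-range IPs and short placeholder hashes; deliberately unsorted.
SAMPLE_LOG = """\
# ts host dst_ip cert_fp (constructed)
2021-02-23T08:00:00Z SITASERVER4 203.0.113.10 aaaa1111
2021-02-24T08:05:00Z HOST-B 203.0.113.10 aaaa1111
2021-03-10T12:00:00Z SITASERVER4 203.0.113.10 aaaa1111
2021-03-01T10:00:00Z HOST-C 198.51.100.7 bbbb2222
2021-03-01T10:05:00Z HOST-C 198.51.100.7 bbbb2222
2021-04-02T11:00:00Z HOST-D 203.0.113.10 aaaa1111
2021-05-20T18:30:00Z SITASERVER4 203.0.113.10 aaaa1111
2021-03-15T09:00:00Z HOST-E 192.0.2.50 cccc3333
"""


class Conn(NamedTuple):
    ts: datetime
    host: str
    dst_ip: str
    cert_fp: str


def parse_log(text: str) -> List[Conn]:
    """Parse the four-column log format above; skip blank and '#' lines; sort by time."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dst_ip, cert_fp = line.split()
        conns.append(Conn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dst_ip, cert_fp))
    return sorted(conns, key=lambda c: c.ts)


def hosts_by_cert(conns: List[Conn]) -> Dict[str, List[str]]:
    """Certificate pivot: which internal hosts saw each server certificate fingerprint."""
    seen = defaultdict(set)
    for c in conns:
        seen[c.cert_fp].add(c.host)
    return {fp: sorted(hosts) for fp, hosts in seen.items()}


def communication_spans(conns: List[Conn]) -> Dict[Tuple[str, str], Tuple[datetime, datetime]]:
    """First and last observed contact for every (host, destination IP) pair."""
    spans: Dict[Tuple[str, str], Tuple[datetime, datetime]] = {}
    for c in conns:
        key = (c.host, c.dst_ip)
        first, last = spans.get(key, (c.ts, c.ts))
        spans[key] = (min(first, c.ts), max(last, c.ts))
    return spans


def long_dwell(conns: List[Conn], threshold: timedelta = timedelta(days=30)) -> List[Tuple[str, str]]:
    """Channels whose observed lifetime meets the threshold (sustained C2 rather than a one-off)."""
    return sorted(key for key, (first, last) in communication_spans(conns).items()
                  if last - first >= threshold)


def spread_delay(conns: List[Conn], dst_ip: str) -> Optional[timedelta]:
    """Time from the first contact with dst_ip to the first contact from a different host.

    Returns None when only one host ever reached dst_ip (no lateral spread observed).
    """
    first: Optional[Conn] = None
    for c in conns:  # conns is time-sorted, so the first match is the earliest contact
        if c.dst_ip != dst_ip:
            continue
        if first is None:
            first = c
        elif c.host != first.host:
            return c.ts - first.ts
    return None


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for fp, hosts in hosts_by_cert(records).items():
        print(f"cert {fp}: {len(hosts)} host(s) -> {', '.join(hosts)}")
    for (host, dst), (first, last) in communication_spans(records).items():
        print(f"{host} -> {dst}: {first:%Y-%m-%d} .. {last:%Y-%m-%d} ({last - first})")
    print("long-dwell channels:", long_dwell(records))
    print("spread delay for 203.0.113.10:", spread_delay(records, "203.0.113.10"))
```

Running the script on the constructed sample reports one 86-day channel from SITASERVER4 and a spread delay of one day and five minutes for the same destination, which is the shape of the timeline the article describes; on real telemetry the same functions would be fed from proxy, NetFlow or EDR network logs, and the fingerprint map is where a known-bad certificate hash from a vendor report would be matched.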

*updated on August 17 to clarify that APT41 has targeted Air India, not SITA, and that the two incidents involving Air India do not appear to be linked. Changes have been made to the headline, first paragraph, and throughout the article to reflect this.

Related: At Least 10 Threat Actors Targeting Recent Microsoft Exchange Vulnerabilities

Related: China’s APT41 Exploited Citrix, Cisco, ManageEngine Flaws in Global Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
