Security Experts: United Airlines Hack Highlights Need for Improved Information Sharing

United Airlines Breached by China Hackers

Same China-Based Attackers that Breached U.S. Government Also Hacked United Airlines, Sources Say - Shows Need for Better Threat Information Sharing

The same cyber-attackers who breached the Office of Personnel Management and healthcare giant Anthem appear to have also stolen flight manifests containing passenger information from United Airlines earlier this year, according to reports.

Sharing details of the breach would help other organizations identify if they have also been targeted by this group, security experts said.

"It would be naive to think that we have found the only three compromised," Paul Kurtz, former cybersecurity advisor to the White House and current CEO of TruSTAR Technology, told SecurityWeek.

The airline detected the attack in May or early June, but there are signs the attackers were in the networks as far back as April 2014, Bloomberg reported Wednesday, citing unnamed sources familiar with the investigation. The system outages which grounded flights for two hours in early July were not related to this attack, according to the report.  

United Airlines has yet to confirm the breach, and says the report is based on speculation.

"These reports are based on pure speculation, and we can assure our customers that their personal information is secure," a United Airlines spokesperson told SecurityWeek. "We remain vigilant in protecting against unauthorized access and use top advisors and best practices on cyber-security to maintain our effectiveness."

The group is believed to already have Social Security numbers for current and former federal workers, contractors, friends, and families, and other types of sensitive information of 21.5 million people from the OPM breach.

Data stolen from United reportedly included identifying information about passengers, along with their travel details. The information could potentially be cross-referenced to track individuals—such as government staff and military officials—and their travel plans. And that's not even considering what other nuggets of information could be mined when cross-referencing these records against the information stolen from Anthem.

"Analyzing the travel habits of US government personnel can somewhat harmlessly provide insight into the development of new alliances or business partnerships, but can also be an invaluable tool in the never-ending effort by intelligence agencies to compromise those with access to classified information," Jeff Hill, channel marketing manager with STEALTHbits, told SecurityWeek.

The same group is believed to have targeted at least 10 companies and organizations, including other travel providers and health insurers, FireEye told Bloomberg.

This latest breach should drive home the importance of sharing actionable incident reports, Kurtz said. There needs to be a more systematic way for organizations to collaborate. Even if the details uncovered during the investigations don't make it into news reports—such as unique IP addresses, the servers the data was copied to, and details of the exploit or malware used, to name a few—a more systematic approach towards sharing these attack indicators would help organizations identify breaches and stop them sooner.

For example, one Web domain used in this attack was registered by a James Rhodes, which happens to be the alias of War Machine from Marvel Comics’ Iron Man. This group has been known to reference Marvel comic book characters in its attacks, security experts said.

"If security teams work together the way scientists come together to collectively find cures and manage health risks, we would have a better chance of stopping cascading attacks across multiple sectors," Kurtz said.

Shortly after the breach at OPM was disclosed, there were reports of legacy government systems and outdated processes. Security professionals often chide the public sector for not maintaining the security standards of the private sector, but this attack indicates the group's sophistication, Carl Herberger, vice-president of security solutions at Radware and former cybersecurity officer in the US Air Force, told SecurityWeek. "This group has proven itself to be adept at infiltrating both public and private organizations," Herberger said.

"All organizations in today's market need to stop and reassess the standards at which they operate and the systems they once thought were sufficient, across the board, or we will only continue to read about more and more companies who join this rapidly expanding list of damaging hacks and breaches," Herberger added.

“I’m sure this is a wake-up call to all airlines. It’s been reported the same investigators that worked on the OPM breach helped United Airlines discover this latest breach,” Jason Polancich, founder and chief architect at SurfWatch Labs and former government intelligence analyst, told SecurityWeek. “Unfortunately, UA was reacting. They weren’t proactively pursuing intelligence; they were waiting for someone to tell them where to look. To be most effective, cyber should intersect with physical and operational security and so many companies aren’t thinking that way. The value of intelligence is critically missing.”

“More and more foreign governments are being connected to cyber attacks against private corporations in order to gain strategic advantage and influence important outcomes,” added Monzy Merza, chief security evangelist at Splunk. “This is uncharted territory from a policy perspective. We can expect to see an escalation of these types of attacks across the globe. Mitigating these attacks will take greater visibility into organizational infrastructure and a policy component designed to deal with this evolving cyber war landscape.”

News of the breach comes just days after the air carrier announced its highest-ever quarterly profit of $1.3 billion in the second quarter of 2015.

*Updated with response from United Airlines

Additional reporting by Mike Lennon

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.