Skip to main content

Chinese Hackers Believed to be Behind Cyberattacks on Airlines.



Even as a massive data breach affecting Air India came to light the previous month, India's flag carrier airline appears to have suffered a separate cyber assault that lasted for a period of at least two months and 26 days, new research has revealed, which attributed the incident with moderate confidence to a Chinese nation-state threat actor called APT41.
Group-IB dubbed the campaign "ColunmTK" based on the names of command-and-control (C2) server domains that were used for facilitating communications with the compromised systems.
"The potential ramifications of this incident for the entire airline industry and carriers that might yet discover traces of ColunmTK in their networks are significant," the Singapore-headquartered threat hunting company said.
While Group-IB alluded that this may have been a supply chain attack targeting SITA, the Swiss aviation information technology company told The Hacker News that they are two different security incidents.
"The airline confirmed vis-à-vis SITA on Jun. 11 2021 that the cyber attack on Air India [...] is not the same or in any way linked to the attack on SITA PSS," SITA told our publication over email.



Also known by other monikers such as Winnti Umbrella, Axiom and Barium, APT41 is a prolific Chinese-speaking nation-state advanced persistent threat known for its campaigns centered around information theft and espionage against healthcare, high-tech, and telecommunications sectors to establish and maintain strategic access for stealing intellectual property and committing financially motivated cybercrimes.
"Their cyber crime intrusions are most apparent among video game industry targeting, including the manipulation of virtual currencies, and attempted deployment of ransomware," according to FireEye. "APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance."
On May 21, Air India disclosed a data breach affecting 4.5 million of its customers over a period stretching nearly 10 years in the wake of a supply chain attack directed at its Passenger Service System (PSS) provider SITA earlier this February.


The breach involved personal data registered between Aug. 26, 2011, and Feb. 3, 2021, including details such as names, dates of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data, as well as credit card data.
FireEye's Mandiant, which is assisting SITA with the incident response efforts, has since determined that the attack was highly sophisticated and that the tactics, techniques, and procedures (TTPs) and compromise indicators point to a single entity, adding the "identity and motive of the perpetrator are not entirely conclusive."

Likely a New Attack Against Air India.

Group-IB's analysis has now revealed that at least since Feb. 23, an infected device inside Air India's network (named "SITASERVER4") communicated with a server hosting Cobalt Strike payloads dating all the way back to Dec. 11, 2020.
Following this initial compromise, the attackers are said to have established persistence and obtained passwords in order to pivot laterally to the broader network with the goal of gathering information inside the local network.
No fewer than 20 devices were infected during the course of lateral movement, the company said. "The attackers exfiltrated NTLM hashes and plain-text passwords from local workstations using hashdump and mimikatz," Group-IB Threat Intelligence Analyst, Nikita Rostovcev, said. "The attackers tried to escalate local privileges with the help of BadPotato malware."

In all, the adversary extracted 23.33 MB of data from five devices named SITASERVER4, AILCCUALHSV001, AILDELCCPOSCE01, AILDELCCPDB01, and WEBSERVER3, with the attackers taking 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline's network.
While the initial entry point remains unknown, the fact that "the first device that started communicating with the adversary-controlled C&C server was a SITA server and the fact that SITA notified Air India about its security incident give reasonable ground to believe that the compromise of Air India's network was the result of a sophisticated supply chain attack, which might have started with SITA."
Connections to Barium are grounded on the basis of overlaps between the C2 servers found in the attack infrastructure with those used in earlier attacks and tactics employed by the threat actor to park their domains once their operations are over. Group-IB also said it discovered a file named "Install.bat" that bore similarities to payloads deployed in a 2020 global intrusion campaign.
Indicators of compromise (IoC) associated with the incident can be accessed here. We have reached out to Group-IB and Air India for further clarification, and we'll update the story if we hear back.




#THN


#osutayusuf 

Comments

Popular posts from this blog

More Than 100 Angry Youths Chased Maracha District Officials Out of Site Meeting Over Corruption.

📸: Some of the angry Youths displaying placards as others walked in to stop the ongoing meeting by Maracha District officials. Story by Osuta Yusuf. Maracha District. 3-February-2025. 📸: Kololo Public Seed Secondary School whose construction project has again stalled. Photo by Osuta Yusuf, Our News Reporter. The angry youths from Vurra Parish, Tara Sub-county in Maracha East constituency, Maracha District have on Monday 3-Feb-2025 chased the entire Maracha District officials out of a site meeting in Kololo Seed Secondary over allegations of corruption stemming from the stalled seed school construction project. Key Maracha District officials who went for the site meeting on Monday 3-Feb-2025 include, the Security department headed by the deputy RDC Koliba Monica Kotevu and Assistant RDC Collins Dramani, the LC5 Chairperson Hon Obitre Stephen together with his DEC Councilors, the accounting  / technical department headed by the CAO Mr Olila Patrick, the Engi...

Escaped Murder Suspect Finally Arrested in Yumbe Regional Referral Hospital, Yumbe District.

Story by Osuta Yusuf. 19-November-2024. 📸: Eyotre Kennedy handcuffed on bed while receiving medication this morning at Yumbe Regional Referral Hospital in Yumbe District. Eyotre Kennedy originating from Etoko village, Nyoroo Parish, Nyadri Sub-county in Maracha District who has for many years been terrorizing residents in his village, has finally been arrested this Monday morning 19-November-2024 while receiving treatment at Yumbe Regional Referral Hospital in Yumbe District following injuries he sustained from Theft mission on Saturday night 16-November-2024 in Owapi village, Azapi parish in Odupi Sub-county, Terego East Constituency in Terego District. Click here on the link  https://informationispowah.blogspot.com/2024/11/fugitive-who-chopped-3-people-killed.html   to read the story on his Theft of Goats in Terego. Upon getting cut on the finger and leg by the Mob as he attempted to fight and overpower owner of the goats he attempted to steal on Saturday night ...

41-Years-Old Man Digs His Own Grave in Maracha District.

Story by Osuta Yusuf.  Maracha District.  📸: The grave been dug by Mr Opiga Michael, a victim of frustration. Photo taken by Osuta Yusuf , on Wednesday 11-September-2024. The residents of Ebapi village, Baria Parish in Nyadri Sub-county, Maracha east constituency, Maracha District are in shock after a 41 year old man started digging his own grave. The man, identified as Mr Opiga Michael, who seems to be frustrated over some challenges in life, started digging his own grave on Tuesday 10-September-2024 until he was stopped by the elders in Nyaria clan. 📸: Opiga Michael, the Victim of Frustration. Photo by Osuta Yusuf , Information is Power. While speaking to our reporter on Wednesday evening 11-September-2024, Mr Opiga Michael, said, his main plan  was to commit suicide after finishing digging the grave for burying himself, explained that, he feels frustrated, abandoned and hated by his own clan people, whom he accused of piling lies against him a...