Skip to main content

Chinese Hackers Believed to be Behind Cyberattacks on Airlines.



Even as a massive data breach affecting Air India came to light the previous month, India's flag carrier airline appears to have suffered a separate cyber assault that lasted for a period of at least two months and 26 days, new research has revealed, which attributed the incident with moderate confidence to a Chinese nation-state threat actor called APT41.
Group-IB dubbed the campaign "ColunmTK" based on the names of command-and-control (C2) server domains that were used for facilitating communications with the compromised systems.
"The potential ramifications of this incident for the entire airline industry and carriers that might yet discover traces of ColunmTK in their networks are significant," the Singapore-headquartered threat hunting company said.
While Group-IB alluded that this may have been a supply chain attack targeting SITA, the Swiss aviation information technology company told The Hacker News that they are two different security incidents.
"The airline confirmed vis-à-vis SITA on Jun. 11 2021 that the cyber attack on Air India [...] is not the same or in any way linked to the attack on SITA PSS," SITA told our publication over email.



Also known by other monikers such as Winnti Umbrella, Axiom and Barium, APT41 is a prolific Chinese-speaking nation-state advanced persistent threat known for its campaigns centered around information theft and espionage against healthcare, high-tech, and telecommunications sectors to establish and maintain strategic access for stealing intellectual property and committing financially motivated cybercrimes.
"Their cyber crime intrusions are most apparent among video game industry targeting, including the manipulation of virtual currencies, and attempted deployment of ransomware," according to FireEye. "APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance."
On May 21, Air India disclosed a data breach affecting 4.5 million of its customers over a period stretching nearly 10 years in the wake of a supply chain attack directed at its Passenger Service System (PSS) provider SITA earlier this February.


The breach involved personal data registered between Aug. 26, 2011, and Feb. 3, 2021, including details such as names, dates of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data, as well as credit card data.
FireEye's Mandiant, which is assisting SITA with the incident response efforts, has since determined that the attack was highly sophisticated and that the tactics, techniques, and procedures (TTPs) and compromise indicators point to a single entity, adding the "identity and motive of the perpetrator are not entirely conclusive."

Likely a New Attack Against Air India.

Group-IB's analysis has now revealed that at least since Feb. 23, an infected device inside Air India's network (named "SITASERVER4") communicated with a server hosting Cobalt Strike payloads dating all the way back to Dec. 11, 2020.
Following this initial compromise, the attackers are said to have established persistence and obtained passwords in order to pivot laterally to the broader network with the goal of gathering information inside the local network.
No fewer than 20 devices were infected during the course of lateral movement, the company said. "The attackers exfiltrated NTLM hashes and plain-text passwords from local workstations using hashdump and mimikatz," Group-IB Threat Intelligence Analyst, Nikita Rostovcev, said. "The attackers tried to escalate local privileges with the help of BadPotato malware."

In all, the adversary extracted 23.33 MB of data from five devices named SITASERVER4, AILCCUALHSV001, AILDELCCPOSCE01, AILDELCCPDB01, and WEBSERVER3, with the attackers taking 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline's network.
While the initial entry point remains unknown, the fact that "the first device that started communicating with the adversary-controlled C&C server was a SITA server and the fact that SITA notified Air India about its security incident give reasonable ground to believe that the compromise of Air India's network was the result of a sophisticated supply chain attack, which might have started with SITA."
Connections to Barium are grounded on the basis of overlaps between the C2 servers found in the attack infrastructure with those used in earlier attacks and tactics employed by the threat actor to park their domains once their operations are over. Group-IB also said it discovered a file named "Install.bat" that bore similarities to payloads deployed in a 2020 global intrusion campaign.
Indicators of compromise (IoC) associated with the incident can be accessed here. We have reached out to Group-IB and Air India for further clarification, and we'll update the story if we hear back.




#THN


#osutayusuf 

Comments

Popular posts from this blog

We Bring You Brief Series of Sanctions Against Uganda Government Officials.

📸: Gen Abel Kandiho. On 9-December-2021, USA slapped sanctions against the then CMI Commander Gen Abel Kandiho. 📸: Gen Kale Kayihura. On 9-December-2022, UK slapped sanctions against former Police Boss Gen Kale Kayihura. 📸: Commissioner General of Prisons, Johnson Byabashaija. Again on this 4-December-2023, the same USA has slapped sanctions against Uganda Prisons Commander Johnson Byabashaija over alleged torture and human rights abuses in Prisons across Uganda. We ask, has USA and UK made December as an LCM to slap sanctions against high ranking government officials in Uganda even when the sanctions just remain on paper without deeper investigations to ascertain logical conclusions or remedy to that effect ?. #iip_updates  #Information_is_Power  #we_inform_the_uninformed

How to Host a Website for Free From Your PC or Laptop.

Why pay for a web hosting service when your old computer can do the same thing? Learn how to self-host your site. If you're planning to launch a website but don't want to pay recurring monthly or annual hosting fees, you can use any old laptop or desktop PC to host a website for free. It's a great way to utilize your old system instead of throwing it away. In this guide, we will install and set up services on our 10-year-old laptop to host a WordPress, Joomla, or custom HTML or PHP-based website with a free SSL certificate. MAKEUSEOF VIDEO OF THE DAY Things You Will Need to Host a Website Following are the pre-requisites to host a website for free from home with just your computer: An old laptop or PC running Ubuntu Server. A registered domain name for your website Ethernet cable to connect the laptop or PC to router for reliable and fast connection Step 1: Update and Upgrade the Packages After  installing Ubuntu Server on your computer , execute the following c...

WHERE IS MINISTER OF SEX SIMON LOKODO?. (He deserves a battle of soda from me! Ministe`r esalanga mabee. He is quick to run after Mrs Dr Stella Nyanzi and other Opposition elements. Government aza aza edo zuu vaa kpere bua). Anyway, below is the article! POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit'  Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos. Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.

POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit' Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says  Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos . Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.