Posted on January 20, 2021 at 4:21 PM
A recent report by the NCC Group and its subsidiary Fox-IT revealed that threat actors are infiltrating airline servers to steal passenger data. According to the threat report, the threat actors are reportedly sponsored by China.
The espionage campaign, tracked as Chimera, has been going on for three years, but the group was first discovered last year after attacking semiconductor companies.
Although the report didn’t reveal why the hackers are interested in airline passengers’ data, it is known that passenger details allow threat actors to track specific targeted persons.
Threat actors operate globally
The researchers also stated that the hacking syndicate doesn’t confine its attacks to Asia, as it has been discovered attacking organizations in other regions as well.
The security threats organizations face today have expanded both in intensity and scope. When information security is not handled carefully, millions or even billions of dollars can be at risk.
The Black Hat presentation about the hackers’ activities last year described a series of coordinated attacks against the Taiwanese semiconductor industry.
But the Fox-IT and NCC Group report published last week revealed that the group’s hacking activities extend further than initially believed, after it targeted the airline industry.
“Threat actor during various incident response engagements performed between October 2019 until April 2020,” the two firms revealed.
The attacks targeted airline and semiconductor companies in various geographical locations, and not only in Asia, both firms also noted.
The threat actors hid inside some victims’ networks for up to three years before they were discovered.
User data scraped from RAM
The two attacks, on the semiconductor industry and on airline passengers, had different motives. In the former, the threat actors were looking for intellectual property they could steal.
However, the attack on the airline industry focused on something different.
The goal of the attack seems to be the theft of Passenger Name Records (PNR), according to the two firms.
However, the hackers may not have obtained the PNR data through the same process at every victim. One clear observation the companies pointed out is the retrieval of PNR data from memory using several custom DLL files.
The joint report also describes the typical operational method of the Chimera group. According to the report, the group’s modus operandi generally starts with the collection of stolen user credentials obtained from public leaks posted by other hackers.
The data is then used for password spraying and credential stuffing attacks against their targets’ employee-facing services. After planting malware on the target system, the threat actors look for login credentials of corporate systems such as VPN applications and Citrix systems.
After getting control of the server, the threat actors utilize Cobalt Strike to move laterally to as many systems as possible.
According to the security companies, the threat actors were very thorough and patient in their attack. They kept on searching until they were able to find avenues across segmented networks to reach their systems of interest.
After collecting the targeted data, they send it to a public cloud service such as Google Drive, Dropbox, or OneDrive, since traffic to these services is usually neither blocked nor inspected.
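As an added illustration (not code from the report or from either firm), the password spraying step described above leaves a recognizable trace on the defender’s side: one source address failing logins against many distinct accounts, as opposed to a brute-force run hammering a single account. The log format, IP addresses and usernames below are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (assumed format, not from the report).
# 203.0.113.7 tries one password across many accounts (spray), then lands on "erin".
# 198.51.100.9 retries a single account (brute force, not a spray).
SAMPLE_LOG = """\
2020-03-01T08:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2020-03-01T08:00:03Z auth src=203.0.113.7 user=bob result=FAIL
2020-03-01T08:00:05Z auth src=203.0.113.7 user=carol result=FAIL
2020-03-01T08:00:07Z auth src=203.0.113.7 user=dave result=FAIL
2020-03-01T08:00:09Z auth src=203.0.113.7 user=erin result=SUCCESS
2020-03-01T08:05:00Z auth src=198.51.100.9 user=frank result=FAIL
2020-03-01T08:05:02Z auth src=198.51.100.9 user=frank result=FAIL
2020-03-01T08:05:04Z auth src=198.51.100.9 user=frank result=SUCCESS
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def detect_spray(log_text, min_users=3):
    """Return {src_ip: {"failed_users": [...], "successes": [...]}} for every
    source that failed against at least `min_users` distinct accounts.
    Successful logins from a spraying source are listed so the accounts
    can be reviewed and the sessions revoked."""
    failed = defaultdict(set)
    success = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not auth events
        if m["result"] == "FAIL":
            failed[m["src"]].add(m["user"])
        elif m["result"] == "SUCCESS":
            success[m["src"]].add(m["user"])
    return {
        src: {"failed_users": sorted(users), "successes": sorted(success.get(src, ()))}
        for src, users in failed.items()
        if len(users) >= min_users
    }


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {info}")
```

The single-account retries from 198.51.100.9 are deliberately not flagged, since the distinguishing signal of a spray is the number of distinct accounts, not the number of failures.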
Targeting persons of interest
This is not the first time state-sponsored hacking groups are targeting telcos, hotel chains, or airline companies in search of data.
They have an interest in these organizations because they want to monitor the communications and movements of persons of interest.
In the past, hacking groups such as APT41 have been involved in similar hacking activities. The group targeted telcos using special malware that can steal SMS messages.
The attack seems to be part of China’s campaign to track the Uyghur minority, as they tried to monitor Uyghur travelers’ movement.
Also, the Chinese state-sponsored hackers have a hand in the Mainnet hack, as they stole lots of hotel reservation details.
However, China is not the only state backing hackers currently behind several breaches. The Iranian APT39 hacking syndicate has been blamed for several other attacks as well.