In the recent past, the airline industry and several airline carriers faced one of the largest supply-chain attacks. The devastating consequences of the attack on the SITA Passenger Service System (PSS), which provides services to around 90% of airlines across the globe, are now linked to a Chinese nation-state actor.

Latest discoveries

The campaign, codenamed ColunmTK, has a possible connection with a prolific Chinese-speaking nation-state threat actor APT41, according to researchers at Group-IB.
  • The report was released after Air India reported a massive passenger data breach on May 21, which was caused by an earlier attack against SITA.
  • The attack affected 4,500,000 data subjects globally, including data related to Air India's customers.
  • The attackers tried to escalate local privileges with the help of BadPotato malware and compromised at least 20 devices from Air India's network during lateral movement.

Attack method by APT41

  • The hacking group used a specific SSL certificate in the attack against Air India, which was detected by five hosts. These five hosts have been used in the APT41 group's earlier campaigns.
  • Hackers performed DNS tunneling and extracted data from devices such as SITASERVER4, AILCCUALHSV001, AILDELCCPOSCE01, AILDELCCPDB01, and WEBSERVER3.
  • In addition, they spread Cobalt Strike beacons to other devices in the airline's network.

Previous facts on the attack

SITA is responsible for operating passenger processing systems for airline carriers, and a large number of these organizations have reported an impact of the breach.
  • Air India published an official statement on its website about the data breach, which was caused by a February incident at the airline's IT service provider, SITA PSS.
  • Later, Air India’s database was put up for sale on an underground market and various other data leak websites at USD $3,000.
  • Between March and May, various airline companies, including Singapore Airlines, Malaysia Airlines, SAS - Scandinavian Airlines, and Lufthansa, disclosed data breaches.

Conclusion

As in the case of several other recent supply-chain attacks, this breach is revealing its impact slowly. It is possible that more SITA customers could identify and reveal the breach on their ends in the coming few weeks. And due to the worldwide reach of SITA, a majority of organizations in this sector are expected to be impacted - directly or indirectly - due to this sophisticated supply-chain attack.

Cyware Publisher

Publisher

Cyware