Security News > 2021 > June > Chinese Hackers Believed to be Behind Second Cyberattack on Air India

Chinese Hackers Believed to be Behind Second Cyberattack on Air India
2021-06-15 09:50

The cyber assault on Air India that came to light last month lasted for a period of at least two months and 26 days, new research has revealed, which attributed the incident with moderate confidence to a Chinese nation-state threat actor called APT41.

On May 21, India's flag carrier airline, Air India, disclosed a data breach affecting 4.5 million of its customers over a period stretching nearly 10 years in the wake of a supply chain attack directed at its Passenger Service System provider SITA earlier this February.

The breach involved personal data registered between Aug. 26, 2011, and Feb. 3, 2021, including details such as names, dates of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data, as well as credit card data.

Group-IB's analysis into the incident has revealed that at least since Feb. 23, an infected device inside Air India's network communicated with a server hosting Cobalt Strike payloads dating all the way back to Dec. 11, 2020.

In all, the adversary extracted 23.33 MB of data from five devices named SITASERVER4, AILCCUALHSV001, AILDELCCPOSCE01, AILDELCCPDB01, and WEBSERVER3, with the attackers taking 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline's network.

While the initial entry point remains unknown, the fact that "The first device that started communicating with the adversary-controlled C&C server was a SITA server and the fact that SITA notified Air India about its security incident give reasonable ground to believe that the compromise of Air India's network was the result of a sophisticated supply chain attack, which might have started with SITA.".


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/H9QvjajTV9k/chinese-hackers-believed-to-be-behind.html