Monumental Supply-Chain Attack on Airline Carriers Attributed to APT41

In the recent past, the airline industry and several airline carriers faced one of the largest supply-chain attacks. The devastating consequences of the attack on the SITA Passenger Service System (PSS), which provides services to around 90% of airlines across the globe, are now linked to a Chinese nation-state actor.

Latest discoveries

The campaign, codenamed ColunmTK, has a possible connection with the prolific Chinese-speaking nation-state threat actor APT41, according to researchers at Group-IB.
The report was released after Air India reported a massive passenger data breach on May 21, which was caused by an earlier attack against SITA.
The attack affected 4,500,000 data subjects globally, including data related to Air India's customers.
The attackers tried to escalate local privileges with the help of BadPotato malware and compromised at least 20 devices from Air India's network during lateral movement.

Attack method by APT41

The hacking group used a specific SSL certificate in the attack against Air India; the certificate was observed on five hosts, all of which had been used in APT41's earlier campaigns.
Hackers performed DNS tunneling and extracted data from devices such as SITASERVER4, AILCCUALHSV001, AILDELCCPOSCE01, AILDELCCPDB01, and WEBSERVER3.
In addition, they spread Cobalt Strike beacons to other devices in the airline's network.
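As an added, defender-side illustration of the DNS-tunneling indicator mentioned above (example code written for this page, not from Group-IB's report or from any of the systems named in it): a small scorer that flags clients whose DNS queries carry long, high-entropy, rarely repeating leftmost labels toward a single domain, run over a constructed sample log. The thresholds, the client names and the two-label approximation of a registrable domain are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the report): "<client> <qname>".
# The db02 queries imitate a tunnel that encodes data in the leftmost label.
SAMPLE_LOG = """\
ws01 www.example.com
ws01 cdn.example.net
db02 3f9a0c7e1b5d8246.0001.t.example.org
db02 a1b2c3d4e5f60789.0002.t.example.org
db02 9e8d7c6b5a403f21.0003.t.example.org
db02 0f1e2d3c4b5a6978.0004.t.example.org
ws01 mail.example.com
"""

def shannon_entropy(s):
    """Bits per character of the string (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))

def registered_domain(qname):
    """Simplified (hypothetical) registrable domain: the last two labels."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_queries(log, min_label_len=16, min_entropy=3.0, min_unique=3):
    """Return {client: [(domain, unique_payloads, mean_len, mean_entropy), ...]}
    for domains whose leftmost labels are long, high-entropy and rarely repeat."""
    payloads = defaultdict(lambda: defaultdict(list))
    for line in log.splitlines():
        client, qname = line.split()
        labels = qname.rstrip(".").split(".")
        if len(labels) > 2:  # a payload label only exists below the registered domain
            payloads[client][registered_domain(qname)].append(labels[0])
    findings = defaultdict(list)
    for client, domains in payloads.items():
        for domain, labels in domains.items():
            unique = len(set(labels))
            mean_len = sum(map(len, labels)) / len(labels)
            mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
            if unique >= min_unique and mean_len >= min_label_len and mean_ent >= min_entropy:
                findings[client].append((domain, unique, mean_len, round(mean_ent, 2)))
    return dict(findings)

if __name__ == "__main__":
    for client, hits in score_queries(SAMPLE_LOG).items():
        for domain, unique, mean_len, mean_ent in hits:
            print(f"{client}: {unique} unique payload labels to {domain}, "
                  f"mean length {mean_len:.0f}, mean entropy {mean_ent}")
```

Real deployments would replace the two-label shortcut with a public-suffix list and tune the thresholds against baseline traffic, since CDNs and some legitimate services also emit long, varied subdomains.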

Previous facts on the attack

SITA is responsible for operating passenger processing systems for airline carriers, and a large number of these organizations have reported being affected by the breach.

Air India published an official statement on its website about the data breach, which was caused by a February incident at the airline's IT ..