Researchers Attribute SITA Cyberattack to Chinese Hackers

The cyberattack on airline IT provider SITA that impacted multiple airlines around the world was carried out by the Chinese nation-state threat actor tracked as APT41, according to security researchers at Group-IB.


Codenamed ColunmTK by Group-IB and disclosed in early March 2021, the attack affected airlines such as Air India, Air New Zealand, Finland’s Finnair, Singapore Airlines, Malaysia Airlines, and South Korea’s Jeju Air. SITA has roughly 2,500 customers and provides services at over 1,000 airports worldwide.


One of the affected airlines was Air India, which announced in May that approximately “4,500,000 data subjects globally” were affected. Compromised data includes names, dates of birth, passport information, contact information, and additional data.


Air India revealed that the attack was related to SITA PSS (Passenger Service System), which processes passengers’ personally identifiable information (PII).




Group-IB’s investigation revealed that the first system within Air India’s network to communicate with the attackers’ infrastructure was a host named SITASERVER4, and that it had been hosting a Cobalt Strike implant for more than two months.


The attackers used that foothold to harvest credentials and move laterally, compromising at least 20 devices within Air India’s network, attempting to escalate privileges, and exfiltrating data from the network.


“The attack on Air India lasted for at least 2 months and 26 days. It took the attackers 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline's network,” Group-IB says.
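The two numbers Group-IB quotes above, a single host beaconing for months and then the implant spreading to other hosts within a day, are exactly what a cadence-based beacon hunt over outbound connection logs is meant to surface. The script below is an added example and not Group-IB’s tooling or anything from the report: it groups outbound connections by (host, destination), flags pairs whose inter-connection gaps are unusually regular, and then orders the flagged hosts by the time each first contacted the suspected C2 to measure how fast the implant spread. The log format is a constructed four-column layout, the destination addresses are RFC 5737 documentation ranges, and the hostnames other than SITASERVER4 (the one the article names) are invented; the timings are chosen to echo the timeline quoted in the article, not taken from it.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_host> <dst_ip> <dst_port>".
# SITASERVER4 beacons to a placeholder C2 (203.0.113.10) roughly once a minute;
# WKS-12 and FILESRV2 start doing the same about a day later (lateral spread);
# WKS-07 makes irregular connections to an unrelated address and should NOT be flagged.
SAMPLE_LOG = """
2021-02-23T09:00:00 SITASERVER4 203.0.113.10 443
2021-02-23T09:01:01 SITASERVER4 203.0.113.10 443
2021-02-23T09:02:00 SITASERVER4 203.0.113.10 443
2021-02-23T09:03:02 SITASERVER4 203.0.113.10 443
2021-02-23T09:04:00 SITASERVER4 203.0.113.10 443
2021-02-23T09:05:01 SITASERVER4 203.0.113.10 443
2021-02-23T09:06:00 SITASERVER4 203.0.113.10 443
2021-02-23T09:07:01 SITASERVER4 203.0.113.10 443
2021-02-23T09:00:10 WKS-07 198.51.100.5 443
2021-02-23T09:00:40 WKS-07 198.51.100.5 443
2021-02-23T09:07:30 WKS-07 198.51.100.5 443
2021-02-23T09:12:00 WKS-07 198.51.100.5 443
2021-02-23T09:13:15 WKS-07 198.51.100.5 443
2021-02-24T09:03:00 WKS-12 203.0.113.10 443
2021-02-24T09:04:01 WKS-12 203.0.113.10 443
2021-02-24T09:05:00 WKS-12 203.0.113.10 443
2021-02-24T09:06:02 WKS-12 203.0.113.10 443
2021-02-24T09:07:00 WKS-12 203.0.113.10 443
2021-02-24T09:08:01 WKS-12 203.0.113.10 443
2021-02-24T09:05:05 FILESRV2 203.0.113.10 443
2021-02-24T09:06:05 FILESRV2 203.0.113.10 443
2021-02-24T09:07:06 FILESRV2 203.0.113.10 443
2021-02-24T09:08:05 FILESRV2 203.0.113.10 443
2021-02-24T09:09:05 FILESRV2 203.0.113.10 443
2021-02-24T09:10:06 FILESRV2 203.0.113.10 443
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, dst_ip, dst_port) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, host, dst_ip, dst_port = line.split()
        records.append((datetime.fromisoformat(ts), host, dst_ip, int(dst_port)))
    return records


def find_beacons(records, min_events=5, max_cv=0.1):
    """Flag (host, dst_ip, dst_port) pairs whose connection cadence is regular enough
    to look like an implant check-in.

    Regularity is measured as the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections; a low value means near-constant sleep intervals.
    Returns {pair: (first_seen, last_seen, event_count, mean_gap_seconds)}.
    """
    by_pair = defaultdict(list)
    for ts, host, dst_ip, dst_port in records:
        by_pair[(host, dst_ip, dst_port)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue  # too few observations to judge cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue  # all events at the same instant; not a cadence
        if pstdev(gaps) / mu <= max_cv:
            beacons[pair] = (times[0], times[-1], len(times), mu)
    return beacons


def spread_timeline(beacons, dst_ip):
    """For one suspected C2 address, order the beaconing hosts by first contact and
    return (hosts_in_order, seconds between the first host's and the last host's
    first contact), i.e. how long the implant took to spread."""
    firsts = sorted((info[0], host)
                    for (host, ip, _port), info in beacons.items() if ip == dst_ip)
    if not firsts:
        return [], 0.0
    hosts = [host for _, host in firsts]
    return hosts, (firsts[-1][0] - firsts[0][0]).total_seconds()


if __name__ == "__main__":
    beacons = find_beacons(parse_log(SAMPLE_LOG))
    for (host, ip, port), (first, last, n, mu) in sorted(beacons.items(), key=lambda kv: kv[1][0]):
        print(f"{host} -> {ip}:{port}: {n} check-ins every ~{mu:.0f}s, {first} .. {last}")
    hosts, secs = spread_timeline(beacons, "203.0.113.10")
    print(f"spread order {hosts}, first-to-last initial contact {secs / 3600:.2f} h")
```

The threshold of 0.1 on the coefficient of variation is an assumption for this sample; Cobalt Strike's sleep time and jitter are operator-configurable, so a profile with high jitter will produce gaps regular enough to escape a tight threshold and needs a looser one (or a different feature, such as fixed request sizes) to catch. The dwell time the article reports comes straight from `first_seen` on the earliest flagged host, which is why retaining outbound connection logs for months, not weeks, matters for this kind of investigation.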


The security researchers believe that APT41, a pro ..
