New details have emerged about a massive cyberattack on SITA, the global IT provider that serves 90 percent of the world’s airlines. The campaign is proving to be the largest supply-chain attack on the airline industry in history.
The massive cloud data breach that affected 4.5 million passengers was traced back by researchers to China’s state-sponsored actor APT41.
The aviation technology company SITA first announced that its networks were attacked in March, saying the attack exposed the personal data of some of its customers.
After Singapore, Malaysia Airlines, and Air India also revealed that they had suffered massive security breaches, it became apparent that analysts were looking at the biggest supply-chain attack ever to hit the aviation industry, according to Group-IB analyst Nikita Rostovcev.
The campaign is codenamed ColunmTK, a name that combines the first two domains used for DNS tunneling in the attack: ns2[.]colunm[.]tk and ns1[.]colunm[.]tk.
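DNS tunneling of the kind referenced above leaves a characteristic pattern in resolver logs: many unique, long, high-entropy leftmost labels under one parent domain. The following is an added illustration written for this article, not Group-IB's or SITA's code, of a simple heuristic a defender can run over resolver logs. The log lines, the hex-looking subdomain labels and the thresholds are constructed for the example; only the colunm.tk parent domain comes from the article, and the last-two-labels approximation of the registrable domain is an assumption that a real deployment would replace with the Public Suffix List.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not a real capture). One query per line:
# "<timestamp> <client-ip> <qtype> <qname>". The parent domain colunm.tk is the
# one named in the article; the subdomain labels are made up for illustration.
SAMPLE_DNS_LOG = """\
2021-02-23T10:00:01Z 10.1.4.22 A www.example.com
2021-02-23T10:00:02Z 10.1.4.22 A mail.example.com
2021-02-23T10:00:02Z 10.1.4.22 A api.example.com
2021-02-23T10:00:03Z 10.1.4.22 A login.example.com
2021-02-23T10:00:03Z 10.1.4.22 A static.example.com
2021-02-23T10:00:04Z 10.1.4.22 TXT 7a3f9c1e2b4d6f80a1c3e5b7.ns1.colunm.tk
2021-02-23T10:00:04Z 10.1.4.22 TXT 9e8d7c6b5a4f3e2d1c0b9a87.ns1.colunm.tk
2021-02-23T10:00:05Z 10.1.4.22 TXT 0f1e2d3c4b5a69788796a5b4.ns2.colunm.tk
2021-02-23T10:00:05Z 10.1.4.22 TXT c3d4e5f60718293a4b5c6d7e.ns2.colunm.tk
2021-02-23T10:00:06Z 10.1.4.22 TXT 5b6c7d8e9fa0b1c2d3e4f501.ns1.colunm.tk
2021-02-23T10:00:06Z 10.1.4.22 TXT a1b2c3d4e5f60718293a4b5c.ns1.colunm.tk
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Return a list of (timestamp, client, qtype, qname); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            records.append((ts, client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def parent_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption:
    a production version should consult the Public Suffix List)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character; encoded payload chunks score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_tunneling_candidates(records, min_unique=5, min_label_len=16, min_entropy=3.0):
    """Group queries by parent domain and flag parents whose leftmost labels look
    like encoded data: at least min_unique distinct labels with a mean length of
    min_label_len or more and a mean entropy of min_entropy bits or more.
    Returns {parent: {"unique", "mean_len", "mean_entropy", "qtypes"}}."""
    labels_by_parent = defaultdict(set)
    qtypes_by_parent = defaultdict(set)
    for _, _, qtype, qname in records:
        parent = parent_domain(qname)
        leftmost = qname.split(".")[0]
        if leftmost != parent.split(".")[0]:  # skip bare apex queries
            labels_by_parent[parent].add(leftmost)
        qtypes_by_parent[parent].add(qtype)

    flagged = {}
    for parent, labels in labels_by_parent.items():
        if len(labels) < min_unique:
            continue
        mean_len = sum(len(l) for l in labels) / len(labels)
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[parent] = {
                "unique": len(labels),
                "mean_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "qtypes": sorted(qtypes_by_parent[parent]),
            }
    return flagged


if __name__ == "__main__":
    for parent, stats in find_tunneling_candidates(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"possible DNS tunneling via {parent}: {stats}")
```

The five distinct example.com subdomains show why the count of unique labels alone is not enough: they pass the uniqueness threshold but fail on label length and entropy, while the six colunm.tk queries pass all three. The record types per parent are reported because TXT and NULL queries from endpoints that normally issue only A/AAAA lookups are a further signal worth correlating.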
Group-IB traced the attack on Air India to the earlier attack on SITA, the airline’s data processing partner. According to the company’s report, the breach affected about 4.5 million customers.
The attack lasted for almost three months and involved the use of Cobalt Strike beacons. According to researchers, it took the threat actors only about 24 hours to spread the beacons across the airline’s entire network. They used a variety of malware tools:
“The attackers exfiltrated NTLM hashes and plain-text passwords from local workstations using hashdump and Mimikatz,” Group-IB reported. “The attackers tried to escalate local privileges with the help of BadPotato malware. BadPotatoNet4.exe was uploaded to one of the devices inside the victim’s network under the name SecurityHealthSystray.exe.”
Later, a database containing the details of Air India customers was put up for sale on the surface web for $3,000. Group-IB analysts initially thought the database was fake, but then realized it had been posted by a nation-state actor with no connection to a financial crime group.
The researchers were able to link, with “moderate confidence”, the addresses used in the Air India attack to those of the APT41 group, saying the incident showed similarities with the SITA attack and with others carried out by APT41 (a.k.a. Wicked Panda, Wicked Spider, Winnti and Barium).