According to a new cybersecurity threat report, a suspected hacking group from China has been attacking airline companies for the past few years. The report also claims that the objective of the campaign was to obtain passenger data in order to track specific people.
An earlier report by the Taipei-based security company CyCraft claimed that between 2018 and 2019 it detected several attacks on semiconductor vendors located in Taiwan's Hsinchu Science-based Industrial Park. "As these attacks employed similar attack techniques and tactics, a pattern could be discerned from the malicious activities. From this pattern, we deduced that these attacks, which we dubbed Chimera APT Group, were actually conducted by the same threat actor," the CyCraft report added. This was the first description of the hacking group's activities.
Last week, another report was published by the IT security company NCC Group and its subsidiary Fox-IT. It said that the activity of these Chinese hackers is broader than initially thought and that the threat actors have also targeted the airline industry.
"NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020," the report added.
According to NCC Group and Fox-IT, the hackers, believed to be operating in the interests of the Chinese state, have targeted semiconductor and airline companies not only in Asia but also in other regions. In some cases, the threat actors stayed hidden inside the victims' networks for almost three years before being discovered.
NCC Group and Fox-IT said, "The goal of targeting some victims appears to be to obtain Passenger Name Records (PNR)." According to both companies, how the PNR data was obtained likely differed per victim, but the researchers observed "several custom DLL (Dynamic-link library) files used to continuously retrieve PNR data from the memory of systems where such data is typically processed, such as flight booking servers."
The joint report described the group's typical process for conducting cyberattacks, which usually begins with collecting user login details that were leaked publicly after data breaches at other companies.
After gaining access to an internal network, the intruders usually deploy Cobalt Strike, a threat emulation framework, and use it to search for intellectual property as well as passenger details. Once a large amount of data has been compressed, encrypted and staged, it is exfiltrated using a custom-built tool.
"This tool exfiltrates specified files to cloud storage web services. The following cloud storage web services are supported by the malware: Dropbox, Google Drive and OneDrive," said the report.
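The staging and exfiltration step described above leaves a network-level footprint: a server that processes bookings suddenly pushing large volumes of data to Dropbox, Google Drive or OneDrive. The following is an added detection example, written for this article and not taken from the NCC Group/Fox-IT report or the malware itself. It assumes a hypothetical proxy log format (timestamp, source host, destination domain, HTTP method, bytes sent), a constructed list of storage-service domains, and a naming convention for booking servers; all of these are assumptions and the log lines are constructed.

```python
"""
Added detection sketch (not from the report): flag servers that upload
unusual volumes to consumer cloud-storage services.  Hostnames, domains,
thresholds and the log lines below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical proxy log, one line per outbound HTTP request:
# <timestamp> <src_host> <dst_domain> <method> <bytes_sent>
SAMPLE_PROXY_LOG = """\
2020-03-01T02:10:05Z booking-srv-01 api.dropboxapi.com POST 52428800
2020-03-01T02:12:44Z booking-srv-01 content.dropboxapi.com POST 104857600
2020-03-01T02:15:10Z booking-srv-01 content.dropboxapi.com POST 104857600
2020-03-01T09:00:01Z booking-srv-02 updates.example-vendor.com GET 1200
2020-03-01T09:30:12Z ws-finance-17 www.googleapis.com POST 3145728
2020-03-01T11:04:55Z booking-srv-03 graph.microsoft.com PUT 8388608
"""

# Domains for the three services named in the report (assumed endpoints;
# a real deployment would use the proxy's own URL-category feed).
CLOUD_STORAGE_SUFFIXES = {
    "dropboxapi.com": "Dropbox",
    "dropbox.com": "Dropbox",
    "googleapis.com": "Google Drive",
    "graph.microsoft.com": "OneDrive",
    "onedrive.com": "OneDrive",
}

# Hostname prefixes of systems that should never talk to consumer storage
# (constructed; normally sourced from a CMDB or asset tag).
SENSITIVE_HOST_PREFIXES = ("booking-srv-",)


@dataclass(frozen=True)
class Alert:
    host: str
    service: str
    bytes_sent: int
    requests: int
    reason: str


def classify_service(domain):
    """Map a destination domain to a storage service name, or None."""
    for suffix, service in CLOUD_STORAGE_SUFFIXES.items():
        if domain == suffix or domain.endswith("." + suffix):
            return service
    return None


def parse_log(text):
    """Parse proxy lines into (host, domain, method, bytes_sent) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the job
        _ts, host, domain, method, sent = parts
        records.append((host, domain, method, int(sent)))
    return records


def find_cloud_exfil(text, volume_threshold=50 * 1024 * 1024):
    """Return Alerts for hosts uploading to cloud storage.

    Two rules, either of which fires:
      1. any upload from a sensitive (booking) host to a storage service;
      2. total upload volume to one service at or above volume_threshold.
    """
    totals = defaultdict(lambda: [0, 0])  # (host, service) -> [bytes, count]
    for host, domain, method, sent in parse_log(text):
        service = classify_service(domain)
        if service is None or method not in ("POST", "PUT"):
            continue  # only count uploads to known storage services
        totals[(host, service)][0] += sent
        totals[(host, service)][1] += 1

    alerts = []
    for (host, service), (total, count) in sorted(totals.items()):
        if host.startswith(SENSITIVE_HOST_PREFIXES):
            reason = "sensitive host uploading to cloud storage"
        elif total >= volume_threshold:
            reason = "upload volume above threshold"
        else:
            continue
        alerts.append(Alert(host, service, total, count, reason))
    return alerts


if __name__ == "__main__":
    for alert in find_cloud_exfil(SAMPLE_PROXY_LOG):
        print(alert)
```

Run against the constructed log, the script flags booking-srv-01 (about 250 MB to Dropbox over three requests) and booking-srv-03 (a single upload to OneDrive, flagged on the host tier alone), while the finance workstation's 3 MB upload stays below the volume threshold. The host-tier rule is the more valuable one here: the report says the data is compressed and encrypted before exfiltration, so content inspection will not help, but a flight booking server has no business writing to consumer storage at any volume.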
The NCC Group and Fox-IT report did not specifically say why the threat actors targeted the airline industry or why they stole passenger data. But the reasons are obvious, as it is very common for state-backed hackers to target airlines and hotel chains to track the movements and communications of specific people.
For example, Chinese hackers developed malware named MessageTap to target telcos' networks and steal SMS messages. As reported, this was part of China's efforts to track down the Uyghur minority.