New research has revealed that, at the same time as the massive data breach Air India disclosed the month before, the airline appears to have suffered a separate cyber assault that lasted at least two months and 26 days. The intrusion has been attributed to the Chinese regional threat actor APT41.
Group-IB named the campaign “ColunmTK” after the names of the command and control (C2) servers the attackers used to communicate with compromised systems.
The Singapore-headquartered threat hunting company said:
“The potential ramifications of this incident for the entire airline industry and carriers that might yet discover traces of ColunmTK in their networks are significant.”
A SITA spokesperson told The Hacker News that these were two separate security incidents, although Group-IB suggested the intrusion may have been a supply chain attack.
The Chinese-speaking APT41 group, also tracked as Winnti Umbrella, Axiom, or Barium, focuses on information theft and espionage against the healthcare, high-tech, and telecommunication sectors. It establishes and maintains strategic access points that enable intellectual property theft and financially motivated cybercrime.
“Their cybercrime intrusions are most apparent among video game industry targeting, including the manipulation of virtual currencies and attempted deployment of ransomware. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance.”
On May 21, Air India disclosed that a supply chain attack earlier this month directed at its Passenger Service System (PSS) provider SITA had resulted in a data breach affecting 4.5 million of its customers, with records dating back nearly ten years.
The breached data included names, dates of birth, contact information, passport information, ticket information, frequent flyer data, and credit card information, covering the period between Aug. 26, 2011, and Feb. 3, 2021.
FireEye’s Mandiant, which is assisting SITA in responding to the attacks, has determined that the attacks were highly sophisticated and that the tactics, techniques, and procedures point to a single entity, although the operator’s identity and motive are not yet clear.
New Attack Against Air India
Based on its analysis, Group-IB has now found connections between an infected device inside Air India’s network (named “SITASERVER4”) and a server hosting Cobalt Strike payloads dating back to Dec. 11, 2020.
Following this initial compromise, the attackers were able to establish persistence, harvest passwords, pivot laterally across the wider network, and gather information from the local network.