China Backed APT41 Behind SITA And Air India Cyber Attacks

(This was originally posted in CNBCTV18)

The recent cyberattack on air travel solutions software major SITA and a number of airlines, including Air India, is believed to be linked to the Chinese state-sponsored threat actor APT41. Airlines have been warned to comb through their networks and trace any trace of the campaign that may still be concealed within them. SITA is one of the leading global IT providers, serving nearly 90 percent of the world’s airline industry.

NOTE: While Air India was impacted by the attack on SITA PSS, the alleged attack on Air India as described in the Group-IB blog was a separate, unrelated cyber-attack. There is no substance in the suggestion of Group-IB that the attack on SITA PSS and the separate attack on Air India were linked or carried out by the same threat actor.

The report states that, although the Air India attack lasted just 4 days short of 3 months, it took the threat actors only 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline’s network. SITA was responsible for processing Air India’s personal customer data (until 2019). The stolen data was put up for sale on a leak site for $3,000.

The Group-IB report further said, “The campaign’s code name is ColunmTK. It was formed by combining the first two domains used for DNS tunneling in the attack.” The ColunmTK campaign is attributed to APT41, which is also known as Wicked Panda, Wicked Spider, Winnti, and Barium. Active since 2007, APT41 is known for supply-chain attacks, cyber espionage, and financially motivated cybercrime.

The US Department of Justice last year charged five Chinese nationals with hacking more than 100 companies in the US and worldwide. The five were also charged with attacking NGOs, universities, foreign governments, and Hong Kong-based pro-democracy politicians and activists. The data breach at Air India involved customers’ personal data, including name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, and credit card information.

Security-related information such as customer passwords or CVV numbers, however, was not stolen, as SITA did not hold that data. After disclosing the cyberattack, SITA revealed that Star Alliance and Oneworld member airlines were also affected, including Finnair, Japan Airlines, Jeju Air, Lufthansa, Malaysia Airlines, Air New Zealand, Cathay Pacific, and Singapore Airlines, among others.


Kartik Sud

I am working as a News Author With the DefenceXP network, Observing LOC and LAC
