India’s flagship airline Air India announced last month it was hit by a huge cyberattack, affecting as many as 4.5 million passengers. Their data, including passport information and some credit card details, had been compromised by unknown hackers.
A cybersecurity company is now claiming, with “moderate” confidence, that a prolific Chinese government-sponsored espionage and cybercriminal group known as APT41 hacked Air India. It could be part of a wider campaign to snoop on the airline industry, according to Singapore-based Group-IB, which showed Forbes its findings on Thursday ahead of publication. APT41 was called out by the FBI in September 2020, and a number of its alleged members indicted for various cybercrimes, including hacks on more than 100 organizations across the world, including in the U.S. The accused are now on the FBI’s Cyber Most Wanted list.
The apparent link to Air India came via an analysis of what Group-IB claimed was a command and control server used in an attack on the airline. Group-IB researchers found the attacker was using a certificate to validate its web traffic (known as an SSL certificate), and that the certificate was only detected on five servers. One of the IP addresses of those servers had been previously identified by Microsoft as one used by APT41. Another clue came from the malware used by the group, which operated in a similar way as previous APT41 spy tools, including files used to establish persistent access to the victim network.
Forbes wasn’t able to independently verify Group-IB’s findings and there are some doubts about its “moderate” confidence attribution. One cybersecurity industry executive, whose company had researched APT41 operations and spoke on condition of anonymity, said they believed the report was not accurate, but couldn’t specify how, citing sensitivities over their research. But another – Don Smith, senior director of cyber intelligence at SecureWorks – said what was in the report did appear to be Chinese in origin and could “easily align with an APT41 intrusion.”
Group-IB has recently been successful in identifying cybercriminals behind major operations. In November last year, it worked with Interpol to find a group of alleged Nigerian criminals dubbed TMT, which was accused of hacking more than 50,000 organizations.
MORE FOR YOU
Neither Air India nor the Chinese embassy in London had responded to requests for comment.
A wider supply chain attack?
Whether China was responsible or not, Group-IB suspects that the Air India hack is linked to a wider attack on the airline industry, one that started with the breach of SITA, an IT supplier for the industry. That breach was revealed in early March, which led to a leak of passenger data. “This was a highly sophisticated attack,” the company wrote at the time.
When Air India disclosed its breach, it noted that it started with the hack of SITA, the data processing provider for the airline. However, SITA said the Air India hack described by Group-IB was not linked to the breach of its own network, but was separate. And despite the indicators from the Air India hack—and though there have been breaches at other airlines following the SITA hack, leading to data leaks from Singapore Airlines and Finnair (amongst others)—Group-IB told Forbes it doesn’t yet have enough evidence to confirm a large-scale supply chain compromise.
SITA doesn’t yet know who hacked its network. “Together with our external experts we completed our forensic investigation of the … data security incident in May 2021. Our findings as to the identity and motive of the perpetrator are not entirely conclusive and coalesce around several possibilities that we will not speculate about in public,” a spokesperson told Forbes. “However, as determined by Mandiant, SITA’s appointed third-party security expert, the attack was highly sophisticated and the TTPs (Tactics, Techniques and Procedures) and IOCs (Indicators of Compromise) point to a single entity behind the cyber-attack.”
If APT41 is targeting the airline industry, it would fit with the group’s modus operandi of targeting travel market players and using supply chain providers as a route into company networks. Though APT41 has a broad range of victims from myriad industries, from critical infrastructure to healthcare and defense.
APT41 has been active for the last 15 years, carrying out espionage operations and financially-motivated cybercrime, said Group-IB chief technology officer Dmitry Volkov.
“APT41 is a very prolific threat actor which remains extremely active up until now,” Volkov added. “Their main attack vector for APT41 is spear-phishing emails with malicious attachments leveraging a number of different exploits. In some cases, APT41 communicates with their potential victims in social networks, reaching out to those who work in the business development or HR departments, and then spear phishing a victim using a variety of malware installation vectors.”
According to the Justice Department, APT41 has also been seen deploying ransomware on target networks. In recent months, following the attacks on Colonial Pipeline and meat supplier JBS, that a group with the technical prowess of APT41 is also wielding ransomware could be a real worry for IT teams.