Saturday, June 12, 2021

China-backed APT41 behind SITA and Air India cyber attacks

The recent cyberattack on air travel solutions software major SITA and a number of airlines, including Air India, has been linked to the Chinese state-sponsored threat actor APT41.

Airlines have been warned to comb through their networks for traces of the campaign, which may still be concealed within them. SITA is one of the leading global IT providers, serving nearly 90 percent of the world’s airline industry.

According to a report by Group-IB analyst Nikita Rostovcev, "After Air India, it was evident the world’s national carriers are dealing with one of the biggest supply-chain attacks in the airline’s history. SITA’s data breach is estimated to have revealed data of 4.5 million passengers."

According to the report, although the Air India attack lasted just 4 days short of 3 months, it took the threat actors only 24 hours and 5 minutes to spread Cobalt Strike beacons to the other devices in the airline’s network. SITA is responsible for processing Air India’s personal customer data. The hacked data was put up for sale on a leak site for $3,000.

The Group-IB report further said, "The campaign’s code name is ColunmTK. It was formed by combining the first two domains used for DNS tunneling in the attack."

APT41, the group behind the ColunmTK campaign, is also known as Wicked Panda, Wicked Spider, Winnti, and Barium. Active since 2007, APT41 is known for supply-chain attacks, cyber espionage, and financial cybercrimes.

The US Department of Justice last year charged five Chinese nationals with hacking more than 100 companies in the US and worldwide. The five have also been charged with attacking NGOs, universities, foreign governments, and Hong Kong-based pro-democracy politicians and activists.

The data breach at Air India involved customers' personal data, including names, dates of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, and credit card information.
