New analysis has indicated that the attack on Air India lasted for nearly three months and emanated from a China-based threat actor known as APT41.
On 21 May, India’s flag carrier airline, Air India, announced that it had suffered a data breach affecting its Passenger Service System (PSS) provider SITA. According to the announcement, the attack impacted over 4.5 million of its customers.
Although the initial entry point of the malware that compromised the airline’s systems is still unknown, researchers have concluded that the company became the victim of a sophisticated supply chain attack that most likely started with SITA, since a SITA server was the first device to start communicating with a hacker-controlled C&C server.
As per the reports, the incident led to a leak of personal data, including people’s names, dates of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data, as well as credit card data, collected over the span of 10 years between August 26, 2011, and February 3, 2021.
After successfully breaching the system, the malicious actors established persistence and obtained credentials that allowed them to move to other parts of the network and collect information from the local networks.
From what has been disclosed by security researchers, the attackers managed to exfiltrate NTLM hashes and plain-text passwords from local PCs using hashdump and mimikatz, and attempted to escalate local privileges using the BadPotato malware.
The malicious campaign has been codenamed “ColunmTK” and, according to initial estimations, its consequences for the whole airline sector, and for any airlines that find evidence of ColunmTK in their networks, are considerable.
APT41 (also known as Winnti Umbrella, Axiom, and Barium) is a China-based threat actor well known to the public for a series of campaigns focused on the theft of sensitive information from the healthcare, high-tech, and telecommunications sectors, as well as a number of financially motivated crimes. Recently, there have been indications that APT41 actively tracks individuals and conducts surveillance in sectors such as higher education, travel, and news/media.