The title of this post alone should give you some pause, but there is more. According to the European Air Traffic Management Computer Emergency Response Team (EATM-CERT), the majority of this increase, 61%, falls on airlines themselves. The graph below (not reproduced here) breaks the aviation industry down by sector and shows the number of cyber attacks each sector witnessed over the last year. This trend has continued into 2021.
In May, Air India admitted it had been the victim of a cyber attack in which the personal information of 4.5 million passengers, including passport details and credit card information, was stolen. But this was only the tip of the iceberg. What was important about this hack was that it did not originate with Air India itself; it was the product of a supply chain attack that began with a company few people have heard of named SITA. The extent of this company’s reach in the aviation industry can be taken from one sentence on its website, which states that “nearly every airline and airport in the world does business with SITA, and almost every passenger’s trip relies on our technology.” To break this down, SITA states that “our membership base includes airlines, airports, airport-based organizations, and air traffic management, with 95% of all international destinations and over 13,500 industry sites connected by SITA’s network.” What criminal wouldn’t want to get into this network?
In the Air India case, the attackers appear to be a hacking group associated with the Chinese government known as APT41. Although the sophistication of the attack points to a state-sponsored group, attribution, as is often the case in cyber attacks, is never free of doubt. In fact, with attacks like this it is difficult to tell whether the airline was compromised independently of SITA or through it. That said, after the breach SITA notified Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand, and Lufthansa that they might be targeted for cyber attacks. Since that time, Malaysia Airlines, Singapore Airlines, and Finnair have announced breaches. That seems more than just a coincidence to me. Once an airline is breached, the attacker can reach its information on customers and partners.
APT41 is one of those hacking groups that oscillate between financially motivated hacking and espionage, most likely with the approval of the Chinese government. In other words, if they wanted to, they could turn an intrusion that began as data theft into a ransomware attack. And, in fact, this seems to be what they have been doing. The EATM-CERT report stated that the aviation industry was hit by one ransomware attack a week, and that was in 2020.
But ransomware was not the main vector used against the aviation industry, as the chart (not reproduced here) shows.
36% of the attacks involved data theft, but on its own that tells us little. How did the theft occur? Judging from the chart, fraudulent websites and phishing emails were the main routes by which data were accessed. The report states that 95% of the attacks were carried out for financial gain. That may well be. However, it would be unusual for the Chinese government not to look over the stolen data before it was monetized. A ransomware attack first encrypts an airline’s data and demands a ransom to restore it. But even if the ransom is paid and the data are restored, there is no guarantee that the criminals will not keep a copy, either to sell to other hackers or to use for further attacks: paying for a decryption key undoes the encryption, not the exfiltration that preceded it.
My guess is that phishing emails were used to lead victims to fraudulent websites. This type of attack can be quite effective if the email appears to come from a trusted contact or organization; if the website it points to also looks legitimate, the victim is compromised all the more easily. According to the report, 280 of 335 fake websites were “impersonating IATA and A4E airline members, selling fake tickets and seeking to extract customer credit card data.” They also exploited the COVID pandemic by posing as sites offering refunds. The goal of most of these sites was to steal customer credentials, which were then packaged and put up for sale on deep web sites. Altogether, 15,493 accounts from 30 airlines were up for sale.
Scam ticket sale sites have multiplied despite the flight restrictions imposed by COVID. These sites offer tickets at incredible savings and will even send a confirmation email to make it look as though you really hold the tickets. Sadly, the email is all you are going to get. Other sites offer to obtain your refund for a delayed or cancelled flight. All of these sites ask for personal information, including credit card data.
Phishing emails have probably been the most successful attack vector: even poorly designed ones get past spam filters some of the time, and a message that lands in the inbox already carries a measure of face validity. Some spearphishing emails target airline employees. Once such a target surrenders network credentials, the attacker has enough to start a more sophisticated attack on the airline itself. As the report notes, “if just one person in an organisation of thousands takes the bait, that can be enough to make the entire attack worthwhile. This highlights the importance of raising awareness within organisations about how good cybersecurity practice involves every staff member, and that attacks cannot be prevented by technology alone.” In short, what is required is endpoint protection and access controls built so that the mistake of one individual in a company or organization cannot undermine its entire cybersecurity architecture.
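The lures described in the last three paragraphs (brand impersonation, typosquatted airline domains, refund and cheap-ticket themes) can be triaged mechanically before a user ever clicks. The script below is an added example written for this post; it is not code from EATM-CERT, IATA, SITA or any airline. The allow-list of brand domains, the lure vocabulary, the edit-distance threshold and the four sample emails are all assumptions made for the demonstration, and the registrable-domain helper is deliberately simplified.

```python
"""Lookalike-domain triage for links found in suspected airline phishing mail.

Added illustration for this post; not code from EATM-CERT, IATA, SITA or any
airline. The brand list, lure words, thresholds and sample e-mails are assumptions.
"""
import re
from urllib.parse import urlsplit

# Assumed allow-list: registrable domain -> brand token an airline SOC treats as legitimate.
LEGIT_DOMAINS = {
    "iata.org": "iata",
    "airindia.com": "airindia",
    "finnair.com": "finnair",
    "singaporeair.com": "singaporeair",
}

# Assumed lure vocabulary matching the themes in the report (refunds, cheap tickets, COVID).
LURE_WORDS = ("refund", "ticket", "cheap", "compensation", "covid")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typosquats such as 'finair' standing in for 'finnair'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Adequate for .com/.org; production code should
    use the public-suffix list so that hosts under 'co.uk' and similar are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_url(url: str) -> dict:
    """Return a verdict for one URL together with the reasons behind it."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return {"url": url, "host": host, "verdict": "legitimate", "reasons": []}

    reasons = []
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode/IDN host")  # homoglyph brands hide behind IDN labels

    # Tokens split on '.' and '-' so 'finnair.refund-desk.com' yields the token 'finnair'.
    tokens = [t for t in re.split(r"[.-]", host) if t]
    second_level = reg.split(".")[0]
    for legit, brand in LEGIT_DOMAINS.items():
        if any(brand in tok for tok in tokens):
            # Brand name used inside a domain the brand does not own (short brands
            # such as 'iata' match generously; tune per brand in practice).
            reasons.append(f"brand token '{brand}' outside {legit}")
        else:
            dist = levenshtein(second_level, brand)
            if 0 < dist <= 2:
                reasons.append(f"typosquat of {legit} (edit distance {dist})")

    hits = [w for w in LURE_WORDS if w in url.lower()]
    if hits:
        reasons.append("lure words in URL: " + ", ".join(hits))

    verdict = "suspicious" if reasons else "unknown"
    return {"url": url, "host": host, "verdict": verdict, "reasons": reasons}


def triage_email(body: str) -> list:
    """Extract every http(s) link from a mail body and triage each one."""
    return [triage_url(u) for u in URL_RE.findall(body)]


# Constructed sample mails (not real messages) covering the lures the report describes.
SAMPLE_MAILS = [
    "Your Finnair flight was cancelled. Claim your refund at https://finnair.refund-desk.com/claim now.",
    "Book cheap tickets today: http://singaporair.com/ticket",
    "Manage your booking at https://www.finnair.com/manage",
    "Urgent IATA notice: https://xn--iata-8ca.org/verify",
]

if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        for result in triage_email(mail):
            print(result["verdict"].upper(), result["host"], "; ".join(result["reasons"]))
```

Run as a script, it flags the first, second and fourth sample links (brand token in a foreign domain plus a refund lure; a one-character typosquat plus a ticket lure; an IDN host carrying the IATA brand) and passes the third because its registrable domain is on the allow-list. In a mail gateway the same checks would run on every link before delivery, which is the technical counterpart to the awareness training the report calls for.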
Meanwhile, Bangkok Airways has just admitted that it was the victim of a ransomware attack by the Russian ransomware group LockBit. Does this have anything to do with the SITA hack? It is difficult to say. Maybe LockBit hacked SITA, or maybe they bought login credentials online. But they would not even need to do that: when a company refuses to pay a ransom, its stolen data are published online for anyone to view for free, which makes it relatively easy for any hacking group to find a vulnerable endpoint to exploit.
This is what happened to Bangkok Airways: it refused to pay the ransom, and its data are now being released online.
Other hacking groups can now mine that data for the information around which to organize the next attack on an airline. So the future, at least for airlines, does not look good.