A suspected Chinese hacking group has been attacking the airline industry for the past few years with the goal of obtaining passenger data in order to track the movement of persons of interest. The intrusions have been linked to a threat actor that the cyber-security industry has been tracking under the name Chimera, believed to be operating in the interests of the Chinese state. Researchers say the group has remained undetected in a network for up to three years. Initial reports mentioned a series of coordinated attacks against the Taiwanese semiconductor industry.
In a recent report by NCC Group and its subsidiary Fox-IT, the two companies' spokespersons said the group's intrusions are broader than initially thought, having also targeted the airline industry. "NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020," representatives of both companies stated. These attacks targeted semiconductor and airline companies in different geographical areas, and not just Asia, according to NCC.
While the attacks orchestrated against the semiconductor industry were aimed towards the theft of intellectual property (IP), the attacks against the airline industry were focused instead on something else. "The goal of targeting some victims appears to be to obtain Passenger Name Records (PNR)," per the two companies’ spokespersons. "How this PNR data is obtained likely differs per victim, but we observed the usage of several custom DLL files used to continuously retrieve PNR data from memory of systems where such data is typically processed, such as flight booking servers."
The joint NCC and Fox-IT report also describes the Chimera group's typical modus operandi, which usually begins with collecting user login credentials that had leaked into the public domain after data breaches at other companies. This data is used for credential stuffing or password spraying attacks against a target's employee services, such as email accounts. After the intrusion, the Chimera operators search for login details for corporate systems, such as Citrix systems and VPN appliances.
Once inside an internal network, the intruders usually deploy Cobalt Strike, a penetration-testing framework used for "adversary emulation," which they use to move laterally to as many systems as possible, searching for IP and passenger details. The two security firms said the hackers were patient and thorough and would search until they found ways to traverse across segmented networks to reach systems of interest.
Once they found and collected the data they were after, this information was regularly uploaded to public cloud services like OneDrive, Dropbox, or Google Drive, knowing that traffic to these services would not be inspected or blocked inside breached networks.
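The password-spraying step of the intrusion chain described above, as an added detection example that is not code from the NCC Group / Fox-IT report or the companies it cites; the log format, IP addresses and account names are constructed for illustration. It flags a single source that fails against many distinct accounts a few times each, then lists which of those accounts later logged in from that source.

```python
# Added example, not from the NCC Group / Fox-IT report: spot password spraying
# in constructed auth logs (hypothetical format: ts source_ip user FAIL|SUCCESS).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 198.51.100.7 tries five accounts once each, then succeeds;
# 203.0.113.9 retries one account, the pattern of an ordinary mistyped password.
SAMPLE_LOG = """\
2020-03-01T08:00:01Z 198.51.100.7 alice FAIL
2020-03-01T08:00:03Z 198.51.100.7 bob FAIL
2020-03-01T08:00:05Z 198.51.100.7 carol FAIL
2020-03-01T08:00:08Z 198.51.100.7 dave FAIL
2020-03-01T08:00:10Z 198.51.100.7 erin FAIL
2020-03-01T08:00:12Z 198.51.100.7 frank SUCCESS
2020-03-01T08:05:00Z 203.0.113.9 alice FAIL
2020-03-01T08:05:20Z 203.0.113.9 alice SUCCESS
"""

def events(log_text):
    out = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(out)  # time-ordered (datetime, ip, user, result) tuples

def find_spraying(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """{source_ip: [accounts]} for sources whose failures inside `window` hit many
    distinct accounts but each only a few times: the low per-account count keeps a
    spray under lockout thresholds, so per-account alerting alone misses it."""
    fails = defaultdict(list)
    for ts, ip, user, result in events(log_text):
        if result == "FAIL":
            fails[ip].append((ts, user))
    hits = {}
    for ip, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):  # sliding window over this source's failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                hits[ip] = sorted(counts)
                break
    return hits
def compromised_after_spray(log_text, hits):
    """Accounts that later logged in successfully from a spraying source: reset these first."""
    return sorted({u for _, ip, u, r in events(log_text) if ip in hits and r == "SUCCESS"})
```

The thresholds are illustrative; in production they are tuned to the volume of the email or VPN service being watched, and the same grouping can be keyed on user agent or ASN when the spray is spread across many source addresses.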
While the NCC and Fox-IT report did not speculate why the hackers targeted the airline industry and why they stole passenger data, this is pretty obvious. It is very common for state-sponsored hacking groups to target airline companies, hotel chains, and telcos to obtain data they could use to track the movements and communications of persons of interest.
Past examples include Chinese group APT41, which targeted telcos with special malware capable of stealing SMS messages. The attacks were believed to be related to China's efforts to track its Uyghur minority, with some of these efforts involving hacking telcos to track Uyghur travelers' movements. Another Chinese group that targeted telcos was APT10 (or Gallium), whose activities were detailed in Cybereason's Operation Soft Cell report. Chinese state-sponsored hackers were also linked to the Marriott hack, during which they stole troves of hotel reservation details going back years.
China is not the only one engaging in these types of attacks. Iranian group APT39 has also been linked to breaches at telecommunication providers and travel companies for the purpose of tracking Iranian dissidents, while another Iranian group, known as Greenbug, has been linked to hacks against multiple telecom providers across Southeast Asia.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com.