Airlines are warned to scour their networks for traces of the campaign, which is likely the work of APT41.

A monster cyberattack on SITA, a global IT provider for 90 percent of the world’s airline industry, is slowly unfolding to reveal the largest supply-chain attack on the airline industry in history.

The enormous data breach, estimated to have already impacted 4.5 million passengers, has potentially been traced back to the Chinese state-sponsored threat actor APT41, and analysts are warning airlines to hunt down any traces of the campaign concealed within their networks.

SITA announced the attack in March, and soon after Singapore and Malaysia Airlines were the first airlines to disclose that their customers’ personal data had been exposed. Most recently, SITA’s customer Air India reported an attack on its systems.

Monumental Supply-Chain Attack on Airlines Traced to State Actor

“After Air India revealed the details of its security breach, it became clear that the carriers were most likely dealing with one of the biggest supply-chain attacks in the airline industry’s history,” Group-IB analyst Nikita Rostovcev said in a recent report about the discovery.

The campaign’s code name is ColunmTK, the Group-IB report said, which researchers came up with by combining the first two domains used for DNS tunneling in the attack: ns2[.]colunm[.]tk and ns1[.]colunm[.]tk.

SITA Attack Claims Air India Among Victims

Air India made the first public statement about its breach on May 21. However, it wasn’t until later that Group-IB traced its origins to SITA, which is responsible for processing personal customer data for the airline. Adding in Air India’s customers, the SITA attack has now impacted 4.5 million people, the report said.

Group-IB said the Air India attack persisted for at least two months and 26 days. However, the researchers pointed out that it only took the threat actors “24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline’s network.”

Shortly after Air India’s disclosure, a database of customer records allegedly exfiltrated from Air India was put up for sale on a leak site for $3,000.

‘Sophisticated Nation-State Threat Actor’

At first, Group-IB analysts thought the database was a fake because it hadn’t popped up on the Dark Web, but after a closer look, “Group-IB’s Threat Intelligence team soon realized that they were dealing with a sophisticated nation-state threat actor, rather than another financially motivated cybercriminal group,” the report added.

Analysts found the command-and-control (C2) server involved in the Air India attack first started communicating with a SITA data processing server (the initial compromise method is unclear), then began moving laterally around the network.

“The attackers exfiltrated NTLM hashes and plain-text passwords from local workstations using hashdump and Mimikatz,” Group-IB reported. “The attackers tried to escalate local privileges with the help of BadPotato malware. BadPotatoNet4.exe was uploaded to one of the devices inside the victim’s network under the name SecurityHealthSystray.exe.”

The team estimated at least 20 devices on Air India’s network were compromised during this lateral movement phase, adding, “the attackers used DNS-txt requests to connect the bots to the C2 server.”
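The two indicator types the report describes, DNS TXT beaconing to the ColunmTK domains (ns1[.]colunm[.]tk and ns2[.]colunm[.]tk) and a BadPotato binary dropped under the name SecurityHealthSystray.exe, are the kind of thing an airline’s SOC would want to hunt for in its own logs. The script below is an added example written for this article, not code from Group-IB or from the report; the DNS log format, the sample log lines, the tunneling thresholds and the client IP addresses are all constructed for illustration. The only facts it relies on are the two domains quoted above and the fact that the legitimate SecurityHealthSystray.exe on Windows 10 lives in C:\Windows\System32.

```python
import math
import re
from collections import Counter
from typing import Optional

# Domains named in the Group-IB report as quoted in the article. Any query
# under the parent zone colunm.tk is treated as a hit.
COLUNMTK_C2 = {"ns1.colunm.tk", "ns2.colunm.tk"}
COLUNMTK_ZONE = "colunm.tk"

# Generic DNS-tunneling heuristics for TXT queries to domains that are NOT on
# the indicator list. Assumed thresholds; tune against your own baseline.
LONG_LABEL = 30      # encoded payload labels tend to be long
HIGH_ENTROPY = 3.5   # bits/char; hex/base32/base64 payloads sit well above words

# Constructed log format (assumed): "<timestamp> <client_ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

# Where the real Windows Security tray binary lives on Windows 10.
EXPECTED_SYSTRAY_PATH = r"c:\windows\system32\securityhealthsystray.exe"


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def hostname_under(qname: str, zone: str) -> bool:
    """True if qname equals zone or is a subdomain of it."""
    qname = qname.lower().rstrip(".")
    return qname == zone or qname.endswith("." + zone)


def classify_query(qname: str, qtype: str) -> Optional[str]:
    """Return a reason string if this DNS query deserves analyst attention."""
    qname = qname.lower().rstrip(".")
    if hostname_under(qname, COLUNMTK_ZONE):
        return "known ColunmTK C2 domain"
    if qtype.upper() != "TXT":
        return None
    labels = qname.split(".")
    # Everything left of the registrable domain; assumes a two-label SLD+TLD.
    payload_labels = labels[:-2]
    if not payload_labels:
        return None
    payload = ".".join(payload_labels)
    if max(len(l) for l in payload_labels) >= LONG_LABEL or shannon_entropy(payload) >= HIGH_ENTROPY:
        return "TXT query with tunnel-like subdomain"
    return None


def hunt_dns(lines):
    """Scan DNS log lines; return (findings, TXT-query count per client)."""
    findings = []
    txt_per_client = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        if m["qtype"] == "TXT":
            txt_per_client[m["client"]] += 1
        reason = classify_query(m["qname"], m["qtype"])
        if reason:
            findings.append({"ts": m["ts"], "client": m["client"],
                             "qname": m["qname"], "reason": reason})
    return findings, txt_per_client


def suspicious_systray(image_path: str) -> bool:
    """The report says BadPotatoNet4.exe was dropped as SecurityHealthSystray.exe.
    The genuine binary lives in System32; the same name anywhere else is a lead."""
    p = image_path.lower().replace("/", "\\")
    return p.endswith("\\securityhealthsystray.exe") and p != EXPECTED_SYSTRAY_PATH


# Constructed sample log: one benign A query, two beacons to the ColunmTK
# domains, one legitimate TXT lookup, one generic tunnel-like TXT query, one AAAA.
SAMPLE_DNS_LOG = [
    "2021-02-23T10:15:01Z 10.20.30.40 A    www.airline-internal.example",
    "2021-02-23T10:15:07Z 10.20.30.40 TXT  ns1.colunm.tk",
    "2021-02-23T10:15:09Z 10.20.30.40 TXT  4f3a9c1b7e2d8a6f5b0c3d9e1a2f7b8c.ns2.colunm.tk",
    "2021-02-23T10:16:00Z 10.20.30.41 TXT  _dmarc.example.com",
    "2021-02-23T10:16:30Z 10.20.30.42 TXT  aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgbGFiZWw.evil-tunnel.example",
    "2021-02-23T10:17:00Z 10.20.30.43 AAAA mail.example.com",
]

if __name__ == "__main__":
    hits, per_client = hunt_dns(SAMPLE_DNS_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} {h['qname']}: {h['reason']}")
    print("TXT queries per client:", dict(per_client))
    for path in (r"C:\Windows\System32\SecurityHealthSystray.exe",
                 r"C:\Users\Public\SecurityHealthSystray.exe"):
        print(path, "suspicious" if suspicious_systray(path) else "expected location")
```

The zone match catches the named domains regardless of the payload encoded in the leftmost labels, while the entropy and label-length heuristics give a starting point for spotting the same technique aimed at domains that are not yet on an indicator list. The TXT-per-client counter is there because a beaconing host will stand out by volume even when individual queries look innocuous.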

The researchers were able to tie APT41-controlled IP addresses to those used in the Air India attack, and said the incident showed similarities with the SITA attack and others carried out by APT41. Thus, Group-IB analysts believe with “moderate confidence” that the ColunmTK campaign was perpetrated by APT41 (a.k.a. Wicked Panda, Wicked Spider, Winnti and Barium), a group which has been active since 2007 and which is known to specialize in supply-chain attacks.

APT41 is known for nation-state-backed cyber-espionage activity as well as financial cybercrime. The Department of Justice alleged last year that the group “facilitated the theft of source code, software code-signing certificates, customer-account data and valuable business information,” which in turn “facilitated other criminal schemes, including ransomware and cryptojacking.”

The DoJ in 2020 charged five suspected perpetrators, all of whom are residents and nationals of the People’s Republic of China (PRC), with hacking more than 100 victim companies in the United States and abroad, including software-development companies, computer-hardware manufacturers, telecom providers, social-media companies, video-game companies, nonprofit organizations, universities, think tanks and foreign governments, as well as pro-democracy politicians and activists in Hong Kong.

Airlines Warned to Shore Up Defenses Against ColunmTK

If the Group-IB team is right, this Chinese nation-state actor is sitting on a breathtaking trove of travel data. It’s now up to the airlines to make sure they have the problem under control, according to John Bambenek from Netenrich.

“Airlines have a wealth of information that is of interest to intelligence agencies,” Bambenek told Threatpost by email. “China, in particular, would love to collect the travel patterns of individuals associated with the targets of their national-security apparatus. All airlines should take note of this report and search for these indicators in their environments.”
