A series of cyberattacks is gradually being revealed to involve the airline industry – most recently Air India – and perhaps more than 4 million passengers.
Air India, the country’s flagship airline, made the announcement last month, reporting that personal data was compromised including some credit card and passport information.
A leading cybersecurity firm, Group-IB, believes the Chinese government-affiliated group APT41 is responsible for the Air India breach and could involve a much wider effect on the airline industry.
According to Forbes:
“APT41 was called out by the FBI in September 2020, and a number of its alleged members indicted for various cybercrimes, including hacks on more than 100 organizations across the world, including in the U.S. The accused are now on the FBI’s Cyber Most Wanted list.
“Group-IB researchers found the attacker was using a certificate to validate its web traffic (known as an SSL certificate), and that the certificate was only detected on five servers. One of the IP addresses of those servers had been previously identified by Microsoft as one used by APT41.”
Some malware reportedly worked in a fashion similar to previous APT41 spy tools.
Forbes said it wasn’t able to independently verify Group-IB’s findings so the truth is not settled, though Don Smith, senior director of cyber intelligence at SecureWorks, told Forbes that some material in Group-IB’s reporting appeared to be Chinese and could “easily align with an APT41 intrusion.”
Group-IB suspects that the Air India hack is linked to a wider attack on the airline industry, one that started with the breach of SITA, an IT supplier for the industry.
“After Air India revealed the details of its security breach, it became clear that the carriers were most likely dealing with one of the biggest supply-chain attacks in the airline industry’s history,” Group-IB analyst Nikita Rostovcev said in a recent report about the discovery.
SITA, which provides IT for 90 percent of the airline industry, has not yet identified its hacker.