It has been reported that a group of cybercriminals believed to be linked with the Chinese government is actively targeting the airline industry to obtain passenger data. The threat actor believed to be behind the attack is known as Chimera. Believed to be operating in the interests of the Chinese state, the group’s activities were first described in a report and Black Hat presentation from CyCraft in 2020.
This type of network infiltration is often difficult to identify, especially since sophisticated hacking groups tend to leverage previously unknown tactics, the signatures of which are not necessarily picked up by the most common threat analysis tools. Furthermore, given that in these cases attackers dwell in the network for months or even years, the extent of the damage is often difficult to determine with a detection-first strategy, where network traffic logs are only recorded when the suspicious activity has already been flagged.

The intrusions discovered by NCC Group and Fox-IT, but also the recent high-profile SolarWinds attack, highlight the importance of having a data-first approach to network security: only by making sure that a complete record of anything that happens on the network is recorded, stored, indexed and actionable can defenders go back to the origin of the breach and figure out what went wrong.
The questions to ask are who are they, who are they watching, and why? It’s a given that this type of data stalking on a mass scale is criminal; there’s a very clear and thick legal line of privacy and data that this group is on the other side of with their data extraction.

While we don’t know if this is a state-sponsored actor, a proxy for a nation-state, or a monetization player, we do know that the Biden Administration will be tackling cybersecurity policy on these types of threats with new ferocity and historic vigor. While we all hope that the Biden Administration gets the 100-day honeymoon that most newly elected presidents get to shape and invoke policy, it appears that bad actors won’t be giving that to them. We’re optimistic that we now have a president who will evaluate and act upon trustworthy information, and is taking preemptive actions to strengthen our cybersecurity, risk mitigation, and personal privacy. We are confident that this situation is on their radar.
The revelation that advanced attackers, apparently based in China, have been targeting airline travel sites to track specific individuals is not a surprise. Tracking the travel patterns of individuals involved in certain industries or areas of research is information of great value to a state-level intelligence agency. While it is the kind of specific information that might be useful to a cybercriminal going after a specific target, it is guaranteed to be useful to a rival state agency.

Victims of these attacks are not facing common cybercriminals. They are likely facing state or state-sponsored threat actors with a high degree of skill and effectively limitless resources. They will have to up their game if they want to thwart these intrusions in the future and keep their customers’ data safe. They will have to follow industry best practices and deploy best-in-breed defenses, including security analytics tools that can help identify and remediate these intrusions before the data is compromised.
The Chinese government will deny any involvement in the hacking of the airlines, as they will roll out familiar talking points about not being involved in this sort of activity, when in fact it is likely they are hacking many other industries. Cybereason’s groundbreaking 2019 investigation, ‘Operation Soft Cell’, into global espionage against telcos by Chinese cyber threat actors opened the world to the techniques, tactics, and procedures being used to spy on individuals through their mobile phones. Individuals in prominent positions in government and business were being spied on around the clock for years without any knowledge, and the operation was so deep into the telcos that the intrusion went undetected for more than seven years.

This airline industry threat is a reminder that nation-states will stop at nothing to steal personal information, conduct espionage and look to gain an upper hand on the world stage. The airline industry, its suppliers, enterprises, and all defenders need to be deploying threat hunting services and need to think about cybersecurity from an operation-centric and alert-centric standpoint. Operation-centric security enables security analysts to string together disparate pieces of information involved in malicious cyber activity, greatly increasing the likelihood of stopping cybercrime before material damage is done.
Data thefts like the Chinese group’s action against the airlines are an example of why I always urge victims of data breaches to change their passwords on all of the sites they use, or at the very least to change passwords that have been used on more than one website.

Hackers use the login info gleaned from previous data breaches to perform credential stuffing or password spraying attacks against a targeted system. Once inside, the hackers can use penetration methods to acquire the data they are looking for.
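The password-spraying pattern mentioned above (one source cycling through many distinct accounts with a handful of passwords) is something a defender can surface from ordinary authentication logs. The following is an added example written for this page, not code from any of the commentators or vendors quoted; the log format, sample lines, IP addresses and thresholds are all constructed for illustration and do not come from the incidents discussed.

```python
"""Flag password-spraying patterns in authentication logs (added example).

Constructed log format, one event per line (not any real product's format):
    <ISO-8601 timestamp> result=<OK|FAIL> user=<name> src=<ip>

Heuristic: within a sliding time window, a single source address that fails
against many *distinct* usernames is behaving like a sprayer. A success from
that same source while the spray is in progress is the high-priority case,
because it suggests a reused or guessable password was found.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Constructed sample: 203.0.113.5 tries six accounts once each and gets in as
# "frank"; 198.51.100.7 is a user mistyping their own password; 192.0.2.9 is
# a normal login. All values are made up for this example.
SAMPLE_LOG = """\
2021-01-21T10:00:01Z result=FAIL user=alice src=203.0.113.5
2021-01-21T10:00:03Z result=FAIL user=bob src=203.0.113.5
2021-01-21T10:00:05Z result=FAIL user=carol src=203.0.113.5
2021-01-21T10:00:07Z result=FAIL user=dave src=203.0.113.5
2021-01-21T10:00:09Z result=FAIL user=erin src=203.0.113.5
2021-01-21T10:00:11Z result=OK user=frank src=203.0.113.5
2021-01-21T10:02:00Z result=FAIL user=grace src=198.51.100.7
2021-01-21T10:02:30Z result=FAIL user=grace src=198.51.100.7
2021-01-21T10:03:00Z result=OK user=grace src=198.51.100.7
2021-01-21T11:00:00Z result=OK user=heidi src=192.0.2.9
"""


@dataclass
class Event:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_line(line: str) -> Event:
    """Parse one constructed-format log line into an Event."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, fields["result"] == "OK", fields["user"], fields["src"])


def detect_spraying(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=10),
    min_distinct_users: int = 5,
) -> Dict[str, dict]:
    """Return {src_ip: finding} for sources that look like password sprayers.

    A finding records every username that failed from that source while the
    spray threshold was met, and any successful logins during the same period.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    per_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        per_src[ev.src].append(ev)

    findings: Dict[str, dict] = {}
    for src, evs in per_src.items():
        recent: deque = deque()  # events from this source inside the window
        for ev in evs:
            recent.append(ev)
            while recent and ev.ts - recent[0].ts > window:
                recent.popleft()
            failed_users: Set[str] = {e.user for e in recent if not e.ok}
            if len(failed_users) >= min_distinct_users:
                f = findings.setdefault(
                    src, {"distinct_failed_users": set(), "successes": []}
                )
                f["distinct_failed_users"] |= failed_users
                if ev.ok:
                    # A login that lands mid-spray is the case to escalate.
                    f["successes"].append(ev.user)
    return findings


if __name__ == "__main__":
    for src, finding in detect_spraying(SAMPLE_LOG.splitlines()).items():
        users = ", ".join(sorted(finding["distinct_failed_users"]))
        print(f"{src}: spray across [{users}]; successes={finding['successes']}")
```

The threshold on distinct usernames, rather than on raw failure count, is what separates a spray from a single user fumbling their password (198.51.100.7 above never trips it). In a real deployment the window and threshold would be tuned to the service's login volume, and a success recorded in a finding would be the trigger for forcing a credential reset on that account.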