A Chinese Hacking Group Is Stealing Airline Passenger Details

It has been reported that a group of cybercriminals believed to be linked to the Chinese government is actively targeting the airline industry to obtain passenger data. The threat actor Chimera is believed to be behind the attacks. Thought to be operating in the interests of the Chinese state, the group's activities were first described in a report and Black Hat presentation from CyCraft in 2020.

Expert Comments

January 22, 2021
Greg Bell
CEO
Corelight

This type of network infiltration is often difficult to identify, especially since sophisticated hacking groups tend to leverage previously unknown tactics, the signatures of which are not necessarily picked up by the most common threat analysis tools. Furthermore, given that in these cases attackers dwell in the network for months or even years, the extent of the damage is often difficult to determine with a detection-first strategy, where network traffic logs are only recorded when the suspicious activity has already been flagged. 


The intrusions discovered by NCC Group and Fox-IT, but also the recent high profile SolarWinds attack, highlight the importance of having a data-first approach to network security: only by making sure that a complete record of anything that happens on the network is recorded, stored, indexed and actionable can defenders go back to the origin of the breach and figure out what went wrong.

January 22, 2021
Chloé Messdaghi
VP of Strategy
Point3 Security

The questions to ask are who are they, who are they watching, and why? It’s a given that this type of data stalking on a mass scale is criminal - there’s a very clear and thick legal line of privacy and data that this group is on the other side of with their data extraction.


While we don’t know if this is a state-sponsored actor, a proxy for a nation-state, or a monetization player, we do know that the Biden Administration will be tackling cybersecurity policy on these types of threats with new ferocity and historic vigor. While we all hope that the Biden Administration gets the 100-day honeymoon that most newly elected presidents get to shape and invoke policy, it appears that bad actors won’t be giving that to them. We’re optimistic that we now have a president who will evaluate and act upon trustworthy information, and is taking preemptive actions to strengthen our cybersecurity, risk mitigation, and personal privacy. We are confident that this situation is on their radar.

January 22, 2021
Saryu Nayyar
CEO
Gurucul

The revelation that advanced attackers, apparently based in China, have been targeting airline travel sites to track specific individuals is not a surprise. Tracking the travel patterns of individuals involved in certain industries or areas of research is information of great value to a State level intelligence agency. While it is the kind of specific information that might be useful to a cybercriminal going after a specific target, it is guaranteed to be useful to a rival state agency.


Victims of these attacks are not facing common cybercriminals. They are likely facing State or State-Sponsored threat actors with a high degree of skill and effectively limitless resources. They will have to up their game if they want to thwart these intrusions in the future and keep their customers' data safe. They will have to follow industry best practices and deploy best in breed defenses, including security analytics tools that can help identify and remediate these intrusions before the data is compromised.

January 21, 2021
Sam Curry
Chief Security Officer
Cybereason

The Chinese government will deny any involvement in the hacking of the airlines, as they will roll out familiar talking points about not being involved in this sort of activity, when in fact it is likely they are hacking many other industries. Cybereason's groundbreaking 2019 investigation - 'Operation Soft Cell' into global espionage against telcos by Chinese cyber threat actors - opened the world to the techniques, tactics, and procedures being used to spy on individuals through their mobile phones. Individuals in prominent positions in government and business were being spied on around the clock for years without any knowledge and the operation was so deep into the telcos that the intrusion went undetected for more than seven years.


This airline industry threat is a reminder that nation-states will stop at nothing to steal personal information, conduct espionage and look to gain an upper hand on the world stage. The airline industry, its suppliers, enterprises, and all defenders, need to be deploying threat hunting services and need to think about cybersecurity from an operation-centric and alert-centric standpoint. Operation-centric security enables security analysts to string together disparate pieces of information involved in malicious cyber activity, greatly increasing the likelihood of stopping cybercrime before material damage is done.

January 21, 2021
Chris Hauk
Consumer Privacy Champion
Pixel Privacy

Data thefts like the Chinese group's action against the airlines are an example of why I always urge victims of data breaches to change their passwords on all of the sites they use, or at the very least to change passwords that have been used on more than one website.

Hackers use the login info gleaned from previous data breaches to perform credential stuffing or password spraying attacks against a targeted system. Once inside, the hackers can use penetration methods to acquire the data they are looking for.

January 21, 2021
Paul Bischoff
Privacy Advocate
Comparitech

State-sponsored hackers tend to use more sophisticated attacks to target high-value persons of interest, whereas a typical private hacking group would just go for low hanging fruit. Chimera's ability to steal PNR records from the RAM of flight booking servers is much more advanced than your standard data breach, and wouldn't have much direct financial value to the hackers. The fact that Chimera's activity went undiscovered for up to three months shows just how dangerous state-sponsored hackers can be. China could use this information to spy on executives, public officials, and other persons of interest.
