Even as a massive data breach affecting Air India came to light the previous month, India’s flag carrier airline appears to have suffered a separate cyber assault that lasted for a period of at least two months and 26 days, new research has revealed, which attributed the incident with moderate confidence to a Chinese nation-state threat actor called APT41.
Group-IB dubbed the campaign “ColunmTK” based on the names of command-and-control (C2) server domains that were used for facilitating communications with the compromised systems.
“The potential ramifications of this incident for the entire airline industry and carriers that might yet discover traces of ColunmTK in their networks are significant,” the Singapore-headquartered threat hunting company said.
While Group-IB alluded that this may have been a supply chain attack targeting SITA, the Swiss aviation information technology company told The Hacker News that they are two different security incidents.
“The airline confirmed vis-à-vis SITA on Jun. 11 2021 that the cyber attack on Air India […] is not the same or in any way linked to the attack on SITA PSS,” SITA told our publication over email.
Also known by other monikers such as Winnti Umbrella, Axiom and Barium, APT41 is a prolific Chinese-speaking nation-state advanced persistent threat known for its campaigns centered around information theft and espionage against healthcare, high-tech, and telecommunications sectors to establish and maintain strategic access for stealing intellectual property and committing financially motivated cybercrimes.
“Their cyber crime intrusions are most apparent among video game industry targeting, including the manipulation of virtual currencies, and attempted deployment of ransomware,” according to FireEye. “APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance.”
On May 21, Air India disclosed a data breach affecting 4.5 million of its customers over a period stretching nearly 10 years in the wake of a supply chain attack directed at its Passenger Service System (PSS) provider SITA earlier this February.
The breach involved personal data registered between Aug. 26, 2011, and Feb. 3, 2021, including details such as names, dates of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data, as well as credit card data.
FireEye’s Mandiant, which is assisting SITA with the incident response efforts, has since determined that the attack was highly sophisticated and that the tactics, techniques, and procedures (TTPs) and compromise indicators point to a single entity, adding the “identity and motive of the perpetrator are not entirely conclusive.”
Likely a New Attack Against Air India
Group-IB’s analysis has now revealed that at least since Feb. 23, an infected device inside Air India’s network (named “SITASERVER4”) communicated with a server hosting Cobalt Strike payloads dating all the way back to Dec. 11, 2020.
Following this initial compromise, the attackers are said to have established persistence and obtained passwords in order to pivot laterally to the broader network with the goal of gathering information inside the local network.
No fewer than 20 devices were infected during the course of lateral movement, the company said. “The attackers exfiltrated NTLM hashes and plain-text passwords from local workstations using hashdump and mimikatz,” Group-IB Threat Intelligence Analyst, Nikita Rostovcev, said. “The attackers tried to escalate local privileges with the help of BadPotato malware.”
In all, the adversary extracted 23.33 MB of data from five devices named SITASERVER4, AILCCUALHSV001, AILDELCCPOSCE01, AILDELCCPDB01, and WEBSERVER3, with the attackers taking 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline’s network.
While the initial entry point remains unknown, the fact that “the first device that started communicating with the adversary-controlled C&C server was a SITA server and the fact that SITA notified Air India about its security incident give reasonable ground to believe that the compromise of Air India’s network was the result of a sophisticated supply chain attack, which might have started with SITA.”
Connections to Barium are grounded on the basis of overlaps between the C2 servers found in the attack infrastructure with those used in earlier attacks and tactics employed by the threat actor to park their domains once their operations are over. Group-IB also said it discovered a file named “Install.bat” that bore similarities to payloads deployed in a 2020 global intrusion campaign.
When reached for a response, Group-IB CTO Dmitry Volkov told The Hacker News that “Despite the fact that the initial compromise vector remains unknown, Group-IB treats [the] SITA incident and Air India breach as interrelated.”
“This assumption is built on the fact that it was a server in Air India’s network that, Group-IB assumes, might have established [a] connection with SITA’s network that was breached first. According to Group-IB’s data, SITASERVER4 was the first host to have been infected within Air India’s network. This has also been confirmed by Air India,” Volkov added.
Indicators of compromise (IoC) associated with the incident can be accessed here.
Note: We have updated the story and headline to note that the two incidents are different from one another.