Chinese hackers have been gathering passenger details from airlines around the world to track the movements of high-value targets. The intrusions have been linked to a threat actor that the cyber-security industry tracks under the name Chimera. The initial report on the group described a series of coordinated attacks against the Taiwanese semiconductor industry; a new report published last week by NCC Group and its subsidiary Fox-IT says the group’s intrusions are broader than initially thought and have also targeted the airline industry. Where the attacks on the semiconductor industry aimed at the theft of intellectual property (IP), the attacks on the airline industry focused on obtaining Passenger Name Records (PNR).
The joint NCC Group and Fox-IT report also describes Chimera’s typical modus operandi, which usually begins with collecting user login credentials that have leaked into the public domain after data breaches at other companies. This data is used for credential-stuffing or password-spraying attacks against a target’s employee-facing services, such as email accounts. Once in, the Chimera operators search for login details for corporate systems, such as Citrix systems and VPN appliances, which give them a foothold on the internal network.
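The credential-stuffing and password-spraying stage described above leaves a recognisable trace in authentication logs: one source address failing against many distinct accounts in a short window, usually followed by a single success. The following detector, an added example and not code from the NCC Group or Fox-IT report, runs that rule over a handful of constructed log lines (the timestamps, addresses and usernames are made up for illustration; the log format, window and threshold are assumptions, not anything the report specifies).

```python
"""Flag sources that fail against many distinct accounts in a short window.

Both password spraying (one password tried against many accounts) and
credential stuffing (leaked user:password pairs replayed in bulk) look the
same from the victim's side: many different usernames failing from the same
source in quick succession. A success from such a source is the account to
investigate first.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed format:
# "<ISO-8601 UTC timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2021-01-20T08:00:01Z 203.0.113.7 alice FAIL
2021-01-20T08:00:03Z 203.0.113.7 bob FAIL
2021-01-20T08:00:05Z 203.0.113.7 carol FAIL
2021-01-20T08:00:07Z 203.0.113.7 dave FAIL
2021-01-20T08:00:09Z 203.0.113.7 erin FAIL
2021-01-20T08:00:11Z 203.0.113.7 frank SUCCESS
2021-01-20T08:01:00Z 198.51.100.9 alice FAIL
2021-01-20T08:01:30Z 198.51.100.9 alice FAIL
2021-01-20T08:02:00Z 198.51.100.9 alice SUCCESS
2021-01-20T09:00:00Z 192.0.2.55 grace SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append(
            AuthEvent(
                ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                src=src,
                user=user,
                ok=(outcome == "SUCCESS"),
            )
        )
    return events


def detect_spray(
    events: list[AuthEvent],
    window: timedelta = timedelta(minutes=10),
    min_accounts: int = 5,
) -> dict[str, dict[str, set[str]]]:
    """Return {source: {'sprayed_accounts': ..., 'successful_logins': ...}}.

    A source is flagged when, within any sliding window of `window` length,
    it has failed logins for at least `min_accounts` distinct usernames.
    A single account failing repeatedly from one source (a forgotten
    password, or plain brute force of one user) does not trip this rule.
    """
    by_src: dict[str, list[AuthEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_src[ev.src].append(ev)

    alerts: dict[str, dict[str, set[str]]] = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e.ok]
        in_window: Counter[str] = Counter()  # distinct users inside the window
        flagged: set[str] = set()
        left = 0
        for ev in fails:  # two-pointer sliding window over the failures
            in_window[ev.user] += 1
            while fails[left].ts < ev.ts - window:
                old = fails[left].user
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_accounts:
                flagged |= set(in_window)
        if flagged:
            alerts[src] = {
                "sprayed_accounts": flagged,
                # Any success from a spraying source is a likely compromise.
                "successful_logins": {e.user for e in evs if e.ok},
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {sorted(info['sprayed_accounts'])}, "
              f"logged in as {sorted(info['successful_logins'])}")
```

The threshold and window need tuning per environment: a shared NAT egress address will legitimately show many distinct users, so in practice the rule is paired with an allow-list of known corporate egress ranges and, as the mitigation, multi-factor authentication on the email, Citrix and VPN services the group goes after.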
Once inside an internal network, the intruders usually deploy Cobalt Strike, a penetration-testing framework used for “adversary emulation,” which they use to move laterally to as many systems as possible, searching for IP and passenger details. It is very common for state-sponsored hacking groups to target airline companies, hotel chains, and telcos to obtain data they could use to track the movements and communications of persons of interest.
What to do?
- Ensure your network security software is up to date and active.
- Enforce multi-factor authentication on externally reachable services such as email, Citrix and VPN, since reused passwords are this group’s way in.
- Conduct routine employee training on cyber threats and techniques such as phishing.
- Perform routine system checks, including reviews of authentication and VPN logs, to identify any possible breaches.
- Perform routine backups and store copies off site in a secure location.
What can you do when this happens to you?
- If you determine your network has been breached and/or compromised, immediately isolate the affected systems from the network (preserve memory and logs rather than powering them off) and identify any malware present.
- Determine if any data has been modified or exfiltrated.
- If data has been stolen, notify all affected parties, including the data-crimes division of local law enforcement and the FBI.
- Reinstate the network from a known “clean” backup taken before the intrusion, and reset the credentials of every account the intruders could have used.