Researchers Attribute SITA Cyberattack to Chinese Hackers
The cyberattack on SITA that impacted multiple airlines around the world was orchestrated by a Chinese nation-state threat actor tracked as APT41, security researchers at detection and prevention firm Group-IB say.
Codenamed ColunmTK and disclosed in early March 2021, the attack affected airlines such as Air India, Air New Zealand, Finland’s Finnair, Singapore Airlines, Malaysia Airlines, and Jeju Air in South Korea. SITA has roughly 2,500 customers and provides services at over 1,000 airports worldwide.
One of the affected airlines was Air India, which announced in May that approximately “4,500,000 data subjects globally” were affected. Compromised data includes names, dates of birth, passport information, contact information, and additional data.
Air India revealed that the attack was related to SITA PSS, which processes personally identifiable information (PII).
Group-IB’s investigation revealed that the first system within Air India’s network to communicate with the attackers’ infrastructure was named SITASERVER4, and that it had hosted the Cobalt Strike implant for more than two months before that.
The attackers used their presence on the network to collect credentials and move laterally. They compromised at least 20 devices within Air India’s network, attempted to escalate privileges, and exfiltrated data from the network.
“The attack on Air India lasted for at least 2 months and 26 days. It took the attackers 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline’s network,” Group-IB says.
The security researchers believe that APT41, a prolific Chinese state-sponsored threat actor, was behind the attack. Active since at least 2007, the group is also tracked as WICKED SPIDER (PANDA), Winnti Umbrella, and BARIUM, and is known for frequently targeting Indian organizations.
In this attack, the threat actor used a specific SSL certificate that was detected on only five hosts, which the researchers linked to APT41. Furthermore, the adversary used IP addresses and file contents that it had employed in previous attacks and, after the campaign was over, the domains were parked at IP address 127.0.0.1, a tactic APT41 is well known for.
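As an added illustration of the infrastructure-overlap reasoning described above (a TLS certificate shared by a handful of hosts, IP addresses reused from earlier campaigns, and domains later parked at 127.0.0.1), the following Python script is example code written for this page, not Group-IB's tooling or any indicator from the investigation. Every domain, IP address, certificate fingerprint, date, and the "known cluster" indicator sets are constructed placeholders, and the functions simply show how an analyst would collect those three signals per domain from passive-DNS and TLS observations.

```python
from collections import defaultdict
from datetime import date

LOOPBACK = "127.0.0.1"

# Constructed passive-DNS-style records: (domain, resolved_ip, first_seen, last_seen).
# Domains use reserved example/documentation ranges; none of this is real telemetry.
DNS_RECORDS = [
    ("update-cdn.example", "203.0.113.10", date(2021, 2, 1), date(2021, 4, 30)),
    ("update-cdn.example", LOOPBACK, date(2021, 5, 1), date(2021, 6, 1)),
    ("mail-sync.example", "198.51.100.7", date(2021, 2, 10), date(2021, 4, 28)),
    ("mail-sync.example", LOOPBACK, date(2021, 5, 2), date(2021, 6, 1)),
    ("stage.example", "203.0.113.11", date(2021, 3, 1), date(2021, 6, 1)),
    ("shop.example", "192.0.2.44", date(2020, 1, 1), date(2021, 6, 1)),
    # Always resolved to loopback: a developer record, not post-campaign parking.
    ("dev.example", LOOPBACK, date(2021, 1, 1), date(2021, 6, 1)),
]

# Constructed TLS observations: (host_ip, certificate_sha256). Fingerprints are fake.
TLS_OBSERVATIONS = [
    ("203.0.113.10", "aaaa1111"),
    ("198.51.100.7", "aaaa1111"),
    ("203.0.113.11", "aaaa1111"),
    ("192.0.2.44", "bbbb2222"),
]

# Constructed: indicators a team already attributes to one tracked cluster.
KNOWN_CLUSTER_IPS = {"203.0.113.11"}
KNOWN_CLUSTER_CERTS = {"aaaa1111"}


def parked_domains(records):
    """Domains whose latest resolution is 127.0.0.1 after earlier pointing at a public IP."""
    by_domain = defaultdict(list)
    for domain, ip, first_seen, last_seen in records:
        by_domain[domain].append((first_seen, last_seen, ip))
    parked = []
    for domain, entries in by_domain.items():
        entries.sort()  # chronological by first_seen
        ips = [ip for _, _, ip in entries]
        # A domain that only ever pointed at loopback is not "parked"; it was never live.
        if ips[-1] == LOOPBACK and any(ip != LOOPBACK for ip in ips[:-1]):
            parked.append(domain)
    return sorted(parked)


def hosts_by_certificate(tls_obs):
    """Map certificate fingerprint -> hosts presenting it, keeping only shared certificates."""
    certs = defaultdict(set)
    for host, fingerprint in tls_obs:
        certs[fingerprint].add(host)
    return {fp: hosts for fp, hosts in certs.items() if len(hosts) > 1}


def overlap_evidence(records, tls_obs, known_ips, known_certs):
    """Collect the overlap signals (known IP, known or shared cert, loopback parking) per domain."""
    evidence = defaultdict(list)
    shared = hosts_by_certificate(tls_obs)
    ip_to_cert = {host: fp for host, fp in tls_obs}
    for domain, ip, _, _ in records:
        if ip == LOOPBACK:
            continue  # loopback resolutions carry no hosting infrastructure to pivot on
        if ip in known_ips:
            evidence[domain].append(f"resolved to known cluster IP {ip}")
        fp = ip_to_cert.get(ip)
        if fp in known_certs:
            evidence[domain].append(f"host {ip} presents known cluster certificate {fp}")
        elif fp in shared:
            others = len(shared[fp]) - 1
            evidence[domain].append(f"host {ip} shares certificate {fp} with {others} other host(s)")
    for domain in parked_domains(records):
        evidence[domain].append("domain later parked at 127.0.0.1")
    return {domain: sorted(set(items)) for domain, items in evidence.items()}


def rank_by_evidence(evidence):
    """Order domains by how many independent overlap signals they accumulate."""
    return sorted(evidence, key=lambda d: (-len(evidence[d]), d))


if __name__ == "__main__":
    found = overlap_evidence(DNS_RECORDS, TLS_OBSERVATIONS, KNOWN_CLUSTER_IPS, KNOWN_CLUSTER_CERTS)
    for domain in rank_by_evidence(found):
        print(domain)
        for item in found[domain]:
            print("  -", item)
```

Each signal is weak on its own: certificates are shared legitimately by CDNs and hosting providers, and a domain that has only ever resolved to loopback (dev.example here) is a stale record rather than parking. The script therefore reports the signals side by side and ranks domains by how many independent ones coincide, which is the shape of the argument the researchers make above, rather than treating any single match as attribution.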