A suspected Chinese hacking group has been attacking the airline industry for the past few years with the goal of obtaining passenger data in order to track the movement of persons of interest.
The intrusions have been linked to a threat actor that the cyber-security industry has been tracking under the name of Chimera.
Believed to be operating in the interests of the Chinese state, the group’s activities were first described in a report [PDF] and Black Hat presentation [PDF] from CyCraft in 2020.
The initial report mentioned a series of coordinated attacks against the Taiwanese semiconductor industry.
But in a new report published last week by NCC Group and its subsidiary Fox-IT, the two companies said the group’s intrusions are broader than initially thought, having also targeted the airline industry.
“NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020,” the two companies said.
These attacks targeted semiconductor and airline companies in different geographical areas, and not just Asia, NCC and Fox-IT said.
In the case of some victims, the hackers stayed hidden inside networks for up to three years before being discovered.
Hackers scraped user data from the RAM of flight booking servers
While the attacks orchestrated against the semiconductor industry were aimed towards the theft of intellectual property (IP), the attacks against the airline industry were focused instead on something else.
“The goal of targeting some victims appears to be to obtain Passenger Name Records (PNR),” the two companies said.
“How this PNR data is obtained likely differs per victim, but we observed the usage of several custom DLL files used to continuously retrieve PNR data from memory of systems where such data is typically processed, such as flight booking servers.”
A typical Chimera attack
The joint NCC and Fox-IT report also describes the Chimera group’s typical modus operandi, which usually begins with collecting user login credentials that leaked in the public domain after data breaches at other companies.
This data is used for credential stuffing or password spraying attacks against a target’s employee services, such as email accounts. Once in, the Chimera operators search for login details for corporate systems, such as Citrix systems and VPN appliances.
Once inside an internal network, the intruders usually deploy Cobalt Strike, a penetration-testing framework used for “adversary emulation,” which they use to move laterally to as many systems as possible, searching for IP and passenger details.
The two security firms said the hackers were patient and thorough and would search until they found ways to traverse across segmented networks to reach systems of interest.
Once they had found and collected the data they were after, this information was regularly uploaded to public cloud services like OneDrive, Dropbox, or Google Drive, knowing that traffic to these services wouldn't be inspected or blocked inside breached networks.
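The two stages of that playbook that leave the clearest traces in ordinary logs are the initial password spraying against employee accounts and the later bulk uploads to consumer cloud storage. The script below is an added example written for this article, not code from NCC Group, Fox-IT or the report they published; it runs two simple detections over constructed log lines. The log formats, the domain watchlist and the thresholds (five distinct accounts within ten minutes, 100 MB to one cloud-storage domain) are assumptions chosen for illustration, not values taken from the report.

```python
"""Added example: detection logic for the two noisiest stages of the
Chimera playbook described above. Log formats, thresholds and the
sample lines are all constructed for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format:
# "<ISO-8601 time> <source IP> <username> <SUCCESS|FAILURE>").
# 198.51.100.7 tries a guess against many accounts: the spray pattern.
# 203.0.113.5 is one user mistyping her own password: not a spray.
AUTH_LOG = """\
2020-02-10T03:00:01 198.51.100.7 alice FAILURE
2020-02-10T03:00:09 198.51.100.7 bob FAILURE
2020-02-10T03:00:17 198.51.100.7 carol FAILURE
2020-02-10T03:00:25 198.51.100.7 dave FAILURE
2020-02-10T03:00:33 198.51.100.7 erin FAILURE
2020-02-10T03:00:41 198.51.100.7 frank SUCCESS
2020-02-10T08:14:02 203.0.113.5 carol FAILURE
2020-02-10T08:14:20 203.0.113.5 carol FAILURE
2020-02-10T08:14:41 203.0.113.5 carol SUCCESS
"""

# Constructed sample web-proxy log (assumed format:
# "<ISO-8601 time> <internal host> <destination domain> <method> <bytes out>").
PROXY_LOG = """\
2020-02-11T22:05:10 srv-booking-02 onedrive.live.com PUT 52428800
2020-02-11T22:07:44 srv-booking-02 onedrive.live.com PUT 61865984
2020-02-11T22:10:03 srv-booking-02 onedrive.live.com PUT 48234496
2020-02-11T09:30:12 ws-hr-14 dropbox.com POST 204800
2020-02-11T10:02:51 ws-hr-14 www.example-news.test GET 1200
"""

# Assumed watchlist of consumer cloud-storage domains named in the article.
CLOUD_STORAGE_DOMAINS = {"onedrive.live.com", "dropbox.com", "drive.google.com"}


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_accounts=5):
    """Return {source_ip: sorted usernames} for sources whose failed logons
    hit at least `min_accounts` distinct accounts within `window`.

    A spray touches many accounts with few attempts each, so the signal is
    the breadth of usernames per source, not the raw failure count (which
    would also flag a single user who forgot her password)."""
    failures = defaultdict(list)  # source_ip -> [(time, user), ...]
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        if outcome == "FAILURE":
            failures[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        # Slide a time window over this source's failures, oldest first.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


def detect_cloud_exfil(log_text, min_bytes=100 * 1024 * 1024):
    """Return {(host, domain): bytes} for hosts that pushed at least
    `min_bytes` to a watched cloud-storage domain.

    Volume is summed per host/destination pair so that one large transfer
    split into several uploads is still caught."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        _ts, host, domain, method, nbytes = line.split()
        if domain in CLOUD_STORAGE_DOMAINS and method in ("PUT", "POST"):
            totals[(host, domain)] += int(nbytes)
    return {key: total for key, total in totals.items() if total >= min_bytes}


if __name__ == "__main__":
    for ip, users in detect_password_spray(AUTH_LOG).items():
        print(f"possible password spray from {ip} against {users}")
    for (host, domain), total in detect_cloud_exfil(PROXY_LOG).items():
        print(f"{host} uploaded {total} bytes to {domain}")
```

The spray detector keys on the number of distinct accounts per source rather than on failure volume, which is what separates a spray (one guess across many users) from a single locked-out employee. The exfiltration check sums outbound bytes per host and destination, because the report describes uploads that blend in with normal traffic; a booking server that has no business reason to push tens of megabytes to OneDrive stands out only once the volume is aggregated.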
Tracking targets of interest
While the NCC and Fox-IT report didn’t speculate why the hackers targeted the airline industry and why they stole passenger data, this is pretty obvious.
In fact, it is very common for state-sponsored hacking groups to target airline companies, hotel chains, and telcos to obtain data they could use to track the movements and communications of persons of interest.
Past examples include Chinese group APT41, which targeted telcos with special malware capable of stealing SMS messages. The attacks were believed to be related to China’s efforts to track its Uyghur minority, with some of these efforts involving hacking telcos to track Uyghur travelers’ movements.
Another Chinese group that targeted telcos was APT10 (or Gallium), whose activities were detailed in Cybereason’s Operation Soft Cell report.
In addition, Chinese state-sponsored hackers were also linked to the Marriott hack, during which they stole troves of hotel reservation details going back years.
But China isn’t the only one engaging in these types of attacks.
Iranian group APT39 has also been linked to breaches at telecommunication providers and travel companies for the purpose of tracking Iranian dissidents, while another Iranian group, known as Greenbug, has been linked to hacks against multiple telecom providers across Southeast Asia.
Then there’s Operation Specialist, a UK GCHQ operation that targeted Belgian telco Belgacom between 2010 and 2013.