APT41, a Chinese state-sponsored threat actor, has been connected to a recent hack against SITA, an air travel software company, and against many airlines, including Air India.
SITA is one of the main global IT suppliers to the aviation industry, serving over 90% of the world's aviation business. Airlines have also been advised to search their networks thoroughly in order to track down any threat that may still be hidden inside them.
According to a report by Group-IB analyst Nikita Rostovcev, “After Air India, it was evident the world’s national carriers are dealing with one of the biggest supply-chain attacks in the airline’s history. SITA’s data breach is estimated to have revealed data of 4.5 million passengers.”
SITA was in charge of Air India's passenger data. The stolen information was offered for $3,000 on a leak site. Although the intrusion into the Air India network lasted only four days short of three months, the threat actors needed just 24 hours and 5 minutes to spread Cobalt Strike beacons to the rest of the airline's infrastructure.
The Group-IB report further said, "The campaign's code name is ColunmTK. It was formed by combining the first two domains used for DNS tunneling in the attack."
APT41, also known as Wicked Panda, Wicked Spider, Winnti, and Barium, is the actor behind the ColunmTK campaign. APT41 has been responsible for supply-chain attacks, cyber espionage, and financially motivated crime since 2007.
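As an added, defender-side illustration (this is not code from the Group-IB report or from the original article), the following Python scores a DNS query log for the pattern that DNS tunneling leaves behind: many distinct, long, high-entropy subdomains under a single zone. The log lines, the zone names and the thresholds are constructed for the example, and the zone is approximated as the last two labels of each name.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log ("client queried_name"); sample values only,
# not indicators from the incident described above.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a3f9c1e2b7d04e8f1a2b.tunnel-demo.invalid
10.0.0.7 9e7d2c4b1a0f3e5d6c8b.tunnel-demo.invalid
10.0.0.7 4b2a1c9f8e7d6c5b4a3f.tunnel-demo.invalid
10.0.0.7 0f1e2d3c4b5a69788796.tunnel-demo.invalid
10.0.0.9 cdn.example.com
"""

def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than dictionary words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def profile_zones(log_text):
    """Group queries by zone (assumed: last two labels) and collect tunneling signals."""
    zones = defaultdict(lambda: {"subdomains": set(), "max_label": 0, "entropies": []})
    for line in log_text.splitlines():
        _client, name = line.split()
        labels = name.rstrip(".").lower().split(".")
        if len(labels) < 3:  # a bare zone lookup carries no subdomain payload
            continue
        zone, sub = ".".join(labels[-2:]), labels[:-2]
        stats = zones[zone]
        stats["subdomains"].add(".".join(sub))
        stats["max_label"] = max(stats["max_label"], *(len(l) for l in sub))
        stats["entropies"].append(shannon_entropy(sub[0]))  # leftmost label carries the data
    return zones

def flag_tunneling(log_text, min_unique=4, min_label_len=16, min_entropy=3.0):
    """Return zones receiving many distinct subdomains that are unusually long or
    high-entropy, the query pattern DNS tunneling produces."""
    flagged = {}
    for zone, s in profile_zones(log_text).items():
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        if len(s["subdomains"]) >= min_unique and (
            s["max_label"] >= min_label_len or mean_entropy >= min_entropy
        ):
            flagged[zone] = {"unique_subdomains": len(s["subdomains"]),
                             "max_label_len": s["max_label"],
                             "mean_entropy": round(mean_entropy, 2)}
    return flagged
```

In production the thresholds should be tuned against a baseline of the organisation's normal resolver traffic, since CDNs and some security products also generate long, machine-looking labels.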
Customers' private details, including names, dates of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, and credit card details, were exposed in the Air India cyberattack.
Passwords and CVV numbers were not stolen, as SITA did not hold this customer data.