India’s flagship airline Air India announced last month it was hit by a huge cyberattack, affecting as many as 4.5 million passengers. Their data, including passport information and some credit card details, had been compromised by unknown hackers.
But a cybersecurity company is now claiming, with “moderate” confidence, that a prolific Chinese government-sponsored espionage and cybercriminal group known as APT41 was to blame for the Air India breach. It could be part of a wider campaign to snoop on the airline industry, according to Singapore-based Group-IB, which showed Forbes its findings on Thursday ahead of publication. APT41 was called out by the FBI in September 2020, and a number of its alleged members indicted for various cybercrimes, including hacks on more than 100 organizations across the world, including in the U.S. The accused are now on the FBI’s Cyber Most Wanted list.
The apparent link to Air India came via an analysis of what Group-IB claimed was a command and control server used in the attack on the airline. Group-IB researchers found that the server presented a particular TLS (SSL) certificate to the traffic it handled, and that the same certificate had been seen on only five servers. One of the IP addresses of those servers had been previously identified by Microsoft as one used by APT41. A certificate shared by only a handful of hosts is a useful pivot because attackers tend to reuse one certificate across the infrastructure they control, whereas a certificate found on thousands of hosts (a tool's default certificate, say) would link nothing to anyone. Another clue came from the malware used by the group, which operated in a similar way to previous APT41 spy tools, including files used to establish persistent access to the victim network.
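The certificate pivot described above, written out as an added example (this is not Group-IB's tooling and not code from the article): compute the SHA-256 fingerprint of the certificate seen on a suspected C2 host, find every other observed host presenting the same certificate, intersect that cluster with previously reported attacker IPs, and downgrade the result when the certificate turns out to be widely shared. All hosts, certificate bodies and the "known APT41 IP" list are constructed placeholders, and the cluster-size threshold is an assumption.

```python
"""Pivot from one suspected C2 server to related infrastructure by TLS certificate.

Added example, not from the article or Group-IB. Every host, certificate body and
indicator below is constructed; real work would feed this from passive-scan data.
"""
import base64
import hashlib
from collections import defaultdict


def make_pem(body: bytes) -> str:
    """Wrap constructed bytes as a PEM block so the fingerprint code below sees
    the same shape a real certificate has (the body is NOT a real X.509 DER)."""
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of a PEM certificate, colon-separated hex.
    This is what `openssl x509 -noout -fingerprint -sha256` prints."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM certificate")
    der = base64.b64decode("".join(lines[1:-1]))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# --- constructed observations: {ip: certificate presented on 443} --------------
CERT_OPERATOR = make_pem(b"constructed: certificate minted by the operator")
CERT_DEFAULT = make_pem(b"constructed: default certificate shipped with a C2 framework")
CERT_OTHER = make_pem(b"constructed: unrelated corporate certificate")

SCAN_OBSERVATIONS = {
    "203.0.113.10": CERT_OPERATOR,   # the suspected C2 from the incident (constructed)
    "203.0.113.11": CERT_OPERATOR,
    "198.51.100.5": CERT_OPERATOR,
    "198.51.100.6": CERT_OPERATOR,
    "192.0.2.77": CERT_OPERATOR,     # also appears in prior vendor reporting (constructed)
    "192.0.2.1": CERT_OTHER,
}
# 25 hosts all presenting the framework's default certificate (constructed)
SCAN_OBSERVATIONS.update({f"198.18.0.{i}": CERT_DEFAULT for i in range(1, 26)})

# constructed stand-in for "previously attributed to APT41 by another vendor"
KNOWN_APT41_IPS = {"192.0.2.77", "192.0.2.200"}


def cluster_by_certificate(observations: dict) -> dict:
    """Group observed hosts by the fingerprint of the certificate they present."""
    clusters = defaultdict(list)
    for ip, pem in observations.items():
        clusters[cert_fingerprint(pem)].append(ip)
    return {fp: sorted(ips) for fp, ips in clusters.items()}


def pivot(observations: dict, seed_ip: str, known_ips: set, max_cluster: int = 20) -> dict:
    """Starting from one suspected C2 host, return the hosts sharing its certificate,
    the overlap with prior indicators, and a confidence label.

    max_cluster is an assumed threshold: a certificate on more hosts than that is
    treated as widely shared (e.g. a tool default) and yields no attribution signal.
    """
    fp = cert_fingerprint(observations[seed_ip])
    cluster = cluster_by_certificate(observations)[fp]
    overlap = sorted(set(cluster) & known_ips)
    if len(cluster) > max_cluster:
        confidence = "low"        # default/shared cert: overlap would be coincidence
    elif overlap:
        confidence = "moderate"   # small cluster with a prior-attributed member
    else:
        confidence = "none"       # small cluster, nothing previously reported
    return {"fingerprint": fp, "cluster": cluster, "overlap": overlap, "confidence": confidence}


if __name__ == "__main__":
    for seed in ("203.0.113.10", "198.18.0.3"):
        result = pivot(SCAN_OBSERVATIONS, seed, KNOWN_APT41_IPS)
        print(seed, len(result["cluster"]), "hosts", result["overlap"], result["confidence"])
```

Two things carry the weight here: the fingerprint is computed over the DER bytes, so any re-encoding of the PEM does not change it, and the cluster size is checked before the overlap is trusted, which is the check that stops a framework's default certificate from "linking" unrelated operators.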
Forbes wasn’t able to independently verify Group-IB’s findings, and there are some doubts about its “moderate” confidence attribution. One cybersecurity industry executive, whose company had researched APT41 operations and who spoke on condition of anonymity, said they believed the report was not accurate, but couldn’t specify how, citing sensitivities over their research. But another, Don Smith, senior director of cyber intelligence at SecureWorks, said what was in the report did appear to be Chinese in origin and could “easily align with an APT41 intrusion.”
Group-IB has recently been successful in identifying cybercriminals behind major operations. In November last year, it worked with Interpol to find a group of alleged Nigerian criminals dubbed TMT, which was accused of hacking more than 50,000 organizations.
Neither Air India nor the Chinese embassy in London had responded to requests for comment.
A wider supply chain attack?
Whether China was responsible or not, Group-IB suspects that the Air India hack is linked to a wider attack on the airline industry, one that started with the breach of SITA, an IT supplier for the industry. That breach was revealed in early March and led to a leak of passenger data. “This was a highly sophisticated attack,” SITA wrote at the time.
When Air India revealed its breach, it noted that it started with the hack of SITA, the data processing provider for the airline. Despite the indicators from the Air India hack—and though there have been breaches at other airlines following the SITA hack, leading to data leaks from Singapore Airlines and Finnair (amongst others)—Group-IB told Forbes it doesn’t yet have enough evidence to confirm a large-scale supply chain compromise.
SITA hadn’t responded to a request for comment at the time of publication. But if APT41 has hacked the airline industry via SITA, it would fit with the group’s modus operandi of targeting travel market players and using supply chain providers as a route into company networks, though APT41 has a broad range of victims across myriad industries, from critical infrastructure to healthcare and defense.
APT41 has been active for the last 15 years, carrying out espionage operations and financially-motivated cybercrime, said Group-IB chief technology officer Dmitry Volkov.
“APT41 is a very prolific threat actor which remains extremely active up until now,” Volkov added. “The main attack vector for APT41 is spear-phishing emails with malicious attachments leveraging a number of different exploits. In some cases, APT41 communicates with their potential victims in social networks, reaching out to those who work in the business development or HR departments, and then spear phishing a victim using a variety of malware installation vectors.”
According to the Justice Department, APT41 has also been seen deploying ransomware on target networks. In the wake of the recent attacks on Colonial Pipeline and meat supplier JBS, the prospect of a group with APT41’s technical prowess also wielding ransomware could be a real worry for IT teams.