Report: China-Connected APT41 Likely Behind Attacks on Airlines
Group-IB Analyzes Impact of Attacks That Affected SITA, Air India, Others
(This story has been updated with reaction from SITA.)
The China-backed advanced persistent threat group APT41 apparently was responsible for the breach of SITA, an international provider of IT services for the air transport industry worldwide, that led to customer data at Air India and other airlines being compromised, according to the security firm Group-IB. But SITA disputes the findings.
"After Air India revealed the details of its security breach, it became clear that the carriers were most likely dealing with one of the biggest supply chain attacks in the airline industry's history," says Nikita Rostovcev, threat intelligence analyst at Group-IB.
Group-IB says it linked the attack to APT41 by tying command-and-control servers known to be used by the group to the attacks.
"Using its external threat hunting tools, Group-IB's threat intelligence team attributed the Air India incident with moderate confidence to the Chinese nation-state threat actor known as APT41. The campaign was codenamed ColunmTK," Rostovcev says.
APT41 also is known as Wicked Spider, Winnti Umbrella and Barium.
Attackers managed to access data stored on SITA's Passenger Service System server in the U.S., leading to the exposure of customer frequent flyer data from Air India, Malaysia Airlines, Singapore Airlines, Finnair Airlines and Air New Zealand, says Group-IB.
In a statement provided to Information Security Media Group on Wednesday, SITA says it disagrees with Group-IB's finding that there is a connection between the Air India attack and the earlier attack on SITA.
"There is no substance in the suggestion of Group-IB that the attack on SITA PSS and the separate attack on Air India were linked or carried out by the same threat actor," the company says. "The threat actor that attacked SITA PSS was expelled from our network several weeks before the blog suggests the separate attack on Air India began."
ColunmTK and Air India
Air India reported a cyber incident on May 21, apparently stemming from a February breach at SITA.
The Air India compromise began on or about Feb. 23, with the attackers maintaining persistence within Air India's system for almost 90 days, Group-IB reports. The security firm found a server inside Air India's network, named Sitaserver4, communicating with an APT41 command-and-control server that hosted Cobalt Strike, a penetration testing tool often used by malicious actors, which was used against Air India.
"Based on how it is named, it is fair to assume that the device [Sitaserver4] is related to a SITA data processing server," Group-IB says.
In its Wednesday statement, SITA says it has found no evidence that Sitaserver4 communicated with the SITA network during the attack on Air India. It also says that Group-IB does not provide evidence of how the named server was attacked or of the network source used to attack it, and that none of the methods the blog suggests were used to attack Air India were employed in the attack on SITA.
"We understand that the named Air India server had previously been used to host in the Air India network some software provided by SITA to Air India," SITA says. "This software was removed from the named server in 2019, and we do not know whether Air India is continuing to use the named server or the purpose they may now be using that server for."
Group-IB estimates APT41 took only 24 hours to place Cobalt Strike beacons throughout Air India's network.
"After the attackers established persistence in the network and obtained passwords, they began moving laterally. The threat actor collected information inside the local network, including names of network resources and their addresses," Rostovcev says.
At this stage, the attacker exfiltrated NTLM hashes and plain-text passwords from local workstations, using hashdump and Mimikatz. The attackers tried to escalate local privileges with the help of the privilege escalation malware BadPotato, says Group-IB.
"According to our data, at least 20 devices from Air India's network were compromised during the lateral movement stage. The attackers used DNS-txt requests to connect the bots to the C&C server," Rostovcev says.
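As an added illustration of the DNS TXT beaconing described above (example code written for this article, not Group-IB's or any vendor's tooling), the following Python flags hosts whose TXT queries to a single zone are numerous and almost all to distinct, random-looking names, the traffic shape a DNS-TXT C2 channel produces; the log lines, hosts and domains are constructed.

```python
import re
from collections import defaultdict

# Constructed sample BIND-style query log (not Air India's data). Host 10.0.0.21 makes
# many TXT queries to unique subdomains of one zone, the pattern a DNS-TXT beacon
# produces; host 10.0.0.7 makes ordinary SPF/DMARC-style TXT lookups for comparison.
SAMPLE_LOG = """\
client 10.0.0.21#51234: query: a3f9c1.svc.c2-placeholder.test IN TXT + (10.0.0.2)
client 10.0.0.21#51235: query: 7b2e00.svc.c2-placeholder.test IN TXT + (10.0.0.2)
client 10.0.0.21#51236: query: c91d44.svc.c2-placeholder.test IN TXT + (10.0.0.2)
client 10.0.0.21#51237: query: 0e8ab7.svc.c2-placeholder.test IN TXT + (10.0.0.2)
client 10.0.0.21#51238: query: 5f61d2.svc.c2-placeholder.test IN TXT + (10.0.0.2)
client 10.0.0.21#51239: query: mail.example.com IN A + (10.0.0.2)
client 10.0.0.7#40001: query: example.com IN TXT + (10.0.0.2)
client 10.0.0.7#40002: query: _dmarc.example.com IN TXT + (10.0.0.2)
client 10.0.0.7#40003: query: example.com IN TXT + (10.0.0.2)
"""

LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def registrable_zone(qname: str) -> str:
    # Simplification: treat the last two labels as the zone (no public-suffix list).
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_txt_beacon_candidates(log_text: str, min_queries: int = 5, min_unique_ratio: float = 0.8):
    """Return {(client, zone): (txt_queries, distinct_names)} for client/zone pairs whose
    TXT traffic looks like beaconing: many queries, nearly all to distinct names.
    Legitimate TXT lookups (SPF, DMARC) repeat the same few stable names, so they pass."""
    names = defaultdict(set)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("qtype") != "TXT":
            continue
        key = (m.group("client"), registrable_zone(m.group("qname")))
        counts[key] += 1
        names[key].add(m.group("qname"))
    flagged = {}
    for key, n in counts.items():
        distinct = len(names[key])
        if n >= min_queries and distinct / n >= min_unique_ratio:
            flagged[key] = (n, distinct)
    return flagged


if __name__ == "__main__":
    for (client, zone), (n, distinct) in find_txt_beacon_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {n} TXT queries to {distinct} distinct names")
```

Thresholds are a starting point; tune them against a baseline of the environment's normal TXT lookups before alerting on them.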
Tying in APT41
Stolen digital certificates used in the Air India attack were connected to five servers known to be used by APT41, Group-IB says.
Group-IB listed several pieces of evidence connecting the servers to APT41:
- Address 45[.]61[.]136[.]199 was attributed to APT41 by Microsoft in their recent research;
- Address 104[.]224[.]169[.]214 was used to host the Cobalt Strike framework, shared an SSL certificate with ColunmTK's IP address 185.118.166[.]66 and was found parked at the known APT41 domain 127.0.0.1;
- Service[.]dns22[.]ml shared the SSL certificate with ColunmTK's IP address and was parked at 127.0.0.1;
- Address 104[.]224[.]169[.]214 was used as the IP address for a shellcode loader in APT41's earlier campaigns.
Rostovcev notes that APT41 usually parks its domains for some time at 127.0.0.1 after a campaign ends.
The final clue is a file Group-IB researchers named "Install.bat" (SHA1-7185bb6f1dddca0e6b5a07b357529e2397cdee44). The attackers uploaded the file to some of the compromised devices inside Air India's network as part of the ColunmTK campaign. The file is very similar to the one used by APT41 in a different campaign described by FireEye researchers.