The cyber assault on Air India that came to light last month lasted for a period of at least two months and 26 days, new research has revealed, which attributed the incident with moderate confidence to a Chinese nation-state threat actor called APT41.
Group-IB dubbed the campaign “ColunmTK” based on the names of the command-and-control (C2) server domains that were used for communications. “The potential ramifications of this incident for the entire airline industry and carriers that might yet discover traces of ColunmTK in their networks are significant,” the Singapore-headquartered threat hunting company said.
Also known by other monikers such as Winnti Umbrella, Axiom, and Barium, APT41 is a prolific Chinese-speaking nation-state advanced persistent threat known for its campaigns centered around information theft and espionage against healthcare, high-tech, and telecommunications sectors to establish and maintain strategic access for stealing intellectual property and committing financially motivated cybercrimes.
“Their cyber crime intrusions are most apparent among video game industry targeting, including the manipulation of virtual currencies, and attempted deployment of ransomware,” according to FireEye. “APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance.”
On May 21, India’s flag carrier airline, Air India, disclosed a data breach affecting 4.5 million of its customers over a period stretching nearly 10 years in the wake of a supply chain attack directed at its Passenger Service System (PSS) provider SITA earlier this February.
The breach involved personal data registered between Aug. 26, 2011, and Feb. 3, 2021, including details such as names, dates of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data, as well as credit card data.
Group-IB’s analysis into the incident has revealed that at least since Feb. 23, an infected device inside Air India’s network (named “SITASERVER4”) communicated with a server hosting Cobalt Strike payloads dating all the way back to Dec. 11, 2020. Following this initial compromise, the attackers are said to have established persistence and obtained passwords in order to pivot laterally to the broader network with the goal of gathering information inside the local network.
No fewer than 20 devices were infected during the course of lateral movement, the company said. “The attackers exfiltrated NTLM hashes and plain-text passwords from local workstations using hashdump and mimikatz,” Group-IB Threat Intelligence Analyst Nikita Rostovcev said. “The attackers tried to escalate local privileges with the help of BadPotato malware.”
In all, the adversary extracted 23.33 MB of data from five devices named SITASERVER4, AILCCUALHSV001, AILDELCCPOSCE01, AILDELCCPDB01, and WEBSERVER3, with the attackers taking 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline’s network.
While the initial entry point remains unknown, the fact that “the first device that started communicating with the adversary-controlled C&C server was a SITA server and the fact that SITA notified Air India about its security incident give reasonable ground to believe that the compromise of Air India’s network was the result of a sophisticated supply chain attack, which might have started with SITA.”
Connections to Barium are grounded on the basis of overlaps between the C2 servers found in the attack infrastructure with those used in earlier attacks and tactics employed by the threat actor to park their domains once their operations are over. Group-IB also said it discovered a file named “Install.bat” that bore similarities to payloads deployed in a 2020 global intrusion campaign.
Indicators of compromise (IoC) associated with the incident can be accessed here.