Chinese hackers deploy information theft campaign against multiple airlines

The personal data of airline customers around the world has become one of the main targets of hacking groups. The most recent campaign of this kind has been attributed to a Chinese hacking group identified as Chimera, detected in mid-2020.

Although early reports on Chimera suggested that the attackers focused their efforts against the superconductor industry in Taiwan, subsequent reports determined that the group had extended its attacks to various airlines. NCC Group, a cybersecurity firm, mentions that the group was identified in several reported incidents between October 2019 and April 2020, when it began expanding to locations outside Asia.

While the main goal of the initial attacks was intellectual property theft, the group’s second wave of activity focused on stealing airline information. The hackers sought to obtain passenger name records through custom DLLs, used to retrieve personal information directly from memory on the data processing systems.

According to experts, Chimera attacks begin with the collection of login credentials belonging to users or employees, information obtained from other security incidents. Once this information was in hand, the attackers ran credential-stuffing campaigns to gain access to the compromised accounts, and from there searched for logins granting access to corporate systems, VPN networks and other resources.

Once they gained access to an organization’s internal network, the malicious hackers used Cobalt Strike to move through it unnoticed, searching for IP addresses and details of airline users.

This attack variant requires great patience; reports mention that the hackers may have spent up to 3 years inside a network before being discovered. When they found the information of interest, the hackers sent it to cloud services such as OneDrive, Google or Dropbox, as traffic to these services would not be analyzed by the compromised networks.

On the motivations behind these attacks, experts mention that the cybercriminals seek as much detail as possible about people of interest, whether entrepreneurs, federal agents, politicians or even activists. An example of this is the campaign that the Chinese hacking group identified as APT41 deployed against multiple telecommunications companies, seeking greater control over the Uyghur minority and in some cases managing to track their movements outside China.

So far it is unknown how many users might have been affected by this campaign, although researchers believe it is still active.