Last month, Air India disclosed a data breach leaking data of 45 lakh users from around the world. A cybersecurity firm is now claiming that Chinese government sponsored hackers were behind the massive Air India data breach.
The information regarding a data breach had first surfaced in March, but the extent of the damage was then unknown. The national airline said that the data processor for its Passenger Service System (PSS), SITA, informed it of the breach on 25th February, 2021. However, SITA only clarified the identity of the affected data subjects on 24th March, 2021 and 5th April, 2021. The breach involved personal data registered between 26th August, 2011 and 3rd February, 2021.
The leaked details included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, as well as credit card data.
Group-IB is a Singapore-based global threat hunting and adversary-centric cyber intelligence company. In a blog, the firm says:
Using its external threat hunting tools, Group-IB’s Threat Intelligence team attributed the Air India incident with moderate confidence to the Chinese nation-state threat actor known as APT41. The campaign was codenamed ColunmTK.
It further says that the attack on Air India lasted for at least 2 months and 26 days.
The firm also suggests that the data breach could be part of a wider campaign to snoop on the airline industry, with the attack on SITA being the beginning of that campaign. However, it adds that although there have been further breaches at Singapore Airlines and Finnair, it doesn’t yet have enough evidence to confirm a large-scale supply chain compromise.
The FBI, in September 2020, had listed the APT41 group, also known as BARIUM, on its Cyber Most Wanted List. A Grand Jury in the District of Columbia in 2019 had indicted five Chinese nationals associated with the group, namely Zhang Haoran and Tan Dailin, on charges including unauthorized access to protected computers, aggravated identity theft, money laundering, and wire fraud.
Once again, in 2020, a Grand Jury in the District of Columbia returned an indictment against more Chinese nationals, namely Qian Chuan, Fu Qiang, and Jiang Lizhi, on charges of racketeering, money laundering, fraud, identity theft, and access device fraud.
The group allegedly conducted supply chain attacks to gain unauthorized access to networks throughout the world. It targeted hundreds of companies in sectors including social media, telecommunications, government, defence, education, and manufacturing. These targets were spread across multiple countries, including Australia, Brazil, Germany, India, Japan, the United States, and Malaysia. The group also allegedly deployed ransomware and demanded payments from victims.
Relation between APT41 and the Air India data breach
Group-IB claims that the APT41 group is known for stealing digital certificates for use in its cyber espionage operations. It says that the attackers in the SITA breach were using a digital (SSL) certificate, and that this certificate was only detected on five host servers. Microsoft had previously identified the IP address of one of those servers as one used by APT41.
Group-IB also points out that the malware used in the attack operated in a similar way to previous APT41 spy tools, including the files used to establish persistent access to the victim network.
“Group-IB researchers believe with moderate confidence that the ColunmTK campaign was carried out by APT41, a prolific Chinese-speaking nation-state threat actor. APT41, also known as WICKED SPIDER (PANDA), Winnti Umbrella, and BARIUM, is believed to have been engaging in state-sponsored espionage in China’s interests as well as committing financially motivated cybercrimes. According to Group-IB’s Threat Intelligence & Attribution system, the threat actor has been active since at least 2007.”
You can read Group-IB’s full research here.
One cybersecurity industry executive whose company had researched APT41 operations spoke to Forbes and said he believed the report was not accurate. However, a Senior Director of cyber intelligence at SecureWorks said that what was in the report appeared to be Chinese in origin and could “easily align with an APT41 intrusion.”
This is not the first time an attack on an Indian entity has been attributed to China. Earlier this year, a study had attributed the Mumbai blackouts to China-sponsored hackers.
Update (16th June, 2021, 02:53 p.m.): After publication of this article, SITA PSS clarified to My Lawrd that the attacks on SITA and Air India are unrelated and are separate incidents. You can read the clarification here.