A hacking group suspected of being made up of Chinese hackers, which has been targeting and attacking the airline industry for a couple of years now, has once again emerged with the aim of stealing passengers' private information and data.
Tech news and updates website ZDNet has reported that the hacking group's moves are intended to track and follow the actions, as well as the movements and whereabouts, of the targeted airlines' passengers, who could be described as vital 'persons of interest.'
Cyber Attacks by 'Chimera'
The attacks carried out by the suspected Chinese hacking group have been tracked and eventually linked to the group codenamed "Chimera", which is speculated to be behind the attacks.
Big companies such as NCC Group and Fox-IT were reported to have been monitoring the moves of the same threat actor through their own incident response engagements and investigations, which ran from October 2019 until April 2020. They also mentioned that the attacks targeted semiconductor companies as well as airlines located in various geographical regions.
For the semiconductor companies, the two firms claimed that the intrusions were intended for intellectual property theft. For the airline industry, however, the wave of cyber attacks served a different purpose, which remained undisclosed at the time. Today, the theft of Passenger Name Records (PNR) is considered the primary reason for the attacks. This still remains unconfirmed, but the evidence suggests it is the most likely main agenda.
CyCraft Technology has published a PDF report, as well as a Black Hat presentation, showing that the Chinese group of hackers has been conducting its operations over a long period in service of the ulterior interests and motives of the Chinese state. One of these was a series of attacks labeled as 'coordinated' and inflicted upon the superconductor industry of Taiwan.
The Hackers' Modus Operandi
The report compiled by NCC Group and Fox-IT illustrates what appears to be the modus operandi of the group. It usually starts with the collection of user login credentials that have been leaked into the public domain as a result of data breaches at other companies.
The data obtained by the hackers is then used to run password spray attacks against the email accounts of the target company's employees. After gaining access, the Chimera operators proceed to search for the credentials required to log in to the company's internal systems, such as VPN appliances.
Once they reach the desired internal networks, the attackers move on to Cobalt Strike, the "adversary emulation" framework they use to move through the internal systems in search of IP and passenger information.
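As an added defender-side illustration (not code from the article, ZDNet, NCC Group, Fox-IT or CyCraft), the following Python script shows how the password-spray stage described above can be spotted in authentication logs: a spray shows up as one source address failing against many distinct accounts inside a short window, which a per-account lockout threshold never notices because each account sees only one or two failures. The log line format, the sample lines, the addresses, usernames and thresholds are all constructed for the example.

```python
"""Password-spray detection over constructed authentication log lines.

A spray is one source touching many accounts with few attempts each, so the
detector keys on distinct usernames per source within a sliding time window,
not on failures per account. Any successful login from the same source after
the spray began is reported as a likely compromised account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): timestamp, result, user, source IP.
SAMPLE_LOG = """\
2020-03-01T02:00:01Z FAIL alice 203.0.113.7
2020-03-01T02:00:04Z FAIL bob 203.0.113.7
2020-03-01T02:00:09Z FAIL carol 203.0.113.7
2020-03-01T02:00:15Z FAIL dave 203.0.113.7
2020-03-01T02:00:20Z FAIL erin 203.0.113.7
2020-03-01T02:00:26Z FAIL frank 203.0.113.7
2020-03-01T02:00:31Z OK grace 203.0.113.7
2020-03-01T02:01:00Z FAIL alice 198.51.100.9
2020-03-01T02:01:05Z FAIL alice 198.51.100.9
2020-03-01T02:01:10Z FAIL alice 198.51.100.9
2020-03-01T02:01:15Z OK alice 198.51.100.9
2020-03-01T09:00:00Z OK bob 192.0.2.44
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return one alert per source IP whose failures, within any `window`,
    touch at least `min_users` distinct accounts.

    A single-account brute force (198.51.100.9 above: many failures, one user)
    is deliberately not matched; it is a different signal handled by lockouts.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        best = (0, None)  # (distinct users in best window, window start time)
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the window fits in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {e[2] for e in fails[start:end + 1]}
            if len(users) > best[0]:
                best = (len(users), fails[start][0])
        if best[0] >= min_users:
            since = best[1]
            # Successful logins from the spraying source after the spray began
            # are the accounts to reset and investigate first.
            successes = sorted({e[2] for e in evs if e[1] == "OK" and e[0] >= since})
            alerts.append({"ip": ip, "distinct_users": best[0], "successes": successes})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(f"spray from {alert['ip']}: {alert['distinct_users']} accounts tried, "
              f"successful logins afterwards: {alert['successes'] or 'none'}")
```

The thresholds are a starting point, not a standard: `min_users` should sit above the number of distinct accounts a legitimate shared egress address (a NAT gateway, a VPN concentrator) produces in failed logins during a normal window, and the same logic runs unchanged against real SSO or mail-gateway logs once `parse_line` is adapted to their format.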