The recent cyberattack on SITA, a major provider of air-travel IT solutions, and on a number of airlines including Air India has been linked to the Chinese state-sponsored threat actor APT41.
Airlines have been warned to comb through their networks for traces of the campaign, which may still be concealed within them. SITA is one of the leading global IT providers, serving nearly 90 percent of the world's airline industry.
According to a report by Group-IB analyst Nikita Rostovcev, "After Air India, it was evident the world’s national carriers are dealing with one of the biggest supply-chain attacks in the airline’s history. SITA’s data breach is estimated to have revealed data of 4.5 million passengers."
The Group-IB report further said, "The campaign's code name is ColunmTK. It was formed by combining the first two domains used for DNS tunneling in the attack."
APT41, the group behind the ColunmTK campaign, is also known as Wicked Panda, Wicked Spider, Winnti, and Barium. Active since 2007, APT41 is known for supply-chain attacks, cyber espionage, and financially motivated cybercrime.
The data breach at Air India involved customers' personal data, including names, dates of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent-flyer data, and credit card information.
However, security-related information such as customer passwords and CVV numbers was not stolen, as SITA did not handle that data.