Chinese hack group Chimera steals data from air passengers


According to reports of cybersecurity researchers, the Chinese hack group Chimera is stealing data from air passengers. The NCC Group and its subsidiary Fox-IT have published a joint report on the activity of Asian hackers.

For the first time, experts from the cybersecurity firm CyCraft spoke about this group last year, presenting their findings at the Black Hat 2020 conference.

As analysts from the NCC Group and Fox-IT, who tracked the hackers from October 2019 to April 2020, write, the group's activities were not limited to attacks on Taiwanese semiconductor manufacturers, as previously assumed. It turned out that the hackers were no less interested in the aviation industry, and not only in Asian countries. In some cases, the attackers successfully hid inside the networks of compromised companies for up to three years, avoiding detection.

While the attacks on the semiconductor industry were aimed at stealing intellectual property, the attacks on the aviation industry had a very different purpose: hackers stole the personal data of passengers (Passenger Name Records).

"The methods for obtaining PNR data differed and probably depended on the individual victim, but we observed the use of a number of custom DLLs designed to continuously fetch PNR data from the memory of systems where such information is usually processed, for example, from flight booking servers," says the report.

Typically, Chimera attacks began with a collection of credentials that had been leaked to the public as a result of various earlier breaches. This data was then used to carry out targeted attacks such as credential stuffing and password spraying.

That is, the attackers took a list of usernames and tried each of them with the same simple, easily guessed password, in the hope of finding a poorly protected account. In addition, the hackers abused the fact that many people reuse the same logins and passwords across different sites and services, so a password leaked from one service was tried against the target company's accounts.
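The pattern described above (one source trying many different accounts, each with a single password) is what a defender can look for in authentication logs. The following is an added detection example, not code from the NCC Group or Fox-IT report; the log format (`timestamp source_ip username FAIL|SUCCESS`) and the log lines themselves are constructed for illustration, and the window and threshold values are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the report):
# one line per login attempt: timestamp, source IP, username, result.
# 198.51.100.7 fails against five different accounts in seconds, then
# succeeds on a sixth: the shape of a password spray that found a weak account.
# 203.0.113.9 retries a single account: not a spray by this definition.
SAMPLE_LOG = """\
2020-03-01T08:00:01Z 198.51.100.7 alice FAIL
2020-03-01T08:00:03Z 198.51.100.7 bob FAIL
2020-03-01T08:00:05Z 198.51.100.7 carol FAIL
2020-03-01T08:00:07Z 198.51.100.7 dave FAIL
2020-03-01T08:00:09Z 198.51.100.7 erin FAIL
2020-03-01T08:00:11Z 198.51.100.7 frank SUCCESS
2020-03-01T08:05:00Z 203.0.113.9 alice FAIL
2020-03-01T08:05:30Z 203.0.113.9 alice FAIL
2020-03-01T08:06:00Z 203.0.113.9 alice SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (datetime, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failed logins hit >= min_users distinct accounts
    inside any sliding time window of length `window`.

    Returns {ip: {"distinct_failed_users": [...], "later_successes": [...]}}.
    The successes are reported because, after a spray, the accounts that
    did log in from the same source are the ones to investigate first.
    """
    events = defaultdict(list)  # ip -> [(timestamp, user, result), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        events[ip].append((ts, user, result))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        best = set()
        start = 0
        # Sliding window over the failures: advance `start` until the
        # window fits, then count distinct usernames inside it.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            successes = sorted({u for _, u, r in evs if r == "SUCCESS"})
            findings[ip] = {
                "distinct_failed_users": sorted(best),
                "later_successes": successes,
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG).items():
        print(ip, info)
```

Counting distinct usernames per source rather than failures per account is what separates a spray from an ordinary lockout-triggering brute force: the spray stays under per-account lockout thresholds by design, so a per-account rule never fires. Credential stuffing (leaked username and password pairs, each tried once) produces the same many-users-one-source signature and is caught by the same rule.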

"Such attacks by Chimera were aimed at specific employees of targeted companies in order to, for example, compromise their mail. Having penetrated into someone else's mailbox, hackers looked for data there that would help them gain access to corporate systems (Citrix, VPN, and so on)," say the Fox-IT researchers.

On the internal networks of the victim companies, the attackers took their time and usually deployed Cobalt Strike, which they used to move laterally across the network and compromise as many systems as possible. In this way, the attackers searched for IP addresses and information about passengers. The collected data was regularly uploaded to various cloud services, including OneDrive, Dropbox and Google Drive (such traffic is usually not considered suspicious and is not blocked).
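Because uploads to OneDrive, Dropbox and Google Drive are normal in most offices, blocking them outright is rarely an option; what a defender can do is compare each user's upload volume to those services against that user's own baseline. The following is an added example, not code from the report or from the services named; the proxy log format (`timestamp user destination_host method bytes_sent`), the log lines, the per-user baselines and the thresholds are all constructed or assumed for illustration.

```python
from collections import defaultdict

# Hostnames for the three services named in the report. Real deployments
# use many more hostnames per service; this set is illustrative only.
CLOUD_STORAGE_HOSTS = {"onedrive.live.com", "www.dropbox.com", "drive.google.com"}

# Constructed proxy log (not from the report): one line per request with
# the number of bytes the client sent. jsmith pushes ~220 MiB to two
# cloud services in a few minutes; the other two users upload small files.
SAMPLE_PROXY_LOG = """\
2020-03-02T10:00:00Z jsmith www.dropbox.com POST 52428800
2020-03-02T10:02:00Z jsmith www.dropbox.com POST 73400320
2020-03-02T10:05:00Z jsmith drive.google.com PUT 104857600
2020-03-02T10:07:00Z amiller www.dropbox.com POST 1048576
2020-03-02T10:09:00Z amiller example.com GET 512
2020-03-02T11:00:00Z bjones onedrive.live.com POST 2097152
"""

# Assumed typical daily upload volume per user, e.g. learned from the
# previous 30 days. bjones has no history yet.
BASELINE_BYTES = {
    "jsmith": 5 * 1024 * 1024,
    "amiller": 1 * 1024 * 1024,
}


def cloud_upload_bytes(log_text):
    """Sum bytes sent per user to known cloud-storage hosts via upload methods."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, method, sent = line.split()
        if host in CLOUD_STORAGE_HOSTS and method in ("POST", "PUT"):
            totals[user] += int(sent)
    return dict(totals)


def flag_bulk_uploads(log_text, baseline=BASELINE_BYTES, factor=10,
                      floor_bytes=100 * 1024 * 1024):
    """Return users whose cloud uploads exceed `factor` times their own
    baseline, or `floor_bytes` when no baseline exists, plus the totals.

    Both numbers are assumptions; the floor stops a brand-new user from
    being flagged on a single small upload, the factor catches the user
    whose volume is out of character even if it is modest in absolute terms.
    """
    flagged = {}
    for user, sent in cloud_upload_bytes(log_text).items():
        limit = baseline[user] * factor if user in baseline else floor_bytes
        if sent >= limit:
            flagged[user] = sent
    return flagged


if __name__ == "__main__":
    for user, sent in flag_bulk_uploads(SAMPLE_PROXY_LOG).items():
        print(f"{user}: {sent / (1024 * 1024):.1f} MiB uploaded to cloud storage")
```

Per-user baselines matter more than the absolute numbers here: an attacker operating from a compromised account over months, as the report describes, can stay below any fixed organisation-wide limit, but will still stand out against what that particular account normally sends. TLS inspection or CASB logs are needed to get `bytes_sent` per destination at all; plain DNS or firewall logs do not carry it.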

The experts' report does not specify which passengers the attackers were interested in first of all, nor what the ultimate goal of this large-scale campaign was. However, this is far from the first time that "government hackers" have attacked airlines, hotel chains and telecoms in order to obtain information that can be used to track the movements and contacts of specific individuals.

Let me remind you that Chinese hackers have been attacking US organizations and exploiting bugs in F5, Citrix and Microsoft Exchange.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
