A new report by NCC Group and its subsidiary Fox-IT details a reconnaissance campaign in which the threat actor breached airline servers to steal passenger data. The group, tracked as Chimera, is reportedly backed by the Chinese state. Stealing the data would help it track persons of interest.
Chinese Hackers Stealing Airline Passenger Data
A joint report by NCC Group and its subsidiary Fox-IT, published last week, details a roughly three-year reconnaissance campaign by a Chinese state-backed hacking group. Tracked as Chimera, the group was first publicly reported in 2020 for attacks on Taiwanese semiconductor companies.
Hacking semiconductor companies has an obvious motive, the theft of intellectual property, but attacking airlines for reconnaissance serves a purpose too. The report does not state Chimera's intentions, but it notes that passenger details let a threat actor track the movements of persons of interest.
The researchers said the group attacked airlines not only in Asia but in other regions as well, and they estimate it had been active for at least three years before it was first identified. Chimera gains access to an airline's network by compromising the credentials of any one of its employees.
To do so, the attackers search earlier data breaches for credentials belonging to the airline's staff, then test the likely candidates against its internet-facing login services with credential stuffing and password spraying; spraying in particular keeps the attempts per account low enough to avoid lockouts while covering many accounts. Once inside, the group looks for the systems that hold or process Passenger Name Record (PNR) data.
In practice this means the servers on which PNR data is processed, where it can be read straight out of memory. The attackers then exfiltrate the collected PNR data to consumer cloud storage services such as Dropbox or Google Drive, because traffic to these well-known, legitimate services is rarely blocked or inspected at the network perimeter.
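The two stages of this chain that a defender can actually observe are the password spray at the perimeter and the bulk upload to cloud storage on the way out. The following script is an added example written for this article, not code from the NCC Group / Fox-IT report or from the attackers' toolset. It runs two detections over constructed sample logs: the log formats, the thresholds, the IP addresses and hostnames, and the list of cloud-storage domains are all assumptions chosen to make the example self-contained.

```python
"""Two detections for the observable stages of the intrusion chain described
above: password spraying against an airline's internet-facing logins, and
bulk uploads to consumer cloud storage. Log formats, thresholds and the
domain list are assumptions for this example, not details from the report."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: <timestamp> <result> <username> <source ip>.
# 203.0.113.7 tries nine different accounts once each and then logs in as a
# tenth; 198.51.100.4 is one user mistyping a password, which is not a spray.
AUTH_LOG = """\
2021-01-18T08:00:01 FAIL alice 203.0.113.7
2021-01-18T08:00:03 FAIL bob 203.0.113.7
2021-01-18T08:00:05 FAIL carol 203.0.113.7
2021-01-18T08:00:07 FAIL dave 203.0.113.7
2021-01-18T08:00:09 FAIL erin 203.0.113.7
2021-01-18T08:00:11 FAIL frank 203.0.113.7
2021-01-18T08:00:13 FAIL grace 203.0.113.7
2021-01-18T08:00:15 FAIL heidi 203.0.113.7
2021-01-18T08:00:17 FAIL ivan 203.0.113.7
2021-01-18T08:00:19 SUCCESS judy 203.0.113.7
2021-01-18T08:01:00 FAIL alice 198.51.100.4
2021-01-18T08:01:30 FAIL alice 198.51.100.4
2021-01-18T08:02:00 SUCCESS alice 198.51.100.4
"""

# Constructed web-proxy log: <timestamp> <host> <destination> <method> <bytes sent>.
# srv-res-01 pushes 84 MiB to Dropbox late at night; the workstations are noise.
PROXY_LOG = """\
2021-01-18T22:10:01 srv-res-01 content.dropboxapi.com POST 31457280
2021-01-18T22:12:44 srv-res-01 content.dropboxapi.com POST 29360128
2021-01-18T22:15:09 srv-res-01 content.dropboxapi.com POST 27262976
2021-01-18T09:05:00 wks-0412 www.dropbox.com GET 4096
2021-01-18T09:05:30 wks-0412 content.dropboxapi.com POST 1048576
2021-01-18T10:00:00 wks-0777 www.googleapis.com POST 2048
"""

# Consumer cloud-storage domains to watch (assumed list for this example).
CLOUD_STORAGE_SUFFIXES = ("dropbox.com", "dropboxapi.com",
                          "drive.google.com", "onedrive.live.com")


def parse_auth_log(text):
    """Return a list of (timestamp, result, username, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that fail against at least `min_accounts` distinct
    accounts within any rolling `window`. A spray is many accounts with few
    attempts each, so the signal is breadth of accounts, not failure volume.
    Also report which accounts the same IP later logged into successfully."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "FAIL"]
        best = set()
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            succeeded = sorted({user for ts, result, user in evs if result == "SUCCESS"})
            findings[ip] = {"sprayed_accounts": len(best), "successful_logins": succeeded}
    return findings


def parse_proxy_log(text):
    """Return a list of (timestamp, host, destination, method, bytes_sent) tuples."""
    rows = []
    for line in text.splitlines():
        ts, host, dest, method, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), host, dest, method, int(nbytes)))
    return rows


def is_cloud_storage(domain):
    """Suffix match so sub-domains of the watched services count too."""
    return any(domain == s or domain.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def detect_cloud_exfil(rows, window=timedelta(hours=1), min_bytes=50 * 1024 ** 2):
    """Flag hosts that upload (POST/PUT) at least `min_bytes` to watched cloud
    storage within any rolling `window`. Returns {host: bytes in worst window}."""
    uploads = defaultdict(list)
    for ts, host, dest, method, nbytes in rows:
        if method in ("POST", "PUT") and is_cloud_storage(dest):
            uploads[host].append((ts, nbytes))
    findings = {}
    for host, evs in uploads.items():
        evs.sort()
        worst = 0
        for i, (start, _) in enumerate(evs):
            worst = max(worst, sum(n for ts, n in evs[i:] if ts - start <= window))
        if worst >= min_bytes:
            findings[host] = worst
    return findings


if __name__ == "__main__":
    print("password spray:", detect_password_spray(parse_auth_log(AUTH_LOG)))
    print("cloud exfil:", detect_cloud_exfil(parse_proxy_log(PROXY_LOG)))
```

The spray detector deliberately ignores the repeated failures from 198.51.100.4: three attempts on one account is a forgotten password, not reconnaissance, and alerting on it would bury the real signal. The exfiltration detector counts only upload methods, so ordinary browsing of the same services does not trigger it; in a real deployment the domain list and the byte threshold should be tuned per host role, since a server that processes reservations has no business uploading anything to Dropbox.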
From there the attackers can retrieve the records and use them to track their targets' travel, whoever those targets may be. Similar campaigns have previously been reported in which Chinese hackers targeted and tracked Uyghur Muslims.