The NCC Group and its subsidiary Fox-IT have published a joint report on the activities of the Chinese hacker group Chimera. The group was first described publicly last year by researchers from the cybersecurity firm CyCraft, who presented their findings at the Black Hat 2020 conference.
As the NCC Group and Fox-IT analysts, who tracked the group from October 2019 to April 2020, now write, Chimera's activity was not limited to attacks on Taiwanese semiconductor manufacturers, as previously assumed. The group turned out to be just as interested in the aviation industry, and not only in Asian countries. In some cases the attackers remained undetected inside compromised networks for up to three years.
Whereas the attacks on the semiconductor industry were aimed at stealing intellectual property, the attacks on the aviation industry had a very different purpose: the theft of passenger data, specifically Passenger Name Records (PNR), the booking records that tie a traveller's name to an itinerary and contact details.
“The methods for obtaining PNR data varied and probably depended on the individual victim, but we observed the use of a number of custom DLLs designed to continuously retrieve PNR data from the memory of systems where such information is usually processed, for example flight booking servers,” the report reads.
As a rule, Chimera's attacks began with trivial groundwork: collecting credentials that had leaked publicly in earlier breaches. These were then used in targeted credential stuffing and password spraying against the victim. In credential stuffing, the attackers replay leaked username/password pairs against the target's own services, exploiting the fact that many people reuse the same login and password across different sites and services. In password spraying, they try one simple, easily guessed password across a long list of usernames, hoping to find a poorly protected account while staying below the per-account lockout threshold that would stop a conventional brute-force attempt.
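The two techniques leave different traces in authentication logs, which matters for detection: a per-account lockout policy catches repeated failures against one user but is blind to one password tried once against each of a thousand users. The following is an added example, not code from the NCC Group / Fox-IT report, showing a detector that pivots on the source and a time window instead of the account. It runs over a constructed sample of events in an assumed `timestamp,src_ip,username,result` format; the log schema, the thresholds and the sample addresses are all assumptions.

```python
"""Detection sketch for password spraying vs. single-account brute force.

Added example, not from the NCC Group / Fox-IT report. It runs over a
constructed sample of authentication events in an assumed
'timestamp,src_ip,username,result' format (not any real product's log schema).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data). One spraying source tries one password
# against many accounts and lands on 'frank'; one source hammers a single
# account; one source is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2020-03-01T08:00:01,203.0.113.7,alice,FAIL
2020-03-01T08:00:03,203.0.113.7,bob,FAIL
2020-03-01T08:00:05,203.0.113.7,carol,FAIL
2020-03-01T08:00:07,203.0.113.7,dave,FAIL
2020-03-01T08:00:09,203.0.113.7,erin,FAIL
2020-03-01T08:00:11,203.0.113.7,frank,SUCCESS
2020-03-01T08:05:00,198.51.100.9,alice,FAIL
2020-03-01T08:05:30,198.51.100.9,alice,FAIL
2020-03-01T08:06:00,198.51.100.9,alice,FAIL
2020-03-01T09:00:00,192.0.2.44,grace,FAIL
2020-03-01T09:30:00,192.0.2.44,grace,SUCCESS
"""

WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the assumed CSV-like format into sorted (ts, src_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), src, user, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_spraying(events, window=WINDOW, min_users=5, max_fails_per_user=2.0):
    """Flag sources that fail against many distinct accounts with few tries each.

    Spraying is built to stay under per-account lockout thresholds, so the
    pivot is the source and the time window, not the account. Any success from
    the same source inside the window is reported as a likely compromised account.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        for i in range(len(evs)):
            t0 = evs[i][0]
            fails = defaultdict(int)
            successes = set()
            for ts, _, user, result in evs[i:]:
                if ts - t0 > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
                else:
                    successes.add(user)
            total = sum(fails.values())
            if len(fails) >= max(min_users, 1) and total / len(fails) <= max_fails_per_user:
                alerts.append({
                    "src_ip": src,
                    "window_start": t0.isoformat(),
                    "distinct_users": len(fails),
                    "failures": total,
                    "successes": sorted(successes),
                })
                break  # one alert per source is enough for triage
    return alerts


def detect_brute_force(events, window=WINDOW, min_fails=3):
    """The per-account pattern a lockout policy already catches; shown for contrast."""
    by_key = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_key[(src, user)].append(ts)
    hits = []
    for (src, user), times in by_key.items():
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= min_fails:
                hits.append((src, user, n))
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_spraying(evs):
        print("password spraying:", alert)
    for hit in detect_brute_force(evs):
        print("single-account brute force:", hit)
```

On the sample, the spraying detector fires only for 203.0.113.7 and names `frank` as the account that let the attacker in, while the per-account check fires only for the 198.51.100.9 / alice pair. Neither rule on its own covers the other case, which is the practical point: lockout-based alerting alone leaves spraying invisible. Real spraying is often spread over many source addresses and longer windows, so production rules typically also group by user-agent or by the set of targeted accounts rather than by a single IP.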
Chimera's attacks targeted specific employees of the victim companies, for example to compromise their mailboxes. Once inside someone's mailbox, the hackers searched it for information that would help them gain access to corporate systems (Citrix, VPN, and so on).
Once on a victim's internal network, the attackers took their time and usually deployed Cobalt Strike, which they used for lateral movement and to compromise as many systems as possible. In this way they hunted for intellectual property and passenger data. The collected data was regularly uploaded to cloud services, including OneDrive, Dropbox and Google Drive; traffic to such services rarely looks suspicious and is usually not blocked.
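Because uploads to OneDrive, Dropbox or Google Drive are normally allowed, the practical control is not a block but a baseline: how much a given host sends to such services compared with its peers. The following is an added example, not code from the NCC Group / Fox-IT report, that scores daily upload volume per host from proxy logs. It works on constructed records in an assumed `date,src_host,dest_domain,bytes_out` format and a small illustrative domain watchlist; the schema, the watchlist, the host names and the thresholds are all assumptions.

```python
"""Egress-volume check for uploads to consumer cloud storage.

Added example, not part of the NCC Group / Fox-IT report. It works on
constructed proxy-log records in an assumed 'date,src_host,dest_domain,bytes_out'
format and uses a small illustrative domain watchlist; both are assumptions.
"""
from collections import defaultdict
from statistics import median

# Illustrative watchlist (assumption for this example). A real deployment
# would use the proxy's maintained URL categories rather than a hand-kept list.
STORAGE_DOMAINS = ("dropbox.com", "onedrive.live.com", "drive.google.com")

# Constructed sample (not real data): three workstations with ordinary sync
# traffic and one pushing hundreds of megabytes in a single day. The large
# transfer to backup.example.com is deliberately outside the watchlist.
SAMPLE_PROXY_LOG = """\
2020-03-02,ws-011,drive.google.com,2400000
2020-03-02,ws-011,www.example.com,50000
2020-03-02,ws-023,api.dropbox.com,3100000
2020-03-02,ws-047,onedrive.live.com,1800000
2020-03-02,ws-090,api.dropbox.com,120000000
2020-03-02,ws-090,onedrive.live.com,300000000
2020-03-02,ws-090,backup.example.com,500000000
"""


def is_storage_domain(domain):
    """Match the domain itself or any subdomain of a watchlisted domain."""
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in STORAGE_DOMAINS)


def parse_proxy_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, domain, bytes_out = line.split(",")
        records.append((date, host, domain, int(bytes_out)))
    return records


def upload_totals(records):
    """Bytes sent per (date, host) to watchlisted storage domains only."""
    totals = defaultdict(int)
    for date, host, domain, bytes_out in records:
        if is_storage_domain(domain):
            totals[(date, host)] += bytes_out
    return dict(totals)


def flag_exfil(totals, floor_bytes=50_000_000, ratio=10.0):
    """Flag hosts whose daily upload volume is both large in absolute terms and
    far above the median of their peers that day. The absolute floor stops a
    quiet fleet from producing alerts over a few megabytes of normal sync."""
    by_date = defaultdict(dict)
    for (date, host), n in totals.items():
        by_date[date][host] = n
    flagged = []
    for date, hosts in sorted(by_date.items()):
        peer_median = median(hosts.values())
        for host, n in sorted(hosts.items()):
            if n >= floor_bytes and n >= ratio * peer_median:
                flagged.append((date, host, n))
    return flagged


if __name__ == "__main__":
    totals = upload_totals(parse_proxy_log(SAMPLE_PROXY_LOG))
    for date, host, n in flag_exfil(totals):
        print(f"{date} {host}: {n / 1_000_000:.0f} MB to cloud storage")
```

On the sample, only ws-090 is flagged (420 MB against a peer median under 3 MB). The check sees volume only: it cannot tell the company's own OneDrive tenant from an attacker-controlled personal account, which needs TLS inspection or a CASB that sees the account being used. It also needs a per-host baseline over time rather than a single-day peer comparison before it is quiet enough to run in production, since a legitimate bulk upload by one user looks the same on one day's numbers.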
The report does not specify which passengers the attackers were most interested in, nor what the ultimate goal of this large-scale campaign was. However, this is far from the first time that state-sponsored hackers have attacked airlines, hotel chains and telecoms to obtain information that can be used to track the movements and contacts of specific individuals.