APT Alert: Two Airports Hacked

Monday, June 23, 2014 @ 05:06 PM gHale

A prolonged operation to spy on aviation systems at 75 U.S. airports ended up caught via a cooperative investigation by the federal government, a state information-sharing organization and industry, but not before two victims succumbed to the campaign, a new report said.

First discovered in 2013, the federal government notified the Center for Internet Security (CIS), a nonprofit group that works closely with state and local governments, about an advanced persistent threat targeting four airports, CIS officials said.

Trojan Evolves Changes Strategies
New Trojan Targets Banks, For Now
New Trojan Starts from Scratch
Ransomware Infections Drop after Takedown

APTs use code of some sort that lurks in a network for as long as it takes to get the information the bad guys want or need.

In this case, the attackers sent targeted spear-phishing emails to aviation personnel that contained vulnerabilities difficult to detect and execute, CIS officials said.

CIS, which released the report Thursday, declined to comment on the suspected nation state.

After learning of the four potential victims, CIS officials obtained their network logs for the previous three weeks to see if their system activity exhibited any commonalities. The feds then informed CIS of eight more affected airports.

The organization used its proprietary monitoring technology to capture and analyze data provided by the affected entities. An alert went out to government and industry partners about similarities identified, including specific network locations, or IP addresses, domain names and email addresses the attackers were using to send malicious emails.

CIS determined the operation likely gained strength with the help of a public online document listing email addresses for the targeted airports. So, warnings that contained the hallmarks of the campaign went out to everyone named on the document, along with requests they search their systems for emails with those hallmarks.

After sharing findings with the potential victims, federal agencies and an aviation industry group, CIS determined 75 airports had received the infected messages. Most of the airports had not opened the emails, said Adnan Baykal, CIS vice president of services.

The airports in which systems ended up compromised were not close to each other, he said.

CIS officials said the airports cleaned all compromised systems.

This is yet another example that shows no one sector is free and clear of potential APTs.

Leave a Reply

You must be logged in to post a comment.