Airlines and the airport industry in general are highly lucrative targets for APT groups; they are rife with information that other countries would find useful. NETSCOUT data from 2019 shows airport and airline targeting remains strong and steady, with Russian, Chinese, and Iranian APT groups attempting access. Not only do we see state-sponsored threats targeting the industry, we also see a large amount of DDoS attacks, which we’ll cover in a follow-up blog (Part 2).
• Airlines and airports are targeted by APT actors regularly as they possess a wealth of information on people, logistics, business, and intellectual property.
• Airlines and airports are critical infrastructure entities with security concerns that extend far beyond physical security of passengers.
• Substantial theft by APT groups has already occurred; the information now in the hands of adversarial states is concerning.
Airline Industry Targeting
Airlines and airports are targeted by APT actors regularly, although it’s usually the intellectual property theft from airplane manufacturers that gets the most attention. There are many reasons why the airline industry or airports themselves would be targets of APT:
- Logistics of Things: State governments have a vested interest in learning what is being delivered to neighboring and/or adversary states. Military logistics, government-contracted companies, and private businesses will use airports to move supplies all over the world, to allies, military bases, embassies, or to private businesses. State governments would be very interested to learn the contents and destinations of those deliveries. For example, infantry troops are not usually the first thing to show up in a military engagement or peacekeeping mission. Generally, infrastructure such as tents, supplies such as toilet paper, and communications equipment precede. If a country were to see those types of items with a shipment destination along their contested border, that would be of concern.
- Logistics of Passengers: Much like the logistics of things, intelligence gathering states have a high interest in where people are going, especially VIP-types such as government officials, industry leaders, or specialty subject matter experts. Additionally, tracking of journalists, activists, dissidents, or expatriates would be also be an intelligence gathering objective for many countries. Leaked Iranian strategy documents prioritized tracking its own citizens both inside and outside of Iran and using airlines to further that goal.
- The Information of Passengers: The Chinese APT group that hacked both the US Office of Personnel Management (OPM) and various insurance companies, also were implicated in airline hacks around the same time that targeted passenger information. Combining the data obtained from all three victims would result in a robust intelligence database, essential for tracking or finding people of interest. The Iranian leaked documents expressed a desire to identify suspicious, but unknown passengers on specific flight paths. More insidious is the idea that with enough personal information about someone (name, address, phone, ID numbers, passport picture) duplicate identities could be created for the purposes of clandestine movement around the globe, providing cover for espionage activities.
- Business Information: In the world of business there are mergers and acquisitions, and the aviation industry is no different. State governments have long used APT actors to obtain confidential business information on an acquisition target and used that information to their advantage in business negotiations as well as hostile takeovers. China in particular has been aggressively pursuing airport investment opportunities on foreign soil. The Chinese APT hackers responsible for the aforementioned OPM hack (#3) also reportedly stole information on the airlines’ mergers and acquisition strategy.
- Intellectual Property: There is still intellectual property available, even when the airplane components aren’t being targeted. One trend that has been emerging over the past few years is that the Chinese (undoubtedly the frontrunner of intellectual property theft) who have already stolen airplane schematics and subsequently crafted their own versions, now require information on how to actually use those planes at scale. Additionally, Iran’s Chafer heavily targets airlines, in a possible attempt to improve their own safety posture. Information theft seen in the past few years has included policy and regulation documents on safe and efficient airport operations, air traffic control procedures, and administrative details such as the tracking of cargo. Training documents are also stolen often, everything from pilot to safety training.
- Smuggling: By understanding the inner workings of an airline or airport, one could plan large-scale, continuous smuggling operations. Countries might be interested in this to get around sanctions, build a weapons program, or to support its economy. For decades, the DPRK government has used everything from embassies and diplomats to front companies and organized crime rings to participate in trafficking drugs and counterfeit money into host countries, to undermine its enemies. The trafficking has the additional benefit of keeping the DPRK economy afloat, so gemstones and endangered species from the African continent are often seen as well. Conversely, there is a market within the DPRK for luxury items and technology that could be used to make weapons systems.
- Sabotage, Destruction, & Terrorism: While terrifying to consider, APT groups have a history with hacks that could cause work stoppages, total loss of data or worse—human lives. Many countries have developed and deployed destructive malware and hackers themselves have been more willing to engage in destructive attacks. Sometimes the destruction is the point, such as DPRK’s attack on Sony or Iran’s attack on Saudi Aramco. However, sometimes the destruction is accidental, the result of the adversary sparring on network against incident response or even fighting for ownership with another APT group. Regardless, the result can be devastating. Targeted attacks as well as more indiscriminate ransomware can cripple an airline or an entire airport, leaving costly damage and stranded people.
How to Protect Yourself
- Protecting Yourself from Risk: Ideally, prevention is best. But when that fails, catching the intruder as early as possible will limit the damage from the compromise.
- Prevention: Most APT attacks continue to utilize phishing. It is quick and easy, with a low barrier to entry. Most APT attacks save their fancy expensive tools for when they are on network. As a result, the biggest effect an organization can have against compromise is strengthening the employees. Thorough training of staff against phishing, social engineering (especially on places like LinkedIn), and even physical access (removable media, unlocked server room) awareness would be impactful.
- Blocking: Blocking macros from running, is one example of stopping the attack from continuing. Additionally, having solid information security products in place will hopefully catch a program doing something it shouldn’t (the malware installation) or block activity to a known bad domain (malware communication). NETSCOUT monitors APT infrastructure closely and blocks malicious domains and IPs for customers.
- Limit the Damage: Additionally, segregate networks so if hackers get in via airport administration’s email, it doesn’t affect the computers used by air traffic control. Public wifi, retail/point-of-sale systems, airport/airline administration, and air traffic control are examples of things that should not share a network.
- Have a Plan: Every airport and every airline should have an incident response plan and staff that have read it. Time is of the essence and knowing when to call infosec professionals, lawyers, and/or the CEO will be critical.
The world relies on air transportation and that need continues to grow even as newer, larger aircraft are made and put into circulation. The need for air travel is even greater for VIPs that must get from point A to B quickly. The dependence on this form of travel and the heightened interest from APT actors poses a significant threat that must be taken seriously. No matter the reason for the targeting, the adversary often uses very similar tactics to acquire information in varying forms and thus following some of the best practices laid out above, organizations can evaluate their own security posture to ensure they are taking proactive steps to mitigate the threat to their customers, intellectual property, and their infrastructure. We’ll see in a follow-up report that APT are not the only interested parties that target this industry, but that DDoS is a very real threat to be taken seriously.