Airbus has confirmed a data breach that exposed confidential business information via a partner airline’s compromised account.
Threat intelligence firm Hudson Rock said the threat actor ‘USDoD’ compromised a Turkish Airlines employee’s account using the RedLine infostealer malware in August 2023. Infostealers of this kind harvest saved browser passwords and session cookies; a stolen cookie lets the attacker resume an already-authenticated session, so the multifactor authentication prompt is never triggered.
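A replayed session cookie leaves a trace that a login-focused control misses: the same session ID starts appearing from a new source IP or a new browser fingerprint with no fresh login in between. The following detection logic is an added example, not code from Hudson Rock, Airbus, or the original article. It assumes a hypothetical web-portal access log format (one event per line with `sid=`, `user=`, `ip=`, `ua=` and `action=` fields) and runs over constructed sample lines embedded in the block.

```python
"""Detect replay of stolen session cookies in web-portal access logs.

An infostealer exports the browser's session cookies, so the attacker
presents an already-authenticated session and never sees the MFA prompt.
The replay is still visible server-side: the session ID is used from a
context (IP, User-Agent) other than the one that authenticated it.

Log format and sample lines below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical portal log format (assumption, not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) ua=\"(?P<ua>[^\"]*)\" action=(?P<action>\S+)$"
)


@dataclass
class Alert:
    sid: str
    user: str
    ts: str
    reason: str


def parse(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_session_hijack(lines: List[str]) -> List[Alert]:
    """Flag session IDs used from a context other than the one that logged in.

    The first 'login' event for a session pins its (ip, user-agent) origin.
    Later events with a different origin are alerted on. A session that is
    used without any login in the window is also flagged, because a cookie
    exported by an infostealer is presented without re-authenticating.
    """
    origin: Dict[str, Tuple[str, str]] = {}
    alerts: List[Alert] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        sid = ev["sid"]
        if ev["action"] == "login":
            origin[sid] = (ev["ip"], ev["ua"])
            continue
        if sid not in origin:
            alerts.append(Alert(sid, ev["user"], ev["ts"],
                                "session used without a login in this log window"))
            origin[sid] = (ev["ip"], ev["ua"])  # pin so we alert once per context
            continue
        ip0, ua0 = origin[sid]
        changed = []
        if ev["ip"] != ip0:
            changed.append(f"ip {ip0}->{ev['ip']}")
        if ev["ua"] != ua0:
            changed.append("user-agent changed")
        if changed:
            alerts.append(Alert(sid, ev["user"], ev["ts"], "; ".join(changed)))
    return alerts


# Constructed sample: alice logs in from her workstation, then her cookie is
# replayed hours later from another network with a scripted client; bob's
# session has no login event at all in this window.
SAMPLE_LOG = """\
2023-08-14T08:02:11Z sid=s7f3a user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/116.0" action=login
2023-08-14T08:05:40Z sid=s7f3a user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/116.0" action=view_doc
2023-08-14T19:47:03Z sid=s7f3a user=alice ip=198.51.100.77 ua="python-requests/2.31.0" action=download
2023-08-14T19:47:09Z sid=s7f3a user=alice ip=198.51.100.77 ua="python-requests/2.31.0" action=download
2023-08-14T09:10:00Z sid=q91bc user=bob ip=203.0.113.22 ua="Mozilla/5.0 (Macintosh) Safari/605.1.15" action=view_doc
"""


if __name__ == "__main__":
    for a in detect_session_hijack(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.user} sid={a.sid}: {a.reason}")
```

The response to such an alert is to revoke the session server-side and force re-authentication; rotating the password alone does nothing while the stolen cookie remains valid. Binding sessions to a client fingerprint or shortening cookie lifetimes reduces the window in which an exported cookie is useful.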
Hudson Rock suggested that the Turkish airline employee infected their computer after downloading a “pirated version of the Microsoft .NET framework.”
The threat actor announced the airplane-themed data breach on the 22nd anniversary of the September 11 terrorist attacks and threatened “Lockheed Martin, Raytheon, and the entire defense” industry.
The hacker, who was also responsible for an FBI data leak, exposed the stolen data on the English-language hacking forum BreachForums shortly after joining the ransomware group ‘Ransomed.’
Hudson Rock identified the compromised account before the data breach
Describing the data breach as avoidable, Hudson Rock said it identified the compromised account the same day the infection occurred. Airbus has confirmed that the compromised account was the initial attack vector.
“Airbus’s CERT team was able to determine that the hack originated from the infected computer Hudson Rock identified,” the cybersecurity firm noted.
Airbus launched an investigation and found that the attacker used the compromised account to download confidential information from the Airbus web portal.
To contain the breach, Airbus immediately acted to prevent further abuse of the compromised account.
“Immediate remedial and follow-up measures were taken by our security teams to prevent our systems from being compromised,” Airbus said in a statement.
Hudson Rock has disclosed that the data breach leaked details of 3,200 employees and suppliers, including Thales and Rockwell Collins, exposing their names, addresses, phone numbers, and email addresses. Such data is enough to craft convincing spear-phishing lures, the usual precursor to business email compromise and account takeover attacks.
“Credentials obtained from infostealer infections, which have become the primary initial attack vector in recent years, provide threat actors with easy entry points into companies, facilitating data breaches and ransomware attacks,” Hudson Rock explained.
The threat intelligence firm noted that infostealer infections had surged by 6,000% since 2018, enabling attacks such as corporate espionage, ransomware, and account takeovers.
The threat actor behind the compromised account was also responsible for the FBI ‘InfraGard’ data breach that exposed 80,000 individuals. The individual posted the FBI data on the BreachForums hacking forum before the law enforcement agency seized the platform, prompting threat actors to migrate to other cybercrime sites, including a relaunched BreachForums.
Aerospace industries a target for threat actors
Although the Airbus data breach was an opportunistic attack, the aerospace industry is a popular target for financially-motivated and state-sponsored threat actors.
“As a major high-tech and industrial player, Airbus is also a target for malicious actors,” the planemaker said.
In 2019, suspected Chinese hackers targeted Airbus’ suppliers to steal trade secrets, including jet engine technology for a military transporter and a commercial plane. In the same year, the planemaker disclosed a security incident that exposed personal information of some of its European employees.
On September 7, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) also reported that multiple state-sponsored cyber actors had compromised an aerospace organization by exploiting CVE-2022-47966 in Zoho ManageEngine ServiceDesk Plus and CVE-2022-42475, a critical FortiOS SSL-VPN flaw. The attackers collected authentication credentials, created privileged accounts, and moved laterally within the organization.
Samantha Humphries, a Senior Director of International Security Strategy at Exabeam, advised organizations to consider supplier risk when developing their cybersecurity strategy: “Supply chain attacks are a breed of insider threat that all organisations need to be planning for, as they are often a much easier route for cybercriminals to penetrate or circumnavigate defences.”
The Airbus data breach will likely attract the attention of European data regulators.