A Chinese threat group known as Chimera has been targeting the airline industry with the intention of amassing passenger data and later using it to selectively monitor and track the movements of specific individuals.
The operations of Chimera have been tracked by cybersecurity organizations for some time, and experts suspect the threat actors behind Chimera of working in alignment with the interests of the Chinese state.
NCC Group and Fox-IT, the two companies that investigated the intrusions, said that the group's activity was broader than originally believed, extending to the airline sector in addition to the superconductor industry. This activity was not limited to Asia but spanned assorted geographical regions as well.
The companies further alleged that the actors were targeting these victims in order to gather Passenger Name Record (PNR) data. On further investigation, the companies observed that assorted custom DLL files were used repeatedly to extract PNR information from the memory structures where this data is normally held.
The report provided by NCC Group and its affiliate Fox-IT states that the actors' first step is to collect data such as user login credentials that have been leaked in the public domain or on the dark web following data breaches at other companies. This collected data is then used for 'credential stuffing' and 'password spraying' attacks against the personnel accounts of the target, such as email accounts.
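As an added example that is not part of this article or of the NCC Group / Fox-IT report, the following Python sketch shows the defender's side of the password-spraying technique mentioned above: a detector run over constructed authentication log lines that flags a source failing against many distinct accounts with only a few attempts each, the pattern that distinguishes spraying from brute force on a single account. The log format, the thresholds and the addresses are assumptions.

```python
# Added example (not from the article or the NCC Group / Fox-IT report): a
# defender-side detector for the password-spraying pattern the article names,
# run over constructed authentication log lines. The log format is assumed.
import re
from collections import defaultdict

# Constructed sample log: one source tries one password against many accounts
# (spraying); another is a single user mistyping their own password twice.
SAMPLE_LOG = """\
2021-01-12T08:00:01Z auth FAIL user=alice src=198.51.100.7
2021-01-12T08:00:03Z auth FAIL user=bob src=198.51.100.7
2021-01-12T08:00:05Z auth FAIL user=carol src=198.51.100.7
2021-01-12T08:00:07Z auth FAIL user=dave src=198.51.100.7
2021-01-12T08:00:09Z auth FAIL user=erin src=198.51.100.7
2021-01-12T08:00:11Z auth OK user=frank src=198.51.100.7
2021-01-12T08:01:00Z auth FAIL user=grace src=203.0.113.9
2021-01-12T08:01:04Z auth FAIL user=grace src=203.0.113.9
2021-01-12T08:01:09Z auth OK user=grace src=203.0.113.9
"""

# Assumed log line shape: "<timestamp> auth <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_auth_log(text):
    """Yield one dict per well-formed line; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def detect_password_spray(text, min_users=5, max_fail_per_user=2):
    """Flag sources that fail against >= min_users distinct accounts with at most
    max_fail_per_user failures each. Returns {src: {"users": [...], "later_success": [...]}}."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    successes = defaultdict(list)                   # src -> users that did log in
    for ev in parse_auth_log(text):
        if ev["result"] == "FAIL":
            fails[ev["src"]][ev["user"]] += 1
        else:
            successes[ev["src"]].append(ev["user"])
    findings = {}
    for src, per_user in fails.items():
        low_and_wide = [u for u, n in per_user.items() if n <= max_fail_per_user]
        if len(low_and_wide) >= min_users:
            # A success from the same source after the spray is the case to escalate first.
            findings[src] = {"users": sorted(low_and_wide),
                             "later_success": sorted(successes.get(src, []))}
    return findings
```

Calling `detect_password_spray(SAMPLE_LOG)` flags only 198.51.100.7 (five accounts, one failure each, followed by a successful login as frank); the repeated failures for grace from 203.0.113.9 are not reported because they concern a single account.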