The recent cyberattack on SITA, a major air travel software provider, and on a number of airlines including Air India has been linked to the Chinese state-sponsored threat actor APT41.

Airlines have been warned to comb through their networks for traces of the campaign, which may still be concealed within them. SITA is one of the leading global IT providers, serving nearly 90 percent of the world's airline industry.

The Air India attack lasted just 4 days short of 3 months, yet it took the threat actors only 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline's network. It was evident that the world's national carriers were dealing with one of the biggest supply-chain attacks in the airline industry's history. SITA's data breach is estimated to have exposed the data of 4.5 million passengers.

APT41 is also known as Wicked Panda, Wicked Spider, Winnti, and Barium. Active since 2007, APT41 is known for supply-chain attacks, cyber espionage, and financial cybercrime. This attack in particular was linked to the group through the first two domains used for DNS tunneling during the intrusion.

The data breach at Air India involved customers' personal data, including names, dates of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, and credit card information.

After disclosing the cyberattack, SITA revealed that Star Alliance and Oneworld member airlines were also affected, among them Finnair, Japan Airlines, Jeju Air, Lufthansa, Malaysia Airlines, Air New Zealand, Cathay Pacific, and Singapore Airlines.