Cybercrime Activities at a Glance
The Aviation industry is a critical, strategic, and economically important sector for any nation. The pandemic-struck industry has started showing signs of gradual recovery after two years of volatility; however, a return to pre-COVID global travel figures still looks unlikely before mid-2023. Amid the disruption, the Aviation industry accelerated its adoption of technology to reduce dependence on manual processes, but that shift brought cybersecurity challenges with it. The Cyber Research Labs consistently investigates the cybersecurity risks affecting the resilience of the Aviation industry.
Expanding Attack Surface of the Aviation Industry
The growth in cyberattacks on the Civil Aviation sector can be attributed to the following factors:
- Large-scale adoption of Industry 4.0 technologies after the pandemic to optimize business operations has amplified the challenges.
- Expansion of airport infrastructure to increase capacity and service quality has magnified cybersecurity governance challenges.
- Increased data gathering and data management for operational profitability make the sector a lucrative target for cybercriminals seeking personal information.
- The Travel industry, on which the Aviation industry depends, relies on vulnerable software and platforms and often follows poor cybersecurity practices.
- Technological advances in aircraft and increased dependence on Information and Communication Technology (ICT), Supervisory Control and Data Acquisition (SCADA), and Industrial Control Systems (ICS) to improve operational efficiency widen the attack surface.
- Legacy IT infrastructure, outdated encryption technologies, and weak data management procedures further aggravate the risks.
- Threat Actors (TAs) are gaining an edge through easy access to attack tooling and better anonymity techniques.
- Scarcity of skilled and experienced cybersecurity staff and budgets, insider threats, and a weak security mindset compound the problem.
Types of Cyberattacks Impacting the Aviation Industry
The most common methods cybercriminals use to monetize fraud against the Aviation industry are:
Use of Compromised/Stolen Payment Cards
Our research revealed numerous sellers on cybercrime marketplaces offering stolen payment (credit/debit) card data to fraudsters at low prices. Cybercriminals then use the compromised card details to book fraudulent flight tickets on certain websites. This method is known among cybercriminals as carding.
The following figure shows a post on a carding forum in which the threat actor shared a method for booking a flight ticket on a major US-based online travel booking website using compromised payment cards from specific Bank Identification Numbers (BINs) for which no additional verification is requested at checkout.
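The carding method above works because the fraudster picks cards whose issuers will not prompt for a second factor, so the merchant has to make that decision itself. The following booking screen is an added example written for this page (not code from the forum post or from any booking site): it scores a card-not-present booking on signals the merchant already has, such as BIN country versus billing and session country, whether the cardholder is travelling, lead time, and card velocity per device, and sets the 3-D Secure challenge preference from that score instead of deferring to the issuer. The BIN table, the booking records, and the thresholds are constructed for illustration; real BIN data comes from acquirer or card-network feeds.

```python
from dataclasses import dataclass
import re

# Hypothetical BIN lookup table, constructed for this example. Real BIN ranges
# and issuer behaviour come from acquirer or card-network feeds, not from here.
BIN_TABLE = {
    "411111": {"scheme": "visa", "country": "US"},
    "455555": {"scheme": "visa", "country": "GB"},
    "530000": {"scheme": "mastercard", "country": "BR"},
}


@dataclass
class Booking:
    card_bin: str                  # first six digits of the PAN; never retain the full PAN here
    cardholder_name: str
    passenger_names: list
    billing_country: str           # ISO 3166-1 alpha-2 from the billing address
    ip_country: str                # geolocation of the booking session
    hours_to_departure: float
    cards_seen_on_device_24h: int  # distinct PANs tried from this device fingerprint


def _norm(name):
    """Lower-case, strip punctuation and collapse whitespace for name comparison."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def screen_booking(b, bin_table=BIN_TABLE):
    """Score a card-not-present flight booking and decide how to handle it.

    The merchant sets the 3-D Secure challenge preference itself rather than
    relying on the issuer to prompt for a second factor, which is exactly the
    gap carders exploit by choosing BINs that are not challenged.
    """
    score = 0
    reasons = []

    def flag(points, reason):
        nonlocal score
        score += points
        reasons.append(reason)

    info = bin_table.get(b.card_bin)
    if info is None:
        flag(2, "unknown BIN")
    else:
        if info["country"] != b.billing_country:
            flag(3, "BIN country differs from billing country")
        if info["country"] != b.ip_country:
            flag(2, "BIN country differs from session IP country")
    if _norm(b.cardholder_name) not in {_norm(p) for p in b.passenger_names}:
        flag(2, "cardholder is not a passenger")
    if b.hours_to_departure < 24:
        flag(2, "departure within 24 hours")
    if b.cards_seen_on_device_24h >= 3:
        flag(4, "multiple cards from one device in 24h")

    if score >= 8:
        action, indicator = "reject", "not_submitted"
    elif score >= 2:
        # Anything that looks off is only processed after a 3DS challenge.
        action, indicator = "challenge", "challenge_requested"
    else:
        # A frictionless 3DS flow is acceptable only when nothing looks off.
        action, indicator = "accept", "no_preference"
    return {"action": action, "score": score, "reasons": reasons,
            "three_ds_challenge_indicator": indicator}


# Constructed bookings (sample data, not real transactions).
LEGITIMATE = Booking("455555", "Jane Smith", ["Jane Smith", "Tom Smith"], "GB", "GB", 240, 1)
CARDED = Booking("411111", "John Doe", ["Alex Mule"], "US", "RO", 6, 4)
UNUSUAL = Booking("530000", "Ana Souza", ["Ana Souza"], "BR", "US", 72, 1)

if __name__ == "__main__":
    for name, booking in [("legitimate", LEGITIMATE), ("carded", CARDED), ("unusual", UNUSUAL)]:
        print(name, screen_booking(booking))
```

The point of the score is not the weights, which any real deployment tunes from its own chargeback data, but that the step-up decision is made on the merchant side and that the rejected case would never reach the issuer at all.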
Compromised Loyalty Program Accounts
Loyalty reward programs are among the most widely used marketing tools adopted by airlines worldwide to attract and retain customers. Fraudsters look for ways to take over such accounts and then convert the reward points into money. TAs employ credential stuffing (replaying username and password pairs leaked from other breaches) and brute-force attacks, followed by social engineering, to take over loyalty program accounts.
We identified several such sellers on English-language cybercrime forums offering compromised accounts with reward point balances.
Once TAs take over an account, they redeem the loyalty reward points to book air travel tickets on partner websites.
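Credential stuffing leaves a recognisable trace at the login endpoint: one source tries many different accounts roughly once each, most attempts fail, and the few that succeed are the accounts that will be drained. The following detector is an added example written for this page (not code from any airline or from the research described above). It runs over a constructed sample of login events, separates stuffing from ordinary single-account brute force, and lists the accounts that need a forced reset and a hold on redemptions rather than merely an IP block. The log format, the IP addresses, the usernames, and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events from a loyalty-programme login endpoint
# (sample data, not real logs): "timestamp source_ip username result".
SAMPLE_LOG = """\
2022-09-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2022-09-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2022-09-01T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2022-09-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2022-09-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2022-09-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2022-09-01T10:00:04Z 203.0.113.7 grace@example.com FAIL
2022-09-01T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2022-09-01T10:00:05Z 203.0.113.7 ivan@example.com SUCCESS
2022-09-01T10:00:06Z 203.0.113.7 judy@example.com FAIL
2022-09-01T10:01:00Z 198.51.100.9 mallory@example.com FAIL
2022-09-01T10:01:01Z 198.51.100.9 mallory@example.com FAIL
2022-09-01T10:01:02Z 198.51.100.9 mallory@example.com FAIL
2022-09-01T10:01:03Z 198.51.100.9 mallory@example.com FAIL
2022-09-01T10:01:04Z 198.51.100.9 mallory@example.com FAIL
2022-09-01T10:05:00Z 192.0.2.44 trent@example.com FAIL
2022-09-01T10:05:30Z 192.0.2.44 trent@example.com SUCCESS
"""


def parse_events(text):
    """Turn the log text into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user.lower(), "ok": result == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])


def _summarise(window):
    """Per-window counters that distinguish stuffing from brute force."""
    per_user = defaultdict(int)
    for e in window:
        per_user[e["user"]] += 1
    successes = [e["user"] for e in window if e["ok"]]
    return {"attempts": len(window),
            "distinct_users": len(per_user),
            "failures": len(window) - len(successes),
            "max_per_user": max(per_user.values()),
            "succeeded_users": sorted(set(successes))}


def classify_sources(events, window=timedelta(minutes=5), min_accounts=8, min_attempts=5):
    """Classify each source IP by its busiest window of login attempts.

    Credential stuffing: many distinct accounts, about one attempt each, mostly
    failing. Brute force: many attempts against one or two accounts.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        best = None
        for i, start in enumerate(evs):
            stats = _summarise([e for e in evs[i:] if e["ts"] - start["ts"] <= window])
            if best is None or stats["attempts"] > best["attempts"]:
                best = stats
        fail_rate = best["failures"] / best["attempts"]
        if (best["distinct_users"] >= min_accounts
                and best["attempts"] / best["distinct_users"] < 2
                and fail_rate >= 0.5):
            verdict = "credential_stuffing"
        elif best["attempts"] >= min_attempts and best["distinct_users"] <= 2 and fail_rate >= 0.8:
            verdict = "brute_force"
        else:
            verdict = "benign"
        verdicts[ip] = dict(best, verdict=verdict, failure_rate=round(fail_rate, 2))
    return verdicts


def accounts_to_protect(verdicts):
    """Accounts that logged in successfully from a stuffing source: these need a
    forced password reset and a hold on point redemptions, not just an IP block."""
    hit = set()
    for v in verdicts.values():
        if v["verdict"] == "credential_stuffing":
            hit.update(v["succeeded_users"])
    return sorted(hit)


if __name__ == "__main__":
    verdicts = classify_sources(parse_events(SAMPLE_LOG))
    for ip, v in verdicts.items():
        print(ip, v["verdict"], v["attempts"], "attempts over", v["distinct_users"], "accounts")
    print("protect:", accounts_to_protect(verdicts))
```

In practice the per-source key should be the device fingerprint or ASN as well as the IP, since stuffing tools rotate through proxy pools precisely to stay under per-IP thresholds, and the successful logins matter more than the failures: a successful login followed within minutes by a redemption or an email change is the takeover itself.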
Fraudulent Flight Booking Services in Cybercrime Forums
Another common way TAs monetize reward points is by offering illicit air travel booking services on cybercrime forums at relatively low prices, paid in cryptocurrency.
A recent search of a cybercrime forum known for fraudulent activity revealed a number of sellers offering to book flight tickets in the Americas, Asia, Europe, and the Middle East at prices well below the airlines' rates. In the following screenshot, one of the TAs claims to use "miles" (i.e., loyalty reward points) for the bookings.
Compromised Corporate Air Travel Booking Systems
Our research revealed a few instances in which TAs obtained access to administrator or authorized-personnel accounts on the air travel booking platforms of corporate travel agencies. Cybercriminals leverage such access to monetize illicit flight bookings.
In one recent instance, we identified a threat actor on a major Russian cybercrime forum auctioning unauthorized access to a global flight booking portal belonging to a UK-based travel management company. The surrounding activity suggested that the TA had been able to use the compromised access to book and modify international flight tickets.
In another instance, from August 2020, a TA was identified offering alleged access to a North American air travel booking company.
It also cannot be ruled out that TAs are scouting for insiders at airlines or corporate travel agencies in order to monetize insider access on cybercrime marketplaces for financial gain.
Compromised Databases Impacting Aviation Companies
As highlighted earlier, fraudsters scout cybercrime forums to buy access to aviation industry platforms. The two instances shown in the screenshots below, taken from cybercrime forums, reveal access for sale to companies in the Americas: one operates in air cargo, and the other is an airport technology solutions provider.
Ransomware Attacks Impacting the Aviation Industry
The Aviation industry and the related Travel industry are in the crosshairs of ransomware groups because of the volume of data they handle, including sensitive payment information. Ransomware groups that target these companies also gain notoriety quickly, since incidents affecting this critical transportation sector attract media attention. During the year, we observed:
- The Quantum Blog ransomware group ransomed a Middle Eastern airline in February 2022.
- The RansomEXX ransomware group targeted a South American carrier in March 2022.
- A private carrier operating in the Oceanic region was attacked by Quantum Blog in April 2022.
- An online travel booking site in the Middle East suffered a ransomware attack by LockBit in May 2022.
- A large MNC providing Aviation Technology Products and Services to various global carriers and travel companies was hit by the AlphaVM ransomware group in August 2022.
The Civil Aviation industry is highly diverse, with an extended supply chain and dependence on a wide range of human factors. The anticipated growth in the industry, and the digital transformation aimed at enhanced air connectivity and customer management, will require a stronger cybersecurity posture for aviation assets than ever before.
Our research indicates that growing cybercrime activity on deep and dark web forums and marketplaces, covering payment and banking fraud, illicitly obtained access to various platforms, and leaked databases of citizens' data, has a direct bearing on the Aviation industry. Thus, beyond cyber espionage threats, the Aviation and Travel industries must now brace themselves against financially motivated TAs seeking to compromise their operational and cyber integrity.