For the last few years, a Chinese threat group tracked as Chimera has been targeting the airline industry with the aim of amassing passenger data that can later be used to monitor and track the movements of selected individuals. The group's operations have been under the scrutiny of cybersecurity organizations for some time, and experts suspect the actors behind Chimera of working in alignment with the interests of the Chinese state. The security firm CyCraft first described the group's activity in a paper presented at the Black Hat conference in 2020; that paper also linked Chimera to coordinated attacks on the Taiwanese semiconductor industry.
In a report released last week by NCC Group and its subsidiary Fox-IT, the two companies said that the group's intrusions were broader than originally believed, extending to the airline sector in addition to the semiconductor industry, and were not confined to Asia but spanned several geographic regions. They also noted that in several cases the actors had remained hidden inside victim networks for more than three years before being identified.
The attacks on Taiwan's semiconductor industry were aimed at stealing intellectual property, but the objective in the airline sector was different: the companies assess that the actors were after Passenger Name Record (PNR) data. During the investigation, the companies observed custom DLL files being used to continuously extract PNR data from the memory structures in which that information is normally held.
“NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020,” added the two companies.
The NCC Group and Fox-IT report describes the actors' modus operandi. Their first step is to collect data such as user login credentials that have been leaked publicly or on the dark web after breaches at other companies. The actors then use these credentials in 'credential stuffing' and 'password spraying' attacks against the personnel accounts of the target, such as email accounts. Credential stuffing replays known username and password pairs in the hope of reuse, while password spraying tries a small number of common passwords across many accounts, staying below per-account lockout thresholds.
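As an added example (not code from the NCC Group/Fox-IT report), the following Python script shows the kind of detection logic a defender would run over authentication logs to spot the password-spraying pattern described above, and to tell it apart from a brute force against a single account. The log format, IP addresses, user names, and thresholds are all constructed for illustration.

```python
"""Password-spray detection over a constructed authentication log.

Added example, not part of the NCC Group / Fox-IT report. Flags a source
that fails logins against many distinct accounts with only a few attempts
each (the spray pattern) and, for contrast, a source hammering one account.
All log lines, addresses, user names and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in a hypothetical syslog-like format.
SAMPLE_LOG = """\
2019-10-03T08:00:01Z auth: FAILED user=alice src=203.0.113.10
2019-10-03T08:00:07Z auth: FAILED user=bob src=203.0.113.10
2019-10-03T08:00:13Z auth: FAILED user=carol src=203.0.113.10
2019-10-03T08:00:19Z auth: FAILED user=dave src=203.0.113.10
2019-10-03T08:00:25Z auth: FAILED user=erin src=203.0.113.10
2019-10-03T08:00:31Z auth: SUCCESS user=frank src=203.0.113.10
2019-10-03T08:05:00Z auth: FAILED user=alice src=198.51.100.7
2019-10-03T08:05:02Z auth: FAILED user=alice src=198.51.100.7
2019-10-03T08:05:04Z auth: FAILED user=alice src=198.51.100.7
2019-10-03T08:05:06Z auth: FAILED user=alice src=198.51.100.7
2019-10-03T09:30:00Z auth: FAILED user=grace src=192.0.2.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Return {src: finding} for sources that fail against at least
    `min_accounts` distinct accounts inside `window` with no more than
    `max_per_account` failures per account (low-and-slow spraying).
    A SUCCESS from the same source after the spray started is reported as
    a possible compromise that an analyst should triage first."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAILED"]
        for i, start in enumerate(fails):  # sliding window over failures
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                success = [e["user"] for e in evs
                           if e["result"] == "SUCCESS" and e["ts"] >= start["ts"]]
                findings[src] = {"accounts": sorted(per_user),
                                 "possible_compromise": success}
                break
    return findings


def detect_single_account_bruteforce(events, window=timedelta(minutes=10), min_attempts=4):
    """Contrast case: at least `min_attempts` failures against one account
    from one source inside `window`. Returns sorted (src, user) pairs."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            by_key[(e["src"], e["user"])].append(e["ts"])
    hits = []
    for (src, user), times in by_key.items():
        times.sort()
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 <= window) >= min_attempts:
                hits.append((src, user))
                break
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("password spray:", detect_password_spray(evs))
    print("single-account brute force:", detect_single_account_bruteforce(evs))
```

The spray detector keys on the number of distinct accounts per source rather than on failures per account, which is exactly the dimension a per-account lockout policy does not see; in a real deployment the thresholds would be tuned to the organisation's baseline and the source key widened to cover attackers rotating through several IP addresses.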