Cyber Security

Luke Hally

SITA cyber-attack part I: presentation

November 15, 2023

Task

Research recent cloud security incidents with prominent media coverage, and identify one to study for this exercise. For the incident you select, you will then create a five-minute presentation with a voice-over discussing the following:

  • Describe the nature of the attack. Who is the attack actor or who was responsible for this attack? 
  • What was the impact of the attack? 
  • How was cloud technology involved in the attack being successful? Could cloud technology have mitigated it? 
  • Who do you think was responsible for securing the resources that were exploited in this attack? Was it the impacted organisation, a cloud provider, or another third party? What could/should they have done differently? 
  • In your opinion, what would be the future trends of this attack in the cloud environment?

Presentation

For this assessment I continued my focus on aviation and chose the cyber attack on SITA which occurred in 2021.

Transcript

Slide 1

On February 24, 2021, SITA, a major IT provider to the aviation sector (Farrer, 2021), suffered a cyber attack. A brief statement followed the attack (SITA, 2021), but no further details were released. Even so, we can still build a picture of what happened and prepare ourselves for a similar attack.

Patient zero was a SITA customer. Following that initial breach, the attacker moved laterally, escalated privileges and exfiltrated password lists and hashes (Rostovtsev, 2021). From there it is believed the adversary used the stolen credentials, effectively becoming a trusted insider, to access and maintain a presence within SITA systems for 22 days (Sinha, 2021), during which they exfiltrated passenger data.

Though no one has claimed responsibility, research indicates that APT-41 may have been responsible (Rostovtsev, 2021). APT-41 is a Chinese state-sponsored group which undertakes espionage and financially motivated attacks, with the travel sector being one of their known targets (Mandiant, 2022).

Slide 2

Because patient zero was a SITA customer and a Star Alliance member, the attacker went on to exfiltrate airline passenger data of both organisations (Ilascu, 2021).

Data of over 2.1 million airline passengers (Ilascu, 2021) from at least 11 airlines was published on the dark web (Securin Inc, 2021), including name, itinerary and contact information (Sorrells, 2021) and, in some cases, date of birth, passport information and credit card details (Sinha, 2021). This could lead to further impacts such as identity theft and loyalty point fraud (Silk, 2021).

The attack has also changed SITA’s security posture, with the formation of the ‘Cyber and Privacy Committee’ to monitor its Enterprise Security Improvement Plan and Privacy Program (SITA, 2022, p. 9).

APT-41 leverages cloud technology in its attacks, using Cloudflare services to collect reconnaissance data anonymously, to deploy serverless code that routes C2 traffic, and to exfiltrate data via websocket traffic from edge servers (Brown et al., 2023).

SITA is implementing cloud technology to mitigate future attacks: an SDN solution intended to provide flexibility and improved security (SITA, 2022). If it is implemented to permit just-in-time, least-privilege access, with analytics for improved detection and prevention, it could mitigate this kind of attack. We will look at other useful cloud technology shortly.

Slide 4

Responsibility in this situation should have been shared: SITA should have secured the data on its servers, and the airlines should have ensured that their passenger data was appropriately de-identified or tokenised before being shared with their alliances or networks.
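To make the tokenisation point concrete, here is an added example (not part of the original presentation, and not code from SITA or any airline) of how an airline could share passenger records with an alliance partner without handing over direct identifiers. It assumes a keyed pseudonym per partner (HMAC-SHA256 under a partner-specific key, keyed on the passport number) and a token vault that only the data owner holds; all passenger records are constructed sample data. The partner can still link bookings for the same passenger, a dataset leaked from one partner cannot be joined to another partner's, and only the owning airline can re-identify a token.

```python
import hashlib
import hmac
import secrets

# Fields that identify a passenger directly; these never leave the owning airline.
DIRECT_IDENTIFIERS = ("name", "passport", "dob", "email", "card")

# Constructed sample records for the demonstration (not real passengers).
SAMPLE_PASSENGERS = [
    {"name": "A. Example", "passport": "X1234567", "dob": "1980-01-01",
     "email": "a@example.invalid", "card": "4111111111111111",
     "itinerary": "SYD-SIN-LHR", "tier": "gold"},
    {"name": "B. Sample", "passport": "Y7654321", "dob": "1975-06-30",
     "email": "b@example.invalid", "card": "5555555555554444",
     "itinerary": "MEL-HKG", "tier": "silver"},
    {"name": "A. Example", "passport": "X1234567", "dob": "1980-01-01",
     "email": "a@example.invalid", "card": "4111111111111111",
     "itinerary": "LHR-SYD", "tier": "gold"},
]


class TokenVault:
    """Token vault held by the data owner (the airline).

    Each partner gets its own HMAC key, so a token issued to one partner
    cannot be joined to the same passenger's token at another partner.
    The owner keeps the token -> record mapping; partners only ever see tokens.
    """

    def __init__(self):
        self._partner_keys = {}
        self._records = {}

    def register_partner(self, partner, key=None):
        # A fixed key may be supplied for reproducibility; otherwise a random one is drawn.
        self._partner_keys[partner] = key if key is not None else secrets.token_bytes(32)

    def token_for(self, partner, passport):
        # Keyed pseudonym: deterministic per (partner, passenger), unguessable without the key.
        # Keying on the passport number is an assumption made for this example.
        key = self._partner_keys[partner]
        return hmac.new(key, passport.encode("utf-8"), hashlib.sha256).hexdigest()[:24]

    def tokenise(self, partner, record):
        """Return a copy of the record that is safe to share with `partner`."""
        token = self.token_for(partner, record["passport"])
        self._records[(partner, token)] = record
        shared = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        shared["passenger_token"] = token
        return shared

    def reidentify(self, partner, token):
        """Only the owner, holding the vault, can map a token back to the passenger."""
        return self._records.get((partner, token))


def share_with_partner(vault, partner, records):
    """Tokenise a batch of records for one partner."""
    return [vault.tokenise(partner, r) for r in records]


def leaks_direct_identifiers(shared_records):
    """Check a shared dataset (for example one recovered after a breach) for direct identifiers."""
    return any(k in rec for rec in shared_records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    vault = TokenVault()
    vault.register_partner("alliance-partner-1")
    vault.register_partner("alliance-partner-2")
    out1 = share_with_partner(vault, "alliance-partner-1", SAMPLE_PASSENGERS)
    out2 = share_with_partner(vault, "alliance-partner-2", SAMPLE_PASSENGERS)
    print("partner 1 receives:", out1[0])
    print("same passenger, partner 2 token:", out2[0]["passenger_token"])
    print("shared set leaks identifiers:", leaks_direct_identifiers(out1))
    owner_view = vault.reidentify("alliance-partner-1", out1[0]["passenger_token"])
    print("owner re-identifies:", owner_view["name"])
```

The point of the per-partner key is containment: had the stolen dataset been tokenised this way, a dump taken from one participant in the network would have contained itineraries and tokens but no names, passports or card numbers, and the tokens could not have been correlated with data held by any other participant.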

Before the attack, SITA could have implemented IAM policies, advanced cyber risk monitoring and encryption of data at rest to mitigate it.

Cloud technology which SITA could implement to mitigate this attack includes zero trust architecture and federated identity management.

Zero trust would make a breach more difficult, and even if the attacker did get in, lateral movement and execution would be challenging because of microsegmentation. Federated identity means that the data would remain with the airlines, so it would not be SITA’s responsibility, and any data present would be encrypted, protecting it in the event of a breach.

Slide 5

Cloud infrastructure offers low-overhead, scalable and flexible infrastructure, so it makes sense that we will see its use in attacks increase in the future. We may even see the emergence of dedicated attacker cloud infrastructure in regions friendly to state-sponsored APTs (Collier et al., 2021, p. 1412).

I think there will be significant trends in cyber defence as a result of this and similar attacks.

Aviation supply network cyber security will be a future trend. The aviation sector already has underdeveloped supply chain cybersecurity and has not paid sufficient attention to its technology supply chains (Koepsel, 2018, p. 64). This attack was reported as a supply chain attack, but it is more accurately described as a supply network attack (Braziotis et al., 2013, p. 645). Supply networks are complex and can include indirect relationships (Braziotis et al., 2013, p. 646), in other words connections between active and inactive participants (Braziotis et al., 2013, p. 646). This is what we saw in the SITA breach, where data belonging to non-SITA customers was stolen.

I believe we will see organisations shift from focusing on collecting data to data utility, using federations to leverage data without the liability of holding it. 

Zero trust will not only improve security but also intelligence: because we expect and are prepared for a breach, we can gather more pertinent data when one occurs.

This will lead to clearer definitions of trust boundaries which will inform improved architecture, practices, monitoring and response.

I look forward to presenting you with more detail in my upcoming report.

References

Bracken, B. (2021, March 5). Massive supply-chain cyberattack breaches several airlines. Threatpost. https://threatpost.com/supply-chain-cyberattack-airlines/164549/

Braziotis, C., Bourlakis, M., Rogers, H., & Tannock, J. (2013). Supply chains and supply networks: Distinctions and overlaps. Supply Chain Management: An International Journal, 18(6), 644–652. https://doi.org/10.1108/scm-07-2012-0260

Brown, R., Ta, V., Bienstock, D., Ackerman, G., & Wolfram, J. (2023, August 9). APT41 targeting U.S. state government networks. Mandiant. https://www.mandiant.com/resources/blog/apt41-us-state-governments

Collier, B., Clayton, R., Hutchings, A., & Thomas, D. (2021). Cybercrime is (often) boring: Infrastructure and alienation in a deviant subculture. The British Journal of Criminology, 61(5), 1407–1423. https://doi.org/10.1093/bjc/azab026

Farrer, M. (2021, March 5). Airline data hack: Hundreds of thousands of Star Alliance passengers’ details stolen. The Guardian. https://www.theguardian.com/world/2021/mar/05/airline-data-hack-hundreds-of-thousands-of-star-alliance-passengers-details-stolen

Hally, L. (2023, June 3). Advanced cyber risk monitoring. A Cyber Security Blog by Luke Hally. https://www.lukehally.com.au/cyber-risk-resilience/advanced-cyber-risk-monitoring/

Ikeda, S. (2021, March 8). Aviation IT giant SITA breached in extensive supply chain attack; frequent flier programs of major airline … CPO Magazine. https://www.cpomagazine.com/cyber-security/aviation-it-giant-sita-breached-in-extensive-supply-chain-attack-frequent-flier-programs-of-major-airlines-compromised/

Ilascu, I. (2021, March 5). SITA data breach affects millions of travelers from major airlines. BleepingComputer. https://www.bleepingcomputer.com/news/security/sita-data-breach-affects-millions-of-travelers-from-major-airlines/amp/

Koepsel, K. M. (2018). The aerospace supply chain and cyber security: Challenges ahead. SAE International.

Kropotov, V., McArdle, R., & Yarochkin, F. (2020, July 21). Hacker infrastructure and underground hosting 101: Where are cybercriminal platforms offered? Security News. https://www.trendmicro.com/vinfo/au/security/news/cybercrime-and-digital-threats/hacker-infrastructure-and-underground-hosting-101-where-are-cybercriminal-platforms-offered

Mandiant. (2022). APT41, a dual espionage and cyber crime operation. https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf

Rostovtsev, N. (2021, June 10). Big airline heist. Group-IB. https://www.group-ib.com/blog/colunmtk-apt41/

Securin Inc. (2021, July 9). Back-to-back Air India attacks indicating more than just a data breach? Securin. https://www.securin.io/back-to-back-air-india-attacks-indicating-more-than-just-a-data-breach/

Silk, R. (2021, March 19). Airline data breach targets a fraudster favorite: Loyalty programs. Travel Weekly. https://www.travelweekly.com/Travel-News/Airline-News/Airline-data-breach-targets-a-fraudster-favorite-Loyalty-programs

Sinha, S. (2021, May 22). Air India data breach: SITA says cyber attackers ‘accessed some systems for 22 days at Atlanta centre.’ Times of India. https://timesofindia.indiatimes.com/india/air-india-data-breach-sita-says-cyber-attackers-accessed-some-systems-for-22-days-at-atlanta-centre/articleshow/82864982.cms

SITA. (2021). SITA statement about security incident. https://www.sita.aero/pressroom/news-releases/sita-statement-about-security-incident/

SITA. (2022). SITA activity report 2022. https://www.sita.aero/globalassets/docs/surveys–reports/activity-report-2022.pdf

Sorrells, M. (2021, March 5). SITA cyber attack accesses passenger data for multiple airlines. PhocusWire. https://www.phocuswire.com/sita-cyber-attack-accesses-passenger-data-for-multiple-airlines
