Latest Threat Research: LetMeowIn – Analysis of a Credential Dumper

Get Informed


Chinese Threat Actor Targeting Airline Industry

A Chinese threat actor being tracked under the name Chimera has been targeting the airline industry to steal passenger travel records since early 2020, according to researchers at the NCC Group and Fox-IT. The original report on the group in 2020 from CyCraft outlined how the Chimera group was targeting the Taiwanese superconductor industry for intellectual property theft. In the new report, the threat actor has appeared to change targets. The group was seen targeting the airline industry in many different geographic locations. The group would utilize public data breaches to get credentials for employee accounts. In some cases, the group managed to stay inside victim networks for up to three years, utilizing tools such as Cobalt Strike to maintain stealthy persistence once they gained access. After the threat actors gained access to airline servers, they would target customer data to obtain Passenger Name Records (PNR). According to researchers, “How this PNR data is obtained likely differs per victim, but we observed the usage of several custom DLL files used to continuously retrieve PNR data from memory of systems where such data is typically processed, such as flight booking servers.” Chimera is believed to be a state-sponsored group working on behalf of the Chinese government.

Analyst Notes

The targeting of hospitality and airline industries for nation-state actors is a common practice. Many different countries utilize cyber network intrusions in an attempt to steal travel-related information. This information can be used later to track high profile people of interest throughout the world and could be used to inform physical surveillance and intelligence operations. Password spraying attempts, such as what was used in this attack, are common. This attack is done by threat actors who find old credentials or databases leaked online and prey on the victims who have not changed their passwords from the breach. It is important that everyone needs to be tracking when their email is compromised in a data breach, to ensure the proper preventative steps can be taken quickly. Companies should utilize a service such as Binary Defense’s Counterintelligence service which offers domain monitoring, searching for data breaches and leaked email passwords, and alerting the affected parties.

More can be read here: