A Chinese threat actor tracked under the name Chimera has been targeting the airline industry to steal passenger travel records since early 2020, according to researchers at NCC Group and Fox-IT. The original 2020 report on the group from CyCraft outlined how Chimera was targeting the Taiwanese superconductor industry for intellectual property theft. In the new report, the threat actor appears to have changed targets: the group was seen targeting the airline industry across many different geographic regions. The group used credentials exposed in public data breaches to gain access to employee accounts. In some cases, the group stayed inside victim networks for up to three years, using tools such as Cobalt Strike to maintain stealthy persistence once access was gained. After gaining access to airline servers, the threat actors targeted customer data to obtain Passenger Name Records (PNR). According to the researchers, “How this PNR data is obtained likely differs per victim, but we observed the usage of several custom DLL files used to continuously retrieve PNR data from memory of systems where such data is typically processed, such as flight booking servers.” Chimera is believed to be a state-sponsored group working on behalf of the Chinese government.
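The report's detail that custom DLLs were loaded into the processes that handle PNR data in memory suggests one concrete hunting check: review image-load telemetry for the booking processes and flag modules that are unsigned, signed by an unexpected publisher, or loaded from outside the application's install directories. The following is an added example written for this page, not code from the NCC Group, Fox-IT or CyCraft reports; the process names ("bookingsvc.exe", "pnrgateway.exe"), the trusted directories and signers, the CSV field layout and every sample event are constructed assumptions standing in for a real Sysmon Event ID 7 or EDR export.

```python
"""
Added example (not from the NCC Group / Fox-IT report): scan image-load
telemetry for DLLs loaded into processes that handle PNR data in memory.
Process names, trusted paths, signers, the CSV layout and the sample lines
are all constructed for illustration; map them to your own EDR/Sysmon fields.
"""
import csv
import io

# Hypothetical processes assumed to hold PNR data in memory on a booking server.
PNR_PROCESSES = {"bookingsvc.exe", "pnrgateway.exe"}

# Directories from which the booking application's own modules would normally load (assumed).
TRUSTED_DIRS = ("C:\\Windows\\System32\\", "C:\\Program Files\\BookingSuite\\")

# Code-signing publishers expected for modules in those processes (assumed).
TRUSTED_SIGNERS = {"Microsoft Windows", "BookingSuite Ltd"}

# Constructed sample telemetry: one image-load event per line.
SAMPLE_EVENTS = """\
timestamp,host,process,image,signed,signer
2020-03-01T02:14:05Z,bk-srv-01,bookingsvc.exe,C:\\Windows\\System32\\kernel32.dll,true,Microsoft Windows
2020-03-01T02:14:06Z,bk-srv-01,bookingsvc.exe,C:\\Program Files\\BookingSuite\\pnrcore.dll,true,BookingSuite Ltd
2020-03-01T02:15:40Z,bk-srv-01,bookingsvc.exe,C:\\Users\\Public\\update.dll,false,
2020-03-01T02:16:02Z,bk-srv-02,notepad.exe,C:\\Users\\Public\\update.dll,false,
2020-03-01T02:17:11Z,bk-srv-02,pnrgateway.exe,C:\\ProgramData\\cache\\pnrhelper.dll,true,Unknown Publisher
"""


def suspicious_loads(csv_text):
    """Return (host, process, image, reasons) for each DLL load into a PNR-handling
    process that is unsigned, carries an unexpected signer, or comes from an
    untrusted directory. Loads into other processes are ignored on purpose:
    the goal is a short, high-signal list for the servers that matter most."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["process"].lower() not in PNR_PROCESSES:
            continue
        image = row["image"]
        reasons = []
        if row["signed"].strip().lower() != "true":
            reasons.append("unsigned")
        elif row["signer"].strip() not in TRUSTED_SIGNERS:
            reasons.append("unexpected-signer")
        if not image.startswith(TRUSTED_DIRS):
            reasons.append("untrusted-path")
        if reasons:
            findings.append((row["host"], row["process"], image, ",".join(reasons)))
    return findings


if __name__ == "__main__":
    for host, proc, image, reasons in suspicious_loads(SAMPLE_EVENTS):
        print(f"{host}: {proc} loaded {image} [{reasons}]")
```

A signed-but-unexpected publisher is reported separately from an unsigned module because a stolen or self-issued certificate still passes a naive "is it signed" check; the path test catches modules dropped into writable locations such as user profiles or ProgramData even when they are signed.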
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in