Executive Summary
The aviation and aerospace verticals face numerous challenges in the form of cyber threats. This report gives an overview of the different threat actor motivations to target aviation and aerospace and the types of threats to these verticals.
Key Takeaways
- The aviation and aerospace verticals face numerous challenges in the form of cyber threats.
- These verticals rely on multiple technologies that create a large attack surface.
- Criminal, hacktivist, and nation-state threat actors have different motivations for attacking these verticals.
- Other categories of cyber threats to aviation and aerospace include ransomware, data theft, and phishing.
The aerospace and aviation industries face an increase in the potential for cyber threats due to an increase in connected devices and trust relationships with third-party vendors.
FireEye has reportedly observed at least 24 different advanced threat actor groups targeting various aspects of the aviation and aerospace industries. These include aerospace and defense parts wholesalers, aerospace products and parts manufacturing, aircraft engine and parts manufacturing, guided missile and space vehicle manufacturing, and industrial and military computer system manufacturing. The majority of these groups were Chinese nexus state-sponsored threat actor groups.
Data stolen by these groups included budget information, business communications, equipment maintenance records and specifications, organizational charts and company directories, PII, product designs and blueprints, production processes, proprietary product and service information, research reports, safety procedures, system log files, and testing results and reports.
Vulnerable Technologies
Aerospace and aviation rely on multiple technologies that create a large attack surface. Technologies that remain a prime target for cyberattacks include but are not limited to the following.
- Aircraft IP networks
- Digital air traffic control and traffic management systems
- Flight by wire systems
- Flight history servers
- Fleet and route planning systems
- Passenger reservation systems
- Ticket booking portals
- Access, departure, and passport control systems
- Cargo handling and shipping
- Fuel gauges
- Hazardous materials transportation management
- In-flight entertainment systems
- Electronic Flight Bags (EFB), a system used by flight crews
- Cabin crew devices
- Airplane Information Management systems (AIMS)
Different types of threat actor groups are driven by different motivations when selecting targets in the aviation and aerospace verticals.
Criminal Threat Actors
Criminal threat actor groups are typically motivated by financial gain. These threat actors may engage in ransomware, extortion, and data theft. Criminal threat actors are likely to target the aviation vertical due to the vast amounts of sensitive information used in related systems, such as passport information and payment data. The threat actors may steal payment information for fraudulent use, threaten to sell stolen information, or hold data for ransom.
Hacktivists
Hacktivists use cyber attacks as leverage to promote or protest specific political, religious, or other ideologies. They are known to engage in DDoS and other disruptive activities and sometimes use data leaks to negatively impact an organization’s reputation. An example of hacktivist threats is Killnet’s October 2022 DDoS attack on multiple airport websites. In light of the political climate surrounding the Russia-Ukraine conflict, Killnet has been targeting the websites of multiple NATO member countries with DDoS attacks. This incident prompted the TSA to propose new cybersecurity requirements for some key aviation systems.
Nation-state Threat Actors
Nation-state threat actors work on behalf of a government or defense entity. They often engage in espionage activity. They may also attempt to sabotage systems used by an opposing nation in times of conflict, as in the case of Russia targeting Ukraine’s satellite communications. Chinese threat actors are motivated to target the aerospace industry in support of China’s intelligence collection requirements as outlined in China’s 14th Five-Year Plan. The current Five Year Plan spans from 2021 to 2025 and includes a focus on deep space exploration and satellite-based communications networks.
Recent Attacks on Aviation and Aerospace
In 2021 and 2022, numerous threat actor groups targeted different aspects of the aviation and aerospace industries, including satellite communications, airports, and defense technologies. Some of the more prolific incidents are noted below.
- Iranian nexus state-sponsored threat actor group Static Kitten (Muddy Water) leveraged a backdoor that used Slack workspaces to target airlines. The attacks began as early as October 2019 and continued until late 2021. The attacks began with the Aclip PowerShell backdoor and used the Slack API for C2. Static Kitten is known to target transportation manifests to conduct surveillance on individuals who may pose a challenge to Iran’s political ideologies.
- In an espionage campaign spanning 2019-2021, a previously unknown Chinese nexus threat actor group targeted the aerospace industry. The threat actors, dubbed Space Pirates, used phishing to deliver malware payloads. The malware used in the campaign included MyKLoadClient, Zupdax, Downloader.Climax.A, Downloader.Climax.B, RTLShare, PlugX, BH_A006, and Deed RAT. The group’s primary objectives were espionage and information theft.
- In 2021, SITA, a telecommunications and IT provider used by the airline industry, was the target of a cyberattack. SITA provides services to around 90% of airlines. In the attack, the threat actors stole over 2 million records. Affected entities included Singapore Airlines, Thai Airways, Finnair, Cathay Pacific, United, Air New Zealand, and others.
- Unidentified threat actors using ShadowPad RAT targeted numerous organizations in Asian countries, including government-owned aerospace companies. The attacks reportedly began in early 2021, with espionage and intelligence gathering as the main objective.
- North Korean nexus threat actors Lazarus group reportedly targeted an aerospace expert in the Netherlands. The threat actors used a Windows rootkit that abused a Dell hardware driver. The malware was delivered via spearphishing, and the campaign began as early as the fall of 2021. Threat actor motivations included espionage and data theft.
- In February 2022, Russian state-sponsored threat actors reportedly targeted Ukraine’s Viasat KA-SAT satellite communications in an attempt to disrupt Ukraine’s command and control during the Russia-Ukraine conflict.
- In March 2022, an unidentified threat actor attacked the servers of Russia’s Civil Aviation Authority. The attack reportedly erased over 65 TB of data, including documents, files, aircraft registration data, and emails. The agency’s website was also down. Rosaviatsia tentatively attributed the attack to Anonymous, but Anonymous denied the allegations.
- In April 2022, Canadian budget airline Sunwing Airlines was the victim of a cyber attack that resulted in four days of flight delays. The third-party software system used for check-in and boarding was breached, forcing Sunwing to manually check in passengers.
- In May 2022, SpiceJet was the victim of a ransomware attack. The attack left hundreds of passengers stranded at airports in India.
- In recent months, the North Korean threat actor group Lazarus used living off the land (LoTL) techniques to target multiple entities, including some in the aerospace industry. The threat actors posed as recruiters and used social engineering and job recruiting lures to target individuals in the industry. Lazarus used their EventHorizon and ZetaNile malware in the campaign. They also weaponized several legitimate tools, including PuTTY, KiTTY, TightVNC Viewer, Sumatra PDF, and MuPDF/Subliminal Recording Installer.
- In October 2022, Killnet, hacktivist threat actors thought to be of Russian nexus, launched a DDoS attack that knocked the websites of multiple US airports offline. This included the website of the Atlanta airport, the world’s busiest airport.
Several types of attacks found in the general cyber threat landscape also pose a threat to the aviation and aerospace verticals.
Ransomware
The aviation sector reportedly faces ransomware attacks every week. Ransomware attacks can disrupt operations and result in monetary losses and reputational damage for the victim organization. Airlines and related entities targeted by ransomware have included VT San Antonio Aerospace, Spirit Airlines, SpiceJet, and Japan Airport Fuelling Service. Colonial Pipeline, considered part of the supply chain for aviation, was hit by a ransomware attack in 2021. This attack negatively impacted the aviation industry as collateral damage. Due to the incident, US airports on the East Coast experienced a fuel shortage, and airlines had to cancel flights and modify flight plans to accommodate refueling.
Data Theft
Multiple data theft incidents in 2018 targeted airlines:
- Cathay Pacific Airways was breached, and the data of 9.4 million passengers was stolen
- British Airways was breached, and the records of 400,000 customers and staff were stolen
- Air Canada was breached, and 20,000 records were stolen
In 2020, EasyJet was the victim of a cyber attack in which criminal threat actors stole data affecting over 9 million customers. This resulted in fines, a lawsuit, and reputational damage for EasyJet.
Phishing
Phishing is one of the primary cyber threats to the aviation and aerospace verticals. It can be used to deliver malware via malicious links and documents or can be used to intercept employee communications. In 2016-2017, Elfin (APT33) reportedly targeted a US entity in the aerospace sector and a Saudi business conglomerate with aviation holdings. The threat actors targeted employees with spearphishing emails. The emails included a malicious document that delivered a custom backdoor.
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports