Over the last few months, we have witnessed an increasing trend in attacks against the supply chain. 2020 came to a close with the concerning attack against SolarWinds, impacting many government organizations, and February saw the attack against SITA. For both of these attacks, the impact is likely not yet fully understood, and it could be several months before it is realized. In the case of SITA, which provides IT services to a large number of airlines, the most recent impact of this attack has been associated with Air India, with recent reports indicating that the attack resulted in the theft of data relating to 4.5 million Air India customers.
This information is coming to light because the cyber-criminals involved in this attack actively sought to exfiltrate data from the network, with the likely aim of selling it on the dark web for financial gain. Further, given the sheer amount of data extracted before detection, they likely understood the network thoroughly, and in particular how to exfiltrate the data while remaining undetected, minimizing the chance of triggering security alerts. This is becoming a much more common technique: it is no longer reserved for the more advanced threat actors, it is much more widely deployed in cyber-criminal operations and, unfortunately, it compounds the reputational and financial impact on the target organization, since the stolen data is not only lost but then also sold on the dark web.
The data stored by airlines is of high value within the criminal underground, since it contains large amounts of Personally Identifiable Information (PII), including names, addresses, emails, passport numbers, credit card details and so on. This information can be sold individually on the dark web or consolidated into a package of full information, or ‘fullz’. Fullz are easily monetized on the dark web, selling for anywhere from $10 to $100, although passport information can make them as much as 10 times more valuable. This makes the total value of the data stolen in this attack worth a considerable amount of money to the criminals that stole it.
The value that cyber-criminals place upon this data should be reflected in the importance organizations place on securing it. Organizations such as airlines hold a considerable amount of our data, and we should be considering this fact when it comes to implementing cybersecurity, seeking to establish a mature cybersecurity posture in line with the importance and value of the data they are protecting. It is no longer sufficient to assume that a single cybersecurity solution such as an anti-virus or a firewall can cover everything required to safeguard a network. Organizations require established security controls with defense in depth, including endpoint solutions, anti-virus and firewalls, as well as network security solutions that provide visibility across their entire digital estate, not just on the endpoints themselves.
However, as cybersecurity solutions increase in complexity, so too should the knowledge and expertise of the analysts and the teams utilizing them. This will ensure that they are not only making the most out of their solutions, but that they can move from a reactive security posture (dealing with threats after they have been detected) to a proactive posture, whereby teams actively conduct threat hunting within their network to discover unknown malicious activity before it can do damage.
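As an added illustration of the kind of proactive hunt described above, and of the "exfiltration that stays below alert thresholds" problem raised earlier, the following Python script runs two simple hunts over daily outbound-traffic summaries: hosts whose egress volume stays well above their own baseline for several consecutive days (the low-and-slow pattern that a single per-transfer threshold misses), and hosts that start talking to an external destination never seen during the baseline window. This is example code written for this page, not from the original article or any vendor product; the flow records, host names, IP addresses (documentation ranges) and the thresholds are constructed assumptions, and a real deployment would feed it NetFlow/IPFIX or proxy logs aggregated per day.

```python
"""Hunt for sustained, low-and-slow data exfiltration in daily egress summaries.

Added example, not from the article. All records below are constructed;
field names, thresholds and the baseline window are assumptions.
"""
from collections import defaultdict
from statistics import median

MB = 1_000_000

# Constructed sample: (day, host, external_destination, bytes_out).
# Days 1-7 are treated as the baseline window; days 8-10 are the hunt window.
FLOW_RECORDS = []
for day in range(1, 11):
    FLOW_RECORDS.append((day, "ws-017", "198.51.100.10", 55 * MB))   # routine SaaS traffic
    FLOW_RECORDS.append((day, "ws-042", "198.51.100.10", 58 * MB))   # routine SaaS traffic
    FLOW_RECORDS.append((day, "db-03", "198.51.100.20", 500 * MB))   # nightly replication job
# Constructed exfiltration: modest daily transfers to a never-before-seen host,
# each small enough that a per-transfer size alert would not fire.
for day, size_mb in ((8, 150), (9, 170), (10, 160)):
    FLOW_RECORDS.append((day, "ws-017", "203.0.113.50", size_mb * MB))
# Constructed benign one-off: a single large catch-up sync to a known peer.
FLOW_RECORDS.append((9, "db-03", "198.51.100.20", 1_100 * MB))


def aggregate(records):
    """Per host: total outbound bytes per day, and the first day each destination was seen."""
    volume = defaultdict(lambda: defaultdict(int))
    first_seen = defaultdict(dict)
    for day, host, dst, nbytes in records:
        volume[host][day] += nbytes
        if dst not in first_seen[host] or day < first_seen[host][dst]:
            first_seen[host][dst] = day
    return volume, first_seen


def hunt_sustained_egress(records, baseline_days=7, ratio=3.0, min_days=3):
    """Flag hosts whose daily egress exceeds ratio * (their own baseline median)
    on at least min_days days after the baseline window.

    Using each host's own baseline avoids flagging a database server whose
    normal volume dwarfs a workstation's; requiring several days filters out
    single benign spikes such as a one-off large sync.
    """
    volume, _ = aggregate(records)
    findings = {}
    for host, by_day in volume.items():
        baseline = [by_day[d] for d in by_day if d <= baseline_days]
        if not baseline:
            continue  # no baseline for this host; handle separately (new asset)
        threshold = ratio * median(baseline)
        hot_days = sorted(d for d, b in by_day.items() if d > baseline_days and b > threshold)
        if len(hot_days) >= min_days:
            findings[host] = hot_days
    return findings


def hunt_new_destinations(records, baseline_days=7):
    """Flag external destinations a host first contacted after the baseline window."""
    _, first_seen = aggregate(records)
    findings = {}
    for host, seen in first_seen.items():
        new_dsts = sorted(dst for dst, day in seen.items() if day > baseline_days)
        if new_dsts:
            findings[host] = new_dsts
    return findings


if __name__ == "__main__":
    for host, days in hunt_sustained_egress(FLOW_RECORDS).items():
        print(f"[egress] {host}: sustained above baseline on days {days}")
    for host, dsts in hunt_new_destinations(FLOW_RECORDS).items():
        print(f"[newdst] {host}: first contact after baseline with {dsts}")
```

On the constructed data, only ws-017 is reported by both hunts: its three days of roughly 150 MB to a new destination triple its normal volume, while db-03's single 1.1 GB sync to a known peer is above its own threshold for one day only and is left alone. Tuning `ratio` and `min_days` is the trade-off between catching slower exfiltration and drowning analysts in benign volume changes; the two hunts are deliberately independent so that either signal on its own can start an investigation.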
Threat actors are becoming more sophisticated and are constantly evolving their capabilities to remain effective in their operations. To this end, organizations need to invest in the people, processes and technology they deploy across their network in order to stand the best chance of preventing an attack. And, should the worst-case scenario happen, that same investment will have built the capabilities and processes needed to remediate an attack as efficiently as possible, reducing the potential impact to both the organization and its customers.