
Internal Use

Latest Report on current state of Air India after the Data Breach

APT41 likely behind a third-party attack on Air India

In the last few months, India's leading airline, Air India, announced that it had been the
victim of a massive hack affecting up to 4.5 million passengers.

Unknown hackers had accessed their data, which included passport information
and some credit card information. A cybersecurity firm now claims, with
"moderate" confidence, that Air India was hacked by APT41, a well-known Chinese
government-sponsored espionage and cybercriminal cell. APT41, also known as
WICKED SPIDER (PANDA), Winnti Umbrella, and BARIUM, is suspected of
conducting state-sponsored espionage and financially motivated cybercrime in
China's interests.

The threat actor has been active since at least 2007, according to Group-IB's Threat
Intelligence & Attribution system. After establishing persistence in the network and
obtaining passwords, the attackers began moving laterally. The threat actor
gathered data from within the local network, including the names and addresses of
network resources. The compromised devices were located in multiple subnets, according
to Group-IB's Threat Intelligence & Attribution data, which could indicate that the
compromise touched distinct areas of Air India's network.

While the initial attack vector is unknown, the attack on Air India lasted at least 2
months and 26 days, according to Group-IB documents. The attackers spread Cobalt Strike
beacons across the airline's network within 24 hours and 5 minutes.

A file called "Install.bat" was identified by Group-IB researchers. As part of the
ColunmTK campaign, the attackers uploaded the file to some of the infected machines
on Air India's network. The file looks extremely similar to one used by APT41 in a
previous campaign revealed by FireEye. In both cases the files were used to establish
network persistence, and they are extremely similar in the way they start a DLL file as
a service and create registry keys. Based on this, Group-IB experts attribute the ColunmTK
campaign against Air India to the Chinese nation-state threat actor APT41.

For RealPage Internal Use Only



Air India has been sued by a flyer over the recent personal data leak of 4.5 million customers.

An Air India flyer has sought damages from the airline after the recent leak of the personal
data of 4.5 million passengers, including hers and her husband's.
A legal notice was sent to Air India management on Sunday by Ritika Handoo, in which
she said that the airline informed her about the breach on June 1, her lawyer said.
Describing the breach as a violation of her "right to be forgotten and informational
autonomy", she sought compensation of Rs 30 lakh.

Air India Response to the Security Breach


In its response to its massive security breach, Air India announced that it had taken the
following steps to ensure passenger data safety:
- Investigating the security breach
- Securing the servers that were compromised
- Working with external data security incident specialists
- Notifying and working with credit card issuers
- Resetting passwords for its Frequent Flyer program

The airline further stated:


Further, our data processor has ensured that no abnormal activity was observed after
securing the compromised servers. While we and our data processor continue to take
remedial actions including but not limited to the above, we would also encourage
passengers to change passwords wherever applicable to ensure safety of their personal
data. The protection of our customers' personal data is of the highest importance to us, and
we deeply regret the inconvenience caused and appreciate the continued support and trust of
our passengers.

Air India had acknowledged the breach in March but did not reveal any further details
about it. In its latest announcement, it moved to assure its passengers that there was no
evidence of “misuse” of the data but urged its customers to change their passwords to
ensure the security of their confidential information.

Air India, which assured its passengers that there was no evidence of any “misuse” of the
data, said it is in touch with regulatory agencies in India and abroad over the attack.
The airline also noted that it had engaged various data security specialists to look into the
compromised servers, and that it is also currently in talks with credit card companies and
resetting the passwords of Air India's frequent flyer members.

References:


Air India data breach: All you need to know. Hindustan Times (via Google AMP). Retrieved October 8, 2021, from https://www.google.com.ph/amp/s/www.hindustantimes.com/india-news/air-india-data-breach-all-you-need-to-know-101621647788771-amp.html

Big airline heist: APT41 likely behind a third-party attack on Air India. Group-IB. (n.d.). Retrieved October 8, 2021, from https://blog.group-ib.com/colunmtk_apt41

Press Trust of India. (2021, July 4). Air India flyer seeks damages over data breach of 4.5 million passengers. Business Standard. Retrieved October 8, 2021, from https://wap.business-standard.com/article/companies/air-india-flyer-seeks-damages-over-data-breach-of-4-5-million-passengers-121070400608_1.html

Air India's massive data breach: following best practices for data security is more important than ever. Cryptomathic. Retrieved October 8, 2021, from https://www.cryptomathic.com/news-events/blog/air-indias-massive-data-breach-compliance-to-major-rules-of-data-security-of-more-important-than-ever
