ECCSA MTR 202210 1 Monthly Threat Report October22 v.1.0


ECCSA Monthly Threat Report

ECCSA MTR [202210-1]


TLP:GREEN
Recipients may share with peers & partner within their sector
October 2022
Target Recipients: Senior management, CISOs or equivalent
Issue: 03 November 2022
Vers: 1.0
CONTENT TABLE
1. Cyber Threats & Incidents in the Aviation Sector
a. Airports, Airlines & Manufacturer
• Thales Group allegedly victim of LockBit 3.0 ransomware
• Genesys Aerosystems allegedly victim of BlackBasta ransomware
• Aerolineas Argentinas allegedly suffered a data breach
• Air New Zealand faces cyber breach, multiple accounts compromised
• Finnair: Some customers affected by data breach of Portuguese airline
• DJI drone tracking data exposed in the US
• Anonymous Russia announced DDoS attack against Slovak airport websites
• Cyber-attack on Bulgarian websites including airports traced to Russia
• Cyber-attacks by pro-Russian KillNet, reported at US airports
• Atlanta Airport General Manager outlines recent cyber-attack of website
• Hallmark Aviation suffers data breach and encryption of networks & servers
• Sri Lankan Airlines Twitter account hacked over crypto scam
• Ethiopian Airlines reported Facebook account compromised
• GPS interference caused FAA to reroute Texas air traffic
b. Vulnerabilities & Critical Infrastructure Attacks
• Toyota warns of possible data theft after access key left exposed on GitHub
• Blackcat breached American manufacturer Kemet
• US CommonSpirit Health: Ransomware attack responsible for IT outages
• UK car dealer Pendragon hit with record ransom demand from LockBit
• Hackers used exfiltration tool (Impacket) to steal data from DIB organization
• Hive claims ransomware attack on Tata Power
• Thomson Reuters collected and leaked at least 3TB of sensitive data
• “See Tickets” discloses data breach, customers’ credit card data exposed
2. Cybersecurity Related News
a. Innovative Technology & Potential Areas of Attention
• How to combat cyber threats against aircraft
• Cyber budgets flying high for transport and aviation
• Transportation issuers increasingly at risk of cyber attack
• Business travellers not taking steps to reduce exposure to cyber security threats
• 5G cell service can coexist with planes, US study suggests
• How Wi-Fi spy drones snooped on financial firm
• Starlink unveils airplane service - Musk says it’s like using Internet at home
• Lawmakers cry foul as Strasbourg Airport buys Chinese scanners
• SSP to introduce customer-facing robots at Belfast International Airport
b. EU & European State Regulators
• US signs executive order for a new EU-US data transfer framework
• Ukraine and EU (ENISA) explore deeper cyber collaboration
• UK prepares for Russian-led cyber-attacks on critical infrastructure including aviation
• Eurocontrol and Israel Airports Authority (IAA) host aviation cyber security Olympics
• Germany fires cybersecurity chief after reports of possible Russia ties
• UK given right to directly request data from US companies
c. Other Regulators & Organisations
• US to issue new cybersecurity requirements for critical aviation systems
• New US cybersecurity guide aimed at protecting nation's critical infrastructure
• White House hosts international summit aimed at thwarting ransomware
• Singapore champions ASEAN CERT as region's cyber armour
• India set to extend deadline for “absurd” information security reporting requirements
• Australia flags increased penalties for data breaches following major cyberattacks
• INSA thwarts over 1,600 cyber-attack attempts on Ethiopia

Recipients may share TLP:GREEN with peers & partner within their sector/community, NOT via publicly accessible channels
1. Cyber Threats & Incidents in the Aviation Sector
a. Airports, Airlines & Manufacturer
Thales Group allegedly victim of LockBit 3.0 ransomware
Through its Data Leak Site, LockBit 3.0 claims to have compromised the Thales Group, saying the exfiltrated
data will be published on 07/11. According to The Record, Thales denies the ransomware attack.
Genesys Aerosystems allegedly victim of BlackBasta ransomware
On BlackBasta’s Data Leak Site it was claimed that the US aerospace & defense company Genesys
Aerosystems - which mainly produces advanced avionics solutions and components - was a ransomware
victim. Several samples traceable to the company and apparently to some of its employees were in the post.
Aerolineas Argentinas allegedly suffered a data breach
Argentina's largest airline, Aerolineas Argentinas, allegedly suffered a data breach and the leaked documents
have been advertised as freely downloadable on the underground forum “BreachForums”. Almost 66,000
email addresses of its clients’ documents were extracted from the FTP server (including confidential data, old
logs, technical information, passwords). The airline claims that no confidential data or PII was involved.
Air New Zealand faces cyber breach, multiple accounts compromised
Multiple Air New Zealand customers have been locked out of their accounts after the airline took action
against a cyber breach. The breach was an instance of “credential stuffing”, in which scammers used email
and password information stolen from another online source to hack into Air NZ Airpoints accounts.
Finnair: Some customers affected by data breach of Portuguese airline
Finland's national airline Finnair confirmed that some of its customers' data was stolen in a data breach that
targeted Portuguese flag carrier TAP, since some TAP routes can be purchased through the Finnish airline.
DJI drone tracking data exposed in the US
Over 80,000 drone IDs were exposed in a data leak after a database containing information from dozens of
airspace monitoring devices manufactured by the Chinese-owned DJI was left accessible to the public.
Anonymous Russia announced DDoS attack against Slovak airport websites
The targets of Anonymous Russia included: Bratislava airport, Sliač airport, SIAF International Aviation Days,
financial institutions and several taxi services, as well as the Uzhgorod and Budapest airports.
Cyber-attack on Bulgarian websites including airports traced to Russia
A DDoS attack was reported, targeting various Bulgarian government ministries’ websites, that of the
Presidency, the National Revenue Agency, telecommunications companies, airports, banks and some media.
The threat actor located in Russia was apparently tracked by the Bulgarian National Investigation Service.
Cyber-attacks by pro-Russian KillNet, reported at US airports
Some of the largest US airports have been targeted in cyberattacks by the pro-Russian hacker group KillNet.
Supposedly, the systems targeted did not handle air traffic control, internal airline communications and
coordination or transportation security. The attacks resulted in targeted "denial of public access" to public-
facing web domains that report airport wait times and congestion.
Atlanta Airport General Manager outlines recent cyber-attack of website
The top manager at Atlanta’s airport offered insight into how officials were able to ward off a cyber-attack,
providing a behind the scenes look at how his team stopped the hackers.
Hallmark Aviation suffers data breach and encryption of networks & servers
A vendor that contracts with Hallmark Aviation Services discovered that it had experienced a data breach in
which the sensitive PII in its systems may have been accessed. Through its investigation, Hallmark Aviation
Services’ vendor concluded that an unauthorized actor may have accessed this data.
Sri Lankan Airlines Twitter account hacked over crypto scam
The official Twitter account of Sri Lankan Airlines has been hijacked in what appears to be the latest round of
crypto scams running rampant on social media. Though crypto scams have been around for some time, these
types of attacks have been occurring at an increasing frequency over the past couple of years. The latest
iteration of these crypto scams seems to revolve around the recent Ethereum merge to a proof of stake.
Ethiopian Airlines reported Facebook account compromised
Ethiopian Airlines reported, through a Twitter post, that its Facebook account was compromised and was
used by malicious users to live stream video game matches.
GPS interference caused FAA to reroute Texas air traffic
The FAA is investigating the cause of mysterious GPS interference that has closed one runway at the
Dallas-Fort Worth International Airport and prompted some aircraft in the region to be rerouted to areas
where signals were working properly.

b. Vulnerabilities & Critical Infrastructure Attacks
Toyota warns of possible data theft after access key left exposed on GitHub
Toyota Motor has warned that nearly 300,000 customers may have had their data stolen in the third data
breach related to the company this year. The potential data breach was uncovered after it was found that an
access key to Toyota T-Connect (Toyota App) was left publicly available on GitHub for the last five years.
Blackcat breached American manufacturer Kemet
The ransomware group Blackcat aka Alphv claims to have breached the American electronics manufacturer
Kemet. Further information cannot be currently found on this subject.
US CommonSpirit Health: Ransomware attack responsible for IT outages
The largest US Catholic health system - CommonSpirit Health - is characterizing the interruption of IT services
across several of its hospitals as a ransomware attack.
UK car dealer Pendragon hit with record ransom demand from LockBit
According to security researchers, the UK’s second-largest car dealer, Pendragon, was the subject of a cyber-attack
and presumably the LockBit gang was responsible, requesting a ransom of $60M.
Hackers used exfiltration tool (Impacket) to steal data from DIB organization
The US Government released an alert about state-backed hackers using a custom CovalentStealer malware
and the Impacket framework to steal sensitive data from a US organization in the Defense Industrial Base
(DIB) sector. It is likely that multiple APT groups compromised the organization.
Hive claims ransomware attack on Tata Power
Hive ransomware group has claimed responsibility for a cyber-attack disclosed by Tata Power. The criminals
are leaking data they claim to have stolen from Tata Power, indicating that the ransom negotiations failed.
Thomson Reuters collected and leaked at least 3TB of sensitive data
Thomson Reuters, a multinational media conglomerate, left an open database with sensitive customer and
corporate data, including third-party server passwords in plaintext format exposed online. Attackers could
use the details for a supply-chain attack.
“See Tickets” discloses data breach, customers’ credit card data exposed
International ticketing services company “See Tickets” disclosed a data breach that exposed customers’
payment card details. According to the company, the attackers obtained data provided by the customers
while purchasing event tickets on the “See Tickets” website.
2. Cybersecurity Related News
a. Innovative Technology & Potential Areas of Attention
How to combat cyber threats against aircraft
ICT has complemented the growth and advancement of the aviation sector in the areas of aircraft design,
manufacturing, operations, and navigation. In addressing and combating aircraft cyber threats and attacks,
aircraft and avionics manufacturers, airlines, authorities, organizations, and other stakeholders should
collaborate in developing and implementing cyber threat risk reduction and mitigation measures. [LINK]
Cyber budgets flying high for transport and aviation
Despite rising investment in cyber security, with 82% of transport and aviation organisations increasing their
cyber budgets over the past 12 months, they take almost two months to detect a cyber attack, according to
research by a UK cyber security firm. The research reveals that the transport sector is lagging behind
communications, utilities, finance, and government in the timely detection of security breaches. [LINK]
Transportation issuers increasingly at risk of cyber attack
Issuers of transportation infrastructure debt now need to manage cyber risks on multiple fronts, as potential
targets for hackers include mass transit systems, airports, ports, toll roads and parking facilities. [LINK]
Business travellers not taking steps to reduce exposure to cyber security threats
Research has found that whilst over 86% of business travellers say their organisation asks them to take cyber
security measures during work travel, fewer than 24% have anti-virus software on their devices. [LINK]
5G cell service can coexist with planes, US study suggests
The new 5G cell towers that generated controversy this year are well designed to limit radio-wave
interference on airliners, according to a US government study that appears to show the technology can soon
safely coexist with aviation. [LINK]
How Wi-Fi spy drones snooped on financial firm
Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place.
Security researchers recently recounted various incidents. [LINK]
Starlink unveils airplane service - Musk says it’s like using Internet at home
SpaceX is now advertising Starlink Aviation, promising 350Mbps broadband with unlimited data for each
airplane it's installed in. [LINK] [LINK]
Lawmakers cry foul as Strasbourg Airport buys Chinese scanners
Nuctech equipment will scan kit passing through one of European Parliament members’ favorite transport
hubs. A previously unreported deal between Chinese tech firm Nuctech and Strasbourg Airport to provide
airport scanning systems is causing a stir among EU Parliament members who fear their data is at risk. [LINK]
SSP to introduce customer-facing robots at Belfast International Airport
Travel food & beverage company SSP Group is trialling a robot service technology which it claims will enhance
colleague and customer experience at Belfast International Airport. [LINK]
b. EU & European State Regulators
US signs executive order for a new EU-US data transfer framework
The US has signed an executive order for a new EU-US data transfer framework which will introduce
safeguards for US intelligence services’ access to European personal data. [LINK]
Ukraine and EU (ENISA) explore deeper cyber collaboration
A Ukrainian delegation met with ENISA officials to explore deeper cooperation on cyber security issues. [LINK]
UK prepares for Russian-led cyber-attacks on critical infrastructure including aviation
UK critical infrastructure such as energy, telecoms, health services and aviation is likely to be targeted by
Russia. They would consider it a major victory if they could disrupt energy supply or close airports. [LINK]
Eurocontrol and Israel Airports Authority (IAA) host aviation cyber security Olympics
Aviation cyber security experts from 9 organisations joined a “Capture the Flag” cyber conference and exercise,
co-organised by Eurocontrol and IAA at Ben-Gurion Int Airport. The event saw experts compete in solving
cyber challenges related to responding, handling and successfully recovering from a cyber-attack. [LINK]
Germany fires cybersecurity chief after reports of possible Russia ties
Germany fired the country’s cybersecurity chief and launched an investigation into his conduct after media
allegations he may have encountered Russian security circles through a consultancy he co-founded. [LINK]
UK given right to directly request data from US companies
The UK has been given the right to directly request data from US technology firms under a new Data Access
Agreement. This will transform how investigators in the UK collect digital evidence from US platforms. [LINK]
c. Other Regulators & Organisations
US to issue new cybersecurity requirements for critical aviation systems
The TSA plans to issue new cybersecurity requirements for some key aviation systems after several US airport
websites were hit with coordinated DDoS attacks. [LINK]
New US cybersecurity guide aimed at protecting nation's critical infrastructure
The CISA has released a long-awaited list of cyber performance goals for critical infrastructure in the US. The
government is relying on existing regulatory authority within agencies to introduce new rules to industries,
including rail and aviation. [LINK]
White House hosts international summit aimed at thwarting ransomware
Representatives from 36 countries and the EU met in Washington to strategize ways to combat
“ransomware” including setting up a joint task force next year. [LINK]
Singapore champions ASEAN CERT as region's cyber armour
The ASEAN Regional CERT will operate as a virtual centre comprising incident responders from across member
states, each sharing information during security incidents that occur in any of the respective nations. The
critical information infrastructure protection would include aviation, maritime, banking and finance. [LINK]
India set to extend deadline for “absurd” information security reporting requirements
India hinted that it will again extend the deadline to comply with sweeping new information security
reporting rules that were imposed, with reporting of incidents within 6 hours of detection. [LINK]
Australia flags increased penalties for data breaches following major cyberattacks
Australia will introduce laws to increase penalties for companies subject to major data breaches, after high-
profile cyberattacks hit millions of Australians in recent weeks. [LINK]
INSA thwarts over 1,600 cyber-attack attempts on Ethiopia
Ethiopia’s Information Network Security Agency says more than 1600 cyber-attack attempts on the nation
were noted in Q1 2022, targeting energy, hospitals, telecom, air traffic control systems and financial. [LINK]
