A new report from cybersecurity company CrowdStrike says an unnamed aviation industry company sustained a significant cyber intrusion through 2018 and 2019, featuring a hacker with "valid credentials" and a "high level of administrative access."
The report gives further insight into what many experts have called persistent, often successful intrusions against the aviation industry. Most recently, AFP reported Airbus had been the victim of intrusions and attempted hacks through its huge network of third-party providers. CrowdStrike said the attack outlined in its Tuesday report appeared to be geared toward collecting data and establishing a wide foothold on the aviation company's network.
The incident is another example of how corporate espionage works in critical industries, including those connected to the defense industrial sector like aviation. Nation-state hackers often target these companies to gather as much information and intellectual property as possible, while also establishing several avenues of access within a company meant to serve as wide-scale, longer-term network observation points. It's also a reminder that significant security incidents aren't always big data thefts, but can be quieter reconnaissance missions that are hard to detect yet nonetheless severely damaging.
The CrowdStrike report does not attribute the aviation incident to any person or group. The earlier AFP report cited several sources who suggested China as the culprit for other aviation industry attacks. China issued several denials to the Airbus report, with China Foreign Ministry spokesman Geng Shuang calling the report irresponsible, unprofessional and having "ulterior motives."
CrowdStrike's new report says the anonymous aviation company's attack likely began with the hacking of an internal business application at the company that was "exposed to the internet," in other words, an internal corporate function that was accessible online.
The hacker had both "valid credentials" and a "high level of administrative access," and was able to move "laterally" across the aviation company, according to the report, meaning he or she could access many different parts of the company. The attacker then moved throughout the company, continuing to steal more credentials and password information along the way to facilitate ever-increasing access to different corporate functions.
Later, the attacker changed tactics and singled out an individual employee at the company, the report said. The hacker "was observed opening a significant number of document and image files belonging to a user of interest. The files inspected included the extensions .log, .jpg and .docx, and were located within the [employee's] Desktop and Documents directories."
The hack was part of a compilation of intelligence reports released by CrowdStrike on Tuesday. The company outlined attacks its researchers have observed against companies in other industries including telecommunications and the chemical sector.