Personal Data of Passengers, Employees Stolen in Ransomware Attack on AirAsia


AirAsia, a budget airline that operates out of Malaysia, is dealing with the aftermath of a ransomware attack that saw the personal data of some five million people stolen.

To add insult to injury, the gang of cyber criminals responsible said they would not attack the beleaguered airline again because of how “sloppy” its internal organization and management appeared to be.

The perpetrators of the ransomware attack appear to be “Daixin Team,” a group that is thought to be based in or around China and that has become active enough in recent months to merit an alert from the FBI and CISA. The group has been active since at least June 2022, but previously had shown a strong preference for targeting healthcare and public health facilities via unpatched VPN vulnerabilities.

The ransomware attack on AirAsia occurred on November 11 and 12, with samples of the stolen personal data being leaked to the group’s dark web site about a week later. The posted samples contain employee personal information as well as passenger booking information. The group says that it has captured “all employees” personal data and an unspecified quantity of passenger data.

While Daixin Team continues to shake down AirAsia using the stolen personal data, it said there would be no further ransomware attacks on the company due to its “chaotic organization” and poor cybersecurity. This did not appear to be out of pity, however, but out of frustration at having to sort through a tangled internal network to find information of value; the group said it would leave it to “newcomers” to pick through the “garbage.” The hackers also said they would stop short of locking anything that could be life-threatening, such as air traffic control and radar systems.

Founded in 1993, AirAsia has the largest fleet in Malaysia and flies to the greatest range of international and domestic destinations. The airline carried a total of about 4.81 million passengers in 2021, indicating that the personal data stolen by the attackers may be limited to bookings taking place within the last year or so. Part of the leak of sample data stolen during the ransomware attack shows a database of passenger names with ID numbers and the total cost of their ticket.

Ransomware attacks have become both more frequent and more expensive to weather in recent years, but they have also become more dangerous. Attackers have now demonstrated that they are willing to cause real-world damage, potentially even death, if they think it will increase their chances of a payout. That was a red line that was really not crossed before the major attacks on critical infrastructure and hospitals in 2021.

It is unclear if Daixin Team’s claim that it had access to air traffic control and other sensitive airline applications that could cause physical damage is accurate. This would generally require direct access to an individual airport’s systems rather than an airline’s internal network or booking system. There have been numerous attacks on both airlines and the public-facing portion of airport websites at this point, none of which have yielded that sort of access; about the closest example was an attack on Bristol Airport in 2018 that caused outages of the flight status screens for two days, but did not impact actual aircraft operations. Another attack in India earlier this year disrupted flight scheduling for several days, but did not prevent planes from flying. FedEx’s air shipment service has also been hit by ransomware attacks at least twice, but flight operations are not known to have been impacted.

Ransomware attacks have, however, by now been shown to be capable of indirectly causing death in the health care industry that Daixin Team likes to target. In 2020 a German patient being transported by ambulance for emergency services was turned away from a hospital that had its systems shut down by ransomware, and died en route to the next closest facility. And in 2021, a baby in Alabama died after a mother was not given tests that may have saved its life, due to ransomware limiting hospital capabilities at the time. Though hospitals are generally not well-funded, hackers target them due to the wealth of personal data they hold and the fact that they cannot afford to have systems down for any length of time.

Nick Tausek, Lead Security Automation Architect at Swimlane, notes that this is a risk that all types of organizations now need to consider: “Since June of this year, the Daixin Team has attacked several healthcare organizations, including the OakBend Medical Center in Texas and the Fitzgibbon Hospital in Missouri. Both attacks resulted in the exposure of personally identifiable information (PII) on the dark web and represented a significant threat to patient and employee safety. Now, the Daixin Team seems to be shifting towards new targets – global critical infrastructure. Like prior Daixin Team attacks, the attack on AirAsia has resulted in sensitive data exposure. Unfortunately, AirAsia will most likely face large financial burdens and a crisis of confidence from its consumer base due to this attack.”

“To mitigate the chances of similar attacks in the future, it is imperative that organizations adopt low-code security automation to help detect and respond to threats in real-time by allowing complete visibility into IT environments. Endpoint security tools that integrate low-code security automation give organizations a cohesive protection strategy that protects customers and employees as well as keeps essential services like air travel up and running,” recommended Tausek.

