Canadian media revealed that in November 2016, the International Civil Aviation Organization (ICAO) was hit by a large-scale cyberattack.

The security breach was discovered by an analyst at Lockheed Martin, who immediately informed the organization. The expert discovered that hackers had taken control of two of its servers to carry out a so-called watering hole attack, aimed at infecting visitors to the sites hosted on those servers.

“The ICAO had been targeted by a watering hole, or an attack where a cyberattacker uses a website frequented by the intended target with an exploit,” reported a blog post published by ESET.

“The analyst at Lockheed Martin emphasized that this attack could represent a ‘significant threat to the aviation industry.’”

Cyber security experts believe the attack was carried out by the China-linked APT group LuckyMouse (aka Emissary Panda, APT27, Threat Group 3390 and Bronze Union).

ICAO hired an external analyst to help it evaluate the extent of the attack. According to an investigation conducted by Secureworks, the hackers were also able to compromise the mail servers and obtain access to admin accounts.

“Mail server, domain administrator and system administrator accounts were all affected, giving cyber spies access to the past and current passwords of more than 2,000 ICAO system users. Hackers could read, send or delete emails from any user,” reports Radio-Canada.

“The spies also had access to the personal records of past and present employees, the medical records of those who had used the ICAO clinic, financial transaction records and personal information of anyone who had visited the ICAO building or was registered on the website.”

In the weeks following the attack, the e-mail account of an ICAO delegate was also hacked and used to send out messages, but at the time it was not clear whether the two incidents were linked.

According to Radio-Canada, ICAO tried to hide a cyberattack that had serious consequences, including in its handling of the incident response.

Documents cited by Radio-Canada reveal that four members of the ICAO information and communication technology (ICT) team attempted to conceal evidence of their own incompetence, facilitated by the absence of their supervisor.

“Despite the seriousness of the attack, confidential sources told CBC/Radio-Canada that ICAO Secretary General Fang Liu had rejected internal recommendations to investigate ICT team members and their boss, James Wan. All are still working at the Organization,” continues Radio-Canada.

According to ESET researcher Matthieu Faou, the Chinese LuckyMouse APT group specializes in watering hole attacks. The hackers scan the Internet for vulnerable servers that could lead to the compromise of valuable targets.

“In addition to using generic tools relatively accessible on the Web, the group has developed tools of its own, including a rootkit. Last year, they stole a digital certificate belonging to a legitimate company, used to sign its rootkit,” explained Faou.

Why ICAO?

According to José Fernandez, cybersecurity expert and professor at Polytechnique Montréal, “ICAO is a natural choice” for cyber-espionage, a type of campaign with which LuckyMouse is often associated. “The agency thus becoming a one-stop shop for the hacking of all other players in the aerospace industry.”

Anthony Philbin, ICAO’s chief of communications, attempted to reassure the community following the disclosure of the attack that happened in 2016.

“Decisions made by ICAO regarding the 2016 incident you’ve referenced were based on forensic evidence provided by two independent expert bodies,” Philbin said.

“I’m sure you’ll understand that it wouldn’t be prudent for me to discuss more specific details with media on matters relating to ICAO security measures, cyber or otherwise.”

“ICAO maintains no type of financial or other private information which could possibly pose risks to individual Canadians.”

“We are not aware of the serious cyber security consequences for the external partners that would have resulted from this incident …”, he said, adding that since the attack, “ICAO has made significant improvements to its cybersecurity framework and approaches to mitigate other incidents.”

Pierluigi Paganini

( SecurityAffairs – APT, hacking)
