ICAO and ACAO Compromised: Cyberespionage Threats Target Aviation Safety Experts
The International Civil Aviation Organization (ICAO), a key UN agency, is currently assessing a major security breach that raises alarms about the integrity of its systems and the confidentiality of its personnel’s data. In a recent official statement, ICAO confirmed its investigation into reports of a potential information security incident linked to a cyber adversary known for targeting major international bodies.
This situation came to light after an individual posted on a well-known hacking forum on January 5, claiming to have obtained 42,000 documents from ICAO containing significant personally identifiable information (PII).
According to ICAO, “The confirmed information security incident involves around 42,000 records of recruitment applications from April 2016 to July 2024, purportedly accessed by the actor identified as Natohub.” The organization states that it has verified the information and found that 11,929 individuals were affected, with efforts underway to contact these individuals directly.
The attackers appear to have focused not on disrupting IT or operational technology processes but rather on gathering specific intelligence about the affected individuals and their digital identities. This reflects strategies commonly associated with traditional espionage, particularly human intelligence (HUMINT), where cyberspace becomes a pivotal avenue for acquiring targeted information. The compromised data primarily consists of recruitment-related details, including names, email addresses, birthdates, and employment histories.
In a parallel incident, Resecurity has reported a targeted campaign against the Arab Civil Aviation Organization (ACAO), in which a SQL injection attack against a vulnerable web application reportedly led to the exfiltration of staff records and credentials. Those affected include aviation safety specialists and incident investigators, individuals whose roles involve sensitive communications and operations. Unlike typical cybercriminals, who might monetize such data, state-sponsored actors may pursue it for strategic espionage, a concern heightened by the recent ICAO incident.
The breach involving ACAO has not been previously disclosed, and although specifics regarding the extent and nature of the leaked information remain uncertain, the event highlights the ongoing security vulnerabilities within aviation organizations. The gathered data appears to include usernames, hashed passwords, email addresses, job titles, and internal communications. Similar to the ICAO incident, this sensitive information was reportedly shared in a Dark Web forum on February 4, 2024.
The compromised dataset has been linked to prominent aviation safety authorities, such as the Qatar Aircraft Accident and Incident Investigation Unit, the Aviation Investigation Bureau of Saudi Arabia, the Iranian Civil Aviation Authority, and other regulatory bodies. This troubling trend of cyber threats targeting aviation safety specialists underscores the critical need for robust cybersecurity measures, particularly as the sector grapples with heightened geopolitical tensions following a series of significant aviation incidents last year.
In light of these developments, organizations within the aviation sector need to strengthen their cybersecurity frameworks. Mapped to the MITRE ATT&CK Matrix, the tactics employed in these attacks include initial access, data exfiltration, and privilege escalation. The incidents reveal an urgent need for vigilance and readiness against sophisticated cyber threats.
(SecurityAffairs – hacking news related to the International Civil Aviation Organization (ICAO))