Recent investigations have unveiled that Air India, India’s national carrier, was subject to a protracted cyberattack lasting at least two months, in addition to a significant data breach disclosed last month. The attack has been attributed with moderate confidence to APT41, a China-based nation-state threat group known for its sophisticated cyber campaigns.
The cybersecurity firm Group-IB has identified this coordinated operation as “ColunmTK,” named after the command-and-control server domains involved. The campaign has serious implications for the aviation sector, as it could indicate similar exposure at other airlines that may unknowingly harbor remnants of the attack within their networks.
While Group-IB has suggested this incident may represent a supply chain attack targeting SITA, a Swiss-based aviation IT service provider, SITA has clarified that the cyber incidents involving Air India and its own network are distinct. SITA confirmed through communication with Air India on June 11, 2021, that these cyber events are unrelated.
APT41, which is also recognized as Winnti Umbrella, Axiom, and Barium, is notorious for its reconnaissance and espionage activities, affecting sectors such as healthcare and telecommunications. The group often targets high-value digital assets, engaging in intellectual property theft and financially motivated cybercrimes, including manipulation of virtual currencies and ransomware deployment.
On May 21, Air India publicly acknowledged a data breach impacting the personal information of 4.5 million customers over a span of nearly a decade. This breach emerged following a supply chain attack against SITA that came to light in February. Personal details compromised ranged from names and contact information to sensitive data including passport and credit card information.
FireEye’s Mandiant team, engaged in SITA’s incident response, confirmed that the attack was executed using advanced techniques indicative of one specific entity, although the full identity and motivations of the attackers remain unclear. Group-IB’s more recent findings suggest that the compromised Air India device was actively communicating with servers running Cobalt Strike payloads as early as December 11, 2020.
The attackers reportedly established persistence within the Air India network, breaching at least 20 devices and extracting sensitive information such as NTLM hashes and plain-text passwords. These operations map to MITRE ATT&CK tactics including initial access, lateral movement, and privilege escalation, highlighting the organized sophistication of the threat actors involved.
Group-IB traced connections to the Barium group based on infrastructure used in this attack that overlapped with prior campaigns. Attribution was further supported by similarities with payloads deployed in significant intrusions documented in 2020.
Despite the lack of clarity surrounding the initial point of compromise, Group-IB’s investigation treats the SITA and Air India incidents as interconnected. The firm posited that the initial infection in Air India’s network may have stemmed from a compromised connection to SITA, as SITASERVER4 was confirmed to be the first host affected within Air India’s ecosystem, even though it was not directly managed by SITA.
In response, SITA emphasized that the server was formerly associated with their software offerings, which were removed in 2019. They also underscored that none of the attack vectors leading to the Air India infiltration were the same as those targeting SITA, reinforcing the notion that the two incidents stemmed from different sources.