A cyberattack on SITA that impacted multiple airlines across the globe was likely the work of a Chinese nation-state threat actor known as APT41, according to new research from security experts at Group-IB. The attack was disclosed in March and affected airlines such as Air India, Air New Zealand, Singapore Airlines, Finnair, and more. SITA boasts roughly 2,500 customers and offers services across 1,000 different airports.
The investigation conducted by Group-IB revealed that the first system within Air India’s network that was communicating with the attackers’ infrastructure hosted the Cobalt Strike implant for more than two months before the attack. The system was also named SITASERVER4. The attackers used their undetected presence on the network to collect credentials, compromising at least 20 devices within Air India’s network. The attack lasted roughly 2 months and 26 days, according to Group-IB.
Read More: Researchers Attribute SITA Cyberattack to Chinese Hackers
