Hackers have successfully infiltrated the personal electronic device of a Turkish Airlines (THY) employee, subsequently gaining access to and leaking sensitive data belonging to Airbus, one of the world’s largest aircraft manufacturers.
The hacker, operating under the pseudonym “USDoD”, exposed sensitive data including the names, contact details, email addresses, physical addresses, and more of 3,200 Airbus vendors. A significant portion of this data has been made available for free on BreachForums, while registered members can access the remaining data for a small fee.
Interestingly, USDoD is the same hacker who, in December 2022, put up for sale on hacking forums a database stolen from the FBI’s “InfraGard” network system. Having evaded investigation since then, the hacker is back in the spotlight this week, announcing their involvement in a “Ransomware-as-a-Service” (RaaS) operation and the leak of Airbus data.
Turkish Airlines: An Airbus Client
The attacker claims that the breach against Airbus was made possible primarily by compromising the account of a Turkish Airlines employee. Given that Turkish Airlines is a client of Airbus, it is plausible that certain privileged employees might have access to the aircraft manufacturer’s systems.
Cyber intelligence firm Hudson Rock confirmed this claim in August 2023, stating that a Turkish Airlines computer was infected with the Redline malware family, a widely distributed information stealer. Hudson Rock suggests that the THY employee likely attempted to download a pirated version of the Microsoft .NET framework but inadvertently downloaded a malware downloader instead. This is a typical distribution method for information stealers, often promoted through Google Search, torrent sites, and black hat SEO tactics.
It is highly probable that the attackers used the credentials harvested by the Redline stealer to compromise the Turkish Airlines account and gain direct access to Airbus systems.
Investigation Underway
Airbus, on September 13, confirmed the cybersecurity incident to RestorePrivacy and stated that the company is currently investigating the situation.
“Airbus has initiated an investigation into the cyber incident involving the compromise of an IT account belonging to an Airbus customer. This account was used by the customer to download business-specific documents from the Airbus web portal. Immediate remedial and follow-up measures have been taken by our security teams to prevent the compromise of our systems. As a major high-tech and industrial player, Airbus is also a target for malicious actors. Airbus takes cybersecurity seriously, continuously monitoring activities in its IT systems, and possesses robust protective tools, skilled cyber experts, and relevant processes to protect the company when necessary.”
The incident underscores the importance of robust cybersecurity measures and the potential risks associated with third-party vendors and partners.