China-Tied Hackers That Hit U.S. Said to Breach United Airlines
by Michael Riley and Jordan Robertson
July 29, 2015 — 2:00 AM PDT
The hackers who stole data on tens of millions of U.S. insurance holders and government employees in recent months breached another big target at around the same time -- United Airlines.
United, the world’s second-largest airline, detected an incursion into its computer systems in May or early June, said several people familiar with the probe. According to three of these people, investigators working with the carrier have linked the attack to a group of China-backed hackers they say are behind several other large heists -- including the theft of security-clearance records from the U.S. Office of Personnel Management and medical data from health insurer Anthem Inc.
The previously unreported United breach raises the possibility that the hackers now have data on the movements of millions of Americans, adding airlines to a growing list of strategic U.S. industries and institutions that have been compromised. Among the cache of data stolen from United are manifests -- which include information on flights’ passengers, origins and destinations -- according to one person familiar with the carrier’s investigation.
It’s increasingly clear, security experts say, that China’s intelligence apparatus is amassing a vast database. Files stolen from the federal personnel office by this one China-based group could allow the hackers to identify Americans who work in defense and intelligence, including those on the payrolls of contractors. U.S. officials believe the group has links to the Chinese government, people familiar with the matter have said.
That data could be cross-referenced with stolen medical and financial records, revealing possible avenues for blackmailing or recruiting people who have security clearances. In all, the China-backed team has hacked at least 10 companies and organizations, which include other travel providers and health insurers, says security firm FireEye Inc.
Tracking Travelers
The theft of airline records potentially offers another layer of information that would allow China to chart the travel patterns of specific government or military officials.
United is one of the biggest contractors with the U.S. government among the airlines, making it a rich depository of data on the travel of American officials, military personnel and contractors. The hackers could match international flights by Chinese officials or industrialists with trips taken by U.S. personnel to the same cities at the same time, said James Lewis, a senior fellow in cybersecurity at the Center for Strategic and International Studies in Washington.
“You’re suspicious of some guy; you happen to notice that he flew to Papua New Guinea on June 23 and now you can see that the Americans have flown there on June 22 or 23,” Lewis said. “If you’re China, you’re looking for those things that will give you a better picture of what the other side is up to.”
Computer Glitches
The timing of the United breach also raises questions about whether it’s linked to computer faults that stranded thousands of the airline’s passengers in two incidents over the past couple of months. Two additional people close to the probe, who like the others asked not to be identified when discussing the investigation, say the carrier has found no connection between the hack and a July 8 systems failure that halted flights for two hours. They didn’t rule out a possible, tangential connection to an outage on June 2.
Luke Punzenberger, a spokesman for Chicago-based United, a unit of United Continental Holdings Inc., declined to comment on the breach investigation.
Zhu Haiquan, a spokesman for the Chinese embassy in Washington, said in a statement: “The Chinese government and the personnel in its institutions never engage in any form of cyberattack. We firmly oppose and combat any forms of cyberattacks.”
Embedded Names
United may have gotten help identifying the breach from U.S. investigators working on the OPM hack. The China-backed hackers that cybersecurity experts have linked to that attack have embedded the name of targets in web domains, phishing e-mails and other attack infrastructure, according to one of the people familiar with the investigation.
In May, the OPM investigators began drawing up a list of possible victims in the private sector and provided the companies with digital signatures that would indicate their systems had been breached. United Airlines was on that list.
Safety Concerns
In contrast to the theft of health records or financial data, the breach of airlines raises concerns of schedule disruptions or transportation gridlock. Mistakes by hackers or defenders could bring down sensitive systems that control the movement of millions of passengers annually in the U.S. and internationally.
Even if their main goal was data theft, state-sponsored hackers might seek to preserve access to airline computers for later use in more disruptive attacks, according to security experts. One of the chief tasks of the investigators in the United breach is ensuring that the hackers have no hidden backdoors that could be used to re-enter the carrier’s computer systems later, one of the people familiar with the probe said.
United spokesman Punzenberger said the company remains “vigilant in protecting against unauthorized access” and is focused on protecting its customers’ personal information.
There is evidence the hackers were in the carrier’s network for months. One web domain apparently set up for the attack -- UNITED-AIRLINES.NET -- was established in April 2014. The domain was registered by a James Rhodes, who provided an address in American Samoa.
James Rhodes is also the alias of the character War Machine in Marvel Comics’ Iron Man. Security companies tracking the OPM hackers say they often use Marvel comic book references as a way to “sign” their attack.
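The two details above, that the group embedded target names in its attack domains and that a lookalike domain had been registered well before the intrusion was detected, suggest a simple defender-side check. The following is an added illustration, not code from the article or from the carrier's investigators: it scans constructed DNS-query log lines for domains that embed the brand name but are not on the organization's own allowlist, and estimates how long such a domain existed before it was first seen. The allowlist, brand token, log lines and WHOIS creation dates are all constructed assumptions.

```python
import re
from datetime import date

# Assumed allowlist of the organization's legitimate registrable domains (constructed).
LEGIT_DOMAINS = {"united.com", "unitedcontinentalholdings.com"}
# Brand token attackers are known to embed in lure domains (from the article's example).
BRAND_TOKEN = "united"

# Constructed DNS-query log lines: "<timestamp> <client_ip> <queried_domain>".
SAMPLE_DNS_LOG = """\
2015-06-01T09:12:03Z 10.0.4.21 www.united.com
2015-06-01T09:12:41Z 10.0.4.21 mail.united-airlines.net
2015-06-01T09:13:07Z 10.0.7.9 cdn.example.org
2015-06-01T09:14:55Z 10.0.4.33 unitedairlines-login.com
2015-06-01T09:15:10Z 10.0.4.33 united.com
"""

# Constructed WHOIS creation dates; a real check would query WHOIS/RDAP.
WHOIS_CREATED = {
    "united-airlines.net": date(2014, 4, 1),
    "unitedairlines-login.com": date(2015, 5, 20),
}

def registrable_domain(fqdn):
    """Naive eTLD+1 (last two labels); adequate for the .com/.net/.org samples here."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn.lower()

def is_brand_lookalike(fqdn, token=BRAND_TOKEN, allowlist=LEGIT_DOMAINS):
    """True when the domain embeds the brand token but is not an approved domain."""
    base = registrable_domain(fqdn)
    if base in allowlist:
        return False
    # Strip separators so "united-airlines" and "unitedairlines" compare alike.
    core = re.sub(r"[^a-z0-9]", "", base.split(".")[0])
    return token in core

def find_lookalike_queries(log_text):
    """Return (timestamp, client_ip, domain) for each query to a lookalike domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and is_brand_lookalike(parts[2]):
            hits.append(tuple(parts))
    return hits

def dwell_days(fqdn, first_seen_iso):
    """Days between the lookalike domain's registration and its first observed query."""
    created = WHOIS_CREATED.get(registrable_domain(fqdn))
    return (date.fromisoformat(first_seen_iso) - created).days if created else None
```

Feeding the constructed log through find_lookalike_queries flags the two lure-style domains and leaves the allowlisted ones alone; a registration date more than a year before first sighting is the kind of signal the article's investigators used to judge dwell time.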
Targeting Pentagon
This isn’t the first time such an attack has been documented. Chinese military hackers have repeatedly targeted the U.S. Transportation Command, the Pentagon agency that coordinates defense logistics and travel.
A report last year from the Senate Armed Services Committee documented at least 50 successful hacks of the command’s contractors from June 2012 through May 2013. Hacks against the agency’s contractors have led to the theft of flight plans, shipping routes and other data from organizations working with the military, according to the report.
“The Chinese have been trying to get flight information from the government; now it looks as if they’re trying to do the same in the commercial sector,” said Tony Lawrence, a former Army sergeant and founder and chief executive officer of VOR Technology, a Columbia, Maryland-based cybersecurity firm.
It’s unclear whether United is considering notifying customers that data may have been compromised. Punzenberger said United “would abide by notification requirements if a situation warranted” it.
The airline is still trying to determine exactly which data was removed from the network, said two of the people familiar with the probe. That assessment took months in the OPM case, which was discovered in April and made public in June.
M&A Strategy
Besides passenger lists and other flight-related data, the hackers may also have taken information related to United’s mergers and acquisitions strategy, one of the people familiar with the investigation said.
Flight manifests usually contain the names and birthdates of passengers, but even if those files were taken, experts say that would be unlikely to trigger disclosure requirements in any of the 47 states with breach-notification laws.
Those disclosure laws are widely seen as outdated. The theft by hackers of corporate secrets usually goes unreported, while the stealing of customer records such as Social Security numbers and credit cards is required in most states.
“In most states, this is not going to trigger a notification,” said Srini Subramanian, state government leader for Deloitte cyber risk services.