Airline Supply Chain Attack

Introduction

For the lucky ones who have achieved Air Canada’s top tier membership level, some numerous benefits and privileges come with such a status. Lounge access, upgrade credits, and fast track lanes are some of the luxuries that this elite few experience. But what happens when a top tier passenger uses another airline, say South African Airways? Heaven forbid they need to wait in queues like the regular folk…

This is where Star Alliance comes in. As members of the same alliance, South African Airways can recognize Air Canada top tier passengers and, in turn, provide the appropriate services and benefits. SITA’s Passenger Service System (SITA PSS) operates the system for processing airline passenger data. This allows passengers’ frequent flyer status to be recognized across airlines. The communication and IT vendor serves to enhance airlines’ services but, in doing so, must access airlines’ passenger data. As a result, the recent cyberattack on SITA’s Passenger Service System (SITA PSS) has meant that SITA’s clients, and their clients’ clients, have been impacted.

Attack on Personal Data

In late February of this year, SITA PSS’ US servers were breached, causing a compromise to passenger data. Many airlines have confirmed that none of their passengers’ financial details or passwords were exposed… Although some other personal data was affected. In most cases, the hackers accessed frequent flyer membership numbers, tier status and even members’ names. Singapore Airlines is one of the affected airlines and has reported that over 580,000 of its customers were affected. Many other Star Alliance members have been communicating with their at-risk passengers, as have members of OneWorld, another airline alliance that relies on SITA PSS.

Major airlines such as British Airways, Lufthansa, Cathay Pacific, and more have acknowledged an impact on their frequent flyer programs. Even airlines that do not use SITA PSS directly were affected since their frequent flyer data passes through it, demonstrating the risk that the supply chain poses.

Supply Chain

SITA’s services require access to a vast amount of its clients’ data and, subsequently, passenger data, making it an attractive target for attackers. And, with SITA serving around 90% of the world’s airlines, the appeal only increases as a malicious actor can target this one supplier and gain access to a treasure trove of data.

It is not just the aviation industry that sees attacks originating in its supply chain. In general, organizations across all industries are increasingly reliant on their supply chains. While this brings many advantages to operational capabilities, the supply chain is also an attack vector to cybercriminals. In fact, around 40% of cyberattacks originate from the supply chain.

With third parties often having access to their clients’ confidential information, the supply chain can be exploited by attackers to gain access to such data – as was the case in the SITA PSS attack. But in other cases, suppliers can be used as an infiltration method whereby a bad actor manipulates a component of the supply chain, with the intention of said manipulation finding its way into the target organization. Just take a look at the recent SolarWinds attack…

Moving to Hardware-Based Supply Chain Attacks

Cybercriminals are turning towards hardware attack tools to carry out their malicious activity. The appeal of Rogue Devices comes from their covert characteristics and harmful nature. Specifically, Spoofed Peripherals impersonate legitimate HIDs and are therefore not recognized as malicious. Network Implants, on the other hand, operate on the Physical Layer which is not covered by existing security software solutions. Moreover, their presence goes undetected. Additionally, Rogue Devices have various capabilities that facilitate harmful cyberattacks, making them a worthy asset for bad actors.

Hardware attacks, however, require the attacker to gain some form of physical access to implant the device within the target organization. Some entities are heavily secured, making it extremely difficult to gain physical access. Suppliers, on the other hand, are typically easier to physically infiltrate. And with suppliers often having some level of access to an organization’s data, third parties are an alternative, and valuable, target. Hence, a supplier can find themselves victim to a Rogue Device attack.

Third Party – Entry Point

In other cases, the supply chain is merely an entry point. In a method known as interdiction, the third party is the source of manipulation whereby a perpetrator intercepts a hardware asset during transit, modifies it in a secure location, and quickly places it back in transit to the final destination; the target organization. Alternatively, a malicious actor can simply insert an already-manipulated device into the supply chain, where it will eventually reach the victim. Supply chain complexities are part of the appeal of using a third-party as an entry point.

Today, organizations rely on hundreds, if not thousands, of suppliers. And locating the origin of manipulation – should the attack be detected – is almost impossible. Moreover, attackers will not manipulate every hardware asset; only a select few would have been tampered with. Hence, locating the attack source means dismantling every hardware device; a time-consuming process requiring manual efforts. Additionally, these factors significantly reduce the organization’s ability to catch the attacker. So, even if the attack is detected and stopped, it is unlikely that the perpetrator will face any consequences.

Conclusion

For enterprises, their supply chain is a valuable asset that enhances productivity and operational capabilities. And, with globalization, this often comes at a low cost. However, the supply chain is also a valuable asset for cybercriminals, and the value it brings to the latter means that it can be a significant liability for the former. So, while the supply chain might bring many benefits to an organization, it might just be the source of one of its most considerable costs.

  • Previous Post

    Departing employee? Incoming data breach…

  • Next Post

    Formula 1 Blog Post

Leave a Reply